January 28, 2019
On December 13th 2018, many institutions across Canada and the US received email messages containing bomb threats demanding a large ransom in Bitcoin. It caused concern, confusion, evacuations, closures, and lockdowns. The most recent news from the investigation reveals that domains owned by large corporations such as Expedia, Mozilla, and Yelp were used by the scammers to send out these hoaxes. The researchers also believe [1] that the scammers successfully hijacked Domain Name System (DNS) records of so-called “orphan” domains owned by these companies by exploiting a weakness in a well-known managed DNS service.
Other security researchers have recently revealed details of this new global DNS hijacking campaign [2], and the US Department of Homeland Security (DHS) has also released an emergency directive on DNS security [3]. That directive calls on anyone responsible for government agency-managed domains to take immediate steps to resolve these DNS issues, and states that "attackers have redirected and intercepted web and mail traffic, and could do so for other networked services."
The Domain Name System (DNS) is similar to a phone directory for the Internet, connecting domain names (uoguelph.ca) to internet addresses (131.104.93.93). Nearly every internet service depends on it, including web browsing and email. If an attacker is able to hijack DNS, they can redirect user traffic from legitimate servers to ones under the attacker’s control. This could be achieved through malware (DNSchanger is an example), stolen or compromised administrator credentials, or exploiting a weakness in the DNS servers themselves, which appears to be the case in this attack.
If you own or manage a domain name, InfoSec encourages you to review and follow the DHS directive to harden your DNS services by taking the following steps:
- Audit your DNS records for accuracy
- Take this opportunity to change the passwords for accounts that have DNS administration privileges
- Take advantage of two-factor authentication if your provider has made it available
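As an added illustration of the first step (example code written for this page, not part of the original post), the script below compares the A records a set of names currently resolve to against a baseline the domain owner keeps, and reports any drift. The names and addresses are placeholders, and the `resolve` parameter is an assumed hook so the same comparison can be fed answers captured by another tool.

```python
"""Audit a domain's A records against an expected baseline."""
import socket
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]

# Constructed baseline of the A records the owner expects to see
# (placeholder names and RFC 5737 documentation addresses, not any
# real zone's data).
EXPECTED: Dict[str, Set[str]] = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.25"},
}


def resolve_a(name: str) -> Set[str]:
    """Look up the IPv4 addresses for `name` with the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit(expected: Dict[str, Set[str]], resolve: Resolver = resolve_a) -> List[str]:
    """Return one finding per name whose current answer differs from the baseline.

    An added or changed address is the signature of a redirected record.
    An empty answer means the record vanished or the lookup failed, which
    also deserves a look, since a record that no longer points at
    infrastructure you control is exactly what an orphan domain looks like.
    """
    findings: List[str] = []
    for name, want in sorted(expected.items()):
        got = resolve(name)
        if not got:
            findings.append(f"{name}: no answer (record removed or lookup failed)")
            continue
        if got != want:
            findings.append(
                f"{name}: unexpected {sorted(got - want)}, missing {sorted(want - got)}"
            )
    return findings


if __name__ == "__main__":
    for line in audit(EXPECTED) or ["all records match the baseline"]:
        print(line)
```

Run it on a schedule from a host whose resolver you trust, and treat any finding as a prompt to check the registrar and DNS provider accounts named in the following steps.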
Written by: Hanna Guan (Cyber Security Analyst, Information Security)