Worst DNS attacks and how to mitigate them
- 19 July, 2019 05:00
The Domain Name System remains under constant attack, and there seems to be no end in sight as threats grow increasingly sophisticated.
DNS, known as the internet’s phonebook, is part of the global internet infrastructure that translates between familiar names and the numbers computers need to access a website or send an email. While DNS has long been the target of assailants looking to steal all manner of corporate and private information, the threats in the past year or so indicate a worsening of the situation.
IDC reports that 82% of companies worldwide have faced a DNS attack over the past year. The research firm recently published its fifth annual Global DNS Threat Report, which is based on a survey IDC conducted on behalf of DNS security vendor EfficientIP of 904 organizations across the world during the first half of 2019.
According to IDC's research, the average costs associated with a DNS attack rose by 49% compared to a year earlier. In the U.S., the average cost of a DNS attack tops out at more than $1.27 million. Almost half of respondents (48%) report losing more than $500,000 to a DNS attack, and nearly 10% say they lost more than $5 million on each breach. In addition, the majority of U.S. organizations say that it took more than one day to resolve a DNS attack.
“Worryingly, both in-house and cloud applications were damaged, with growth of over 100% for in-house application downtime, making it now the most prevalent damage suffered,” IDC wrote. "DNS attacks are moving away from pure brute-force to more sophisticated attacks acting from the internal network. This will force organizations to use intelligent mitigation tools to cope with insider threats."
Sea Turtle DNS hijacking campaign
An ongoing DNS hijacking campaign known as Sea Turtle is one example of what's occurring in today's DNS threat landscape.
In April, Talos released a report detailing Sea Turtle and calling it the “first known case of a domain name registry organization that was compromised for cyber espionage operations.” Talos says the ongoing DNS threat campaign is a state-sponsored attack that abuses DNS to harvest credentials and gain access to sensitive networks and systems in a way that victims are unable to detect, which demonstrates unusual knowledge of how to manipulate DNS.
By obtaining control of victims’ DNS, the attackers can change or falsify any data on the Internet and illicitly modify DNS name records to point users to actor-controlled servers; users visiting those sites would never know, Talos reports.
The hackers behind Sea Turtle appear to have regrouped after the April report from Talos and are redoubling their efforts with new infrastructure – a move Talos researchers find to be unusual: “While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward,” Talos wrote in July.
“Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records,” Talos stated.
“This new technique has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain [that] uses that particular country code; that access was used to then compromise additional government entities. Unfortunately, unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent,” Talos wrote.
DNSpionage attack upgrades its tools
Another newer threat to DNS comes in the form of an attack campaign called DNSpionage.
DNSpionage initially used two malicious websites containing job postings to compromise targets via crafted Microsoft Office documents with embedded macros. The malware supported HTTP and DNS communication with the attackers. And the attackers are continuing to develop new assault techniques.
“The threat actor's ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection. DNS tunneling is a popular method of exfiltration for some actors, and recent examples of DNSpionage show that we must ensure DNS is monitored as closely as an organization's normal proxy or weblogs,” Talos wrote. “DNS is essentially the phonebook of the internet, and when it is tampered with, it becomes difficult for anyone to discern whether what they are seeing online is legitimate.”
The DNSpionage campaign targeted various businesses in the Middle East as well as United Arab Emirates government domains.
“One of the biggest problems with DNS attacks or the lack of protection from them is complacency,” said Craig Williams, threat intelligence outreach manager for Talos. Companies think DNS is stable and that they don’t need to worry about it. “But what we are seeing with attacks like DNSpionage and Sea Turtle are kind of the opposite, because attackers have figured out how to use it to their advantage – how to use it to do damage to credentials in a way, in the case of Sea Turtle, that the victim never even knows it happened. And that’s a real potential problem.”
If you know, for example, your name server has been compromised, then you can force everyone to change their passwords. But if instead they go after the registrar and the registrar points to the bad guy’s name, you never knew it happened because nothing of yours was touched – that’s why these new threats are so nefarious, Williams said.
“Once attackers start using it publicly, successfully, other bad guys are going to look at it and say, ‘hey, why don't I use that to harvest a bunch of credentials from the sites I am interested in’,” Williams said.
DNS security warnings grow
The UK's National Cyber Security Centre (NCSC) issued a warning this month about ongoing DNS attacks, particularly focusing on DNS hijacking. It cited a number of risks associated with the uptick in DNS hijacking including:
Creating malicious DNS records. A malicious DNS record could be used, for example, to create a phishing website that is present within an organization’s familiar domain. This may be used to phish employees or customers.
Obtaining SSL certificates. Domain-validated SSL certificates are issued based on the creation of DNS records; thus an attacker may obtain valid SSL certificates for a domain name, which could be used to create a phishing website intended to look like an authentic website, for example.
Transparent proxying. One serious risk employed recently involves transparently proxying traffic to intercept data. The attacker modifies an organization’s configured domain zone entries (such as “A” or “CNAME” records) to point traffic to their own IP address, which is infrastructure they manage.
“An organization may lose total control of their domain and often the attackers will change the domain ownership details making it harder to recover,” the NCSC wrote.
These new threats, as well as other dangers, led the U.S. government to issue a warning earlier this year about DNS attacks on federal agencies.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) told all federal agencies to bolt down their DNS in the face of a series of global hacking campaigns.
CISA said in its Emergency Directive that it was tracking a series of incidents targeting DNS infrastructure. CISA wrote that it “is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.”
CISA says that attackers have managed to intercept and redirect web and mail traffic and could target other networked services. The agency said the attacks start with compromising user credentials of an account that can make changes to DNS records. Then the attacker alters DNS records, like Address, Mail Exchanger, or Name Server records, replacing the legitimate address of the services with an address the attacker controls.
These actions let the attacker direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection, CISA stated.
“Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings,” CISA stated.
Get on the DNSSEC bandwagon
“Enterprises that are potential targets – in particular those that capture or expose user and enterprise data through their applications – should heed this advisory by the NCSC and should pressure their DNS and registrar vendors to make DNSSEC and other domain security best practices easy to implement and standardized,” said Kris Beevers, co-founder and CEO of DNS security vendor NS1. “They can easily implement DNSSEC signing and other domain security best practices with technologies in the market today. At the very least, they should work with their vendors and security teams to audit their implementations.”
DNSSEC was in the news earlier this year when in response to increased DNS attacks, the Internet Corporation for Assigned Names and Numbers (ICANN) called for an intensified community effort to install stronger DNS security technology.
Specifically, ICANN wants full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. DNSSEC adds a layer of security on top of DNS. Full deployment of DNSSEC ensures end users are connecting to the actual web site or other service corresponding to a particular domain name, ICANN said. “Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup – complementing other technologies such as SSL (https:) that protect the ‘conversation’, and provide a platform for yet-to-be-developed security improvements,” ICANN stated.
DNSSEC technologies have been around since about 2010 but are not widely deployed, with less than 20% of the world’s DNS registrars having deployed it, according to the regional internet address registry for the Asia-Pacific region (APNIC).
DNSSEC adoption has been lagging because it was viewed as optional and can require a tradeoff between security and functionality, said NS1's Beevers.
Traditional DNS threats
While DNS hijacking may be the front line attack method, other more traditional threats still exist.
The IDC/EfficientIP study found most popular DNS threats have changed compared with last year. Phishing (47%) is now more popular than last year’s favorite, DNS-based malware (39%), followed by DDoS attacks (30%), false positive triggering (26%), and lock-up domain attacks (26%).
Experts say DNS cache poisoning, or DNS spoofing, is also still quite common. In cache poisoning, attackers inject forged data into a DNS resolver's cache in an attempt to redirect users to the attacker's sites, where they can then steal personal information or other intelligence.
DNS tunneling, which encodes data in DNS queries and responses to create a hidden communication channel that can bypass a firewall, is another threat.
Palo Alto’s Unit 42 security researchers have detailed one of the most well-known DNS tunneling attacks: OilRig.
Since at least May 2016, OilRig has delivered Trojans that use DNS tunneling for command and control in attacks aimed at stealing data. Since then, the threat group has added new tools using different tunneling protocols to its tool set, according to Unit 42's blog post about OilRig.
“The OilRig group has repeatedly used DNS tunneling as a channel to communicate between their C2 servers and many of their tools,” Unit 42 stated.
"One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C2 server, which may stand out to those monitoring DNS activity on their networks," Unit 42 researchers noted.
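The "high volume of DNS queries" that Unit 42 describes is exactly what a defender can key on. The following is an added example, not code from the article or from Unit 42: it runs a simple tunneling heuristic over a constructed DNS query log, grouping queries per client and registrable domain and flagging groups that combine volume, a high share of unique names, long leftmost labels and high label entropy. The log format, thresholds and the two-label approximation of the registrable domain are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the article), one "<client> <qtype> <qname>" per line.
# 10.0.0.7 sends many unique, long, high-entropy labels to one domain (tunneling-like); 10.0.0.9 is chatty but benign.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.9 A www.example.com
10.0.0.9 A www.example.com
10.0.0.9 A www.example.com
10.0.0.9 A www.example.com
10.0.0.9 A www.example.com
10.0.0.7 TXT 7a1f9c4e2b8d0f6a3c5e9b1d.upd.c2-example.test
10.0.0.7 TXT 3e8b2d7f1a9c6e0b4d2f8a7c.upd.c2-example.test
10.0.0.7 TXT 9c4a1e7b3f2d8c6e0a5b1d9f.upd.c2-example.test
10.0.0.7 TXT 1d6f0b8e2a4c9f3b7e5d1a0c.upd.c2-example.test
10.0.0.7 TXT 5b2e9a7c4f1d8b3e6a0c2f7d.upd.c2-example.test
"""

def shannon_entropy(s):
    """Bits per character; random-looking hex labels score well above plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_log(text):
    """Return (client, qtype, qname) tuples, skipping malformed lines."""
    rows = [line.split() for line in text.splitlines()]
    return [(c, t, q.lower().rstrip(".")) for c, t, q in (r for r in rows if len(r) == 3)]

def base_domain(qname):
    # Assumption: registrable domain = last two labels (a real tool would use a public-suffix list).
    return ".".join(qname.split(".")[-2:])

def find_tunneling(events, min_queries=5, min_unique_ratio=0.8, min_label_len=20, min_entropy=3.0):
    """Flag (client, domain) pairs whose query volume and label shape look like DNS tunneling."""
    groups = defaultdict(list)
    for client, _qtype, qname in events:
        groups[(client, base_domain(qname))].append(qname)
    findings = []
    for (client, domain), names in groups.items():
        if len(names) < min_queries:
            continue
        labels = [n.split(".")[0] for n in names]
        unique_ratio = len(set(names)) / len(names)
        avg_len = sum(map(len, labels)) / len(labels)
        avg_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if unique_ratio >= min_unique_ratio and avg_len >= min_label_len and avg_entropy >= min_entropy:
            findings.append({"client": client, "domain": domain, "queries": len(names),
                             "unique_ratio": round(unique_ratio, 2), "avg_entropy": round(avg_entropy, 2)})
    return findings
```

The benign chatty host is not flagged because it repeats one short name, which is why the heuristic combines several signals rather than raw query count alone.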
DNS attack mitigation
There are a number of things enterprises can do to keep most of these attacks at bay, experts say.
The biggest thing users can do is implement two-factor authentication, Talos’ Williams said. "It’s easy to implement and everyone understands what it is and no one is surprised by it anymore. Companies should also patch any sites that are public facing – we are well beyond the ‘well, let’s hope they just don’t find us' world – it doesn’t work."
There are scores of other suggested DNS security best practices. We've compiled some here, beginning with those from Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
CISA DNS best security practices include these tips:
- Update DNS account passwords. This will disrupt access to accounts an unauthorized actor might currently have.
- Verify DNS records to ensure they’re resolving as intended and not redirected elsewhere. This will help spot any active DNS hijacks.
- Audit public DNS records to verify they are resolving to the intended location.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
- Monitor certificate transparency logs for certificates issued that the agency did not request. This will help defenders notice if someone is attempting to impersonate them or spy on their users.
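CISA's advice to verify and audit public DNS records comes down to comparing what resolvers currently answer with what the organization intended to publish. Here is an added example of that comparison (not code from CISA or the article): a baseline of expected NS, A and MX records is checked against observed answers, answers are normalized so cosmetic differences do not raise alarms, and each divergence is labelled with why that record type matters. The domain names, addresses and the hard-coded OBSERVED dictionary are constructed; a real audit would fill it from an external resolver.

```python
# Constructed baseline and "observed" answers (not from the article or CISA); a real audit would
# fill OBSERVED from an external resolver (e.g. dnspython) instead of this hard-coded dict.
BASELINE = {
    ("example.com", "NS"): {"ns1.example-dns.net", "ns2.example-dns.net"},
    ("example.com", "A"): {"203.0.113.10"},
    ("www.example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mail.example.com"},
}
OBSERVED = {
    ("example.com", "NS"): {"ns1.example-dns.net.", "NS2.example-dns.net"},  # same set, cosmetic differences
    ("example.com", "A"): {"203.0.113.10"},
    ("www.example.com", "A"): {"198.51.100.77"},                              # web traffic redirected
    ("example.com", "MX"): {"10 mail.example.com", "5 mx.intercept.invalid."},  # attacker-added, higher priority
    ("vpn.example.com", "A"): {"198.51.100.78"},                              # name the baseline never had
}

# Why each record type matters, in the terms CISA's directive uses.
SEVERITY = {
    "NS": "critical: delegation change, the attacker's servers answer for the whole zone",
    "MX": "high: mail can be routed through attacker infrastructure",
    "A": "high: web traffic can be proxied or redirected",
}

def normalize(rdata):
    """Make answers comparable: case-insensitive, no trailing dot, single spaces."""
    return " ".join(rdata.lower().rstrip(".").split())

def audit(baseline, observed):
    """Compare observed answers with the baseline and return one finding per divergent (name, type)."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        want = {normalize(r) for r in baseline.get((name, rtype), ())}
        got = {normalize(r) for r in observed.get((name, rtype), ())}
        if (name, rtype) not in baseline:
            findings.append({"name": name, "type": rtype, "issue": "record not in baseline",
                             "added": sorted(got), "missing": []})
        elif want != got:
            findings.append({"name": name, "type": rtype, "issue": SEVERITY.get(rtype, "review"),
                             "added": sorted(got - want), "missing": sorted(want - got)})
    return findings
```

Running the audit on a schedule and from more than one vantage point (internal resolver, public resolvers) catches the case the article describes, where the registrar or the zone is changed and nothing on the organization's own servers is touched.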
DNS security vendor NS1 suggests these steps to take with your registry/registrar:
- Ensure 2-factor authentication is enabled in all registrar or registry accounts, and the passwords are not easily guessed, are stored securely, and not re-used across services.
- Attackers may attempt to use account recovery processes to gain access to domain management, so ensure that contact details are accurate and up-to-date. This is particularly relevant for DNS, as it's common for domains to be registered before corporate email accounts are available.
- Many registrars and registries offer 'lock' services to require additional security enhancing steps before changes can be made. Understand any 'lock' services available to you, and consider applying them, particularly to high-value domains.
- Ensure any available logging is enabled so that you can review changes which have been made.
Steps to take with DNS hosting:
- Ensure 2-factor authentication is enabled in all DNS hosting accounts, and the passwords are not easily guessed, and not re-used across services.
- Ensure you have backups of your critical DNS zones to allow you to recover in the event of a breach.
- Consider use of configuration-as-code approaches to manage changes to your DNS zones.
- Ensure any available logging is enabled so that you can review changes which have been made.
- Implement real-time behavioral threat detection over DNS traffic so that qualified security events, rather than raw logs, are sent to SIEMs.
- Use real-time DNS analytics to detect and thwart advanced attacks such as DGA malware and zero-day malicious domains.
- Integrate DNS with IP Address Management (IPAM) in network security orchestration processes to automate management of security policies, keeping them current, consistent and auditable.
ICANN’s DNS security checklist looks like this:
- Ensure all system security patches have been reviewed and have been applied;
- Review log files for unauthorized access to systems, especially administrator access;
- Review internal controls over administrator (“root”) access;
- Verify integrity of every DNS record, and the change history of those records;
- Enforce sufficient password complexity, especially length of password;
- Ensure that passwords are not shared with other users;
- Ensure that passwords are never stored or transmitted in clear text;
- Enforce regular and periodic password changes;
- Enforce a password lockout policy;
- Ensure that DNS zone records are DNSSEC signed and your DNS resolvers are performing DNSSEC validation;
- Ideally ensure your email domain has a Domain-based Message Authentication policy with SPF and/or DKIM and that you enforce such policies provided by other domains on your email system.