A number of domain name organisations including ICANN, Verisign and SIDN have warned of domain hijacking threats. SIDN, the .nl ccTLD registry, has advised they “have been working with NCSC-NL to investigate if .nl domain names were compromised in a recently unveiled global campaign to hijack domain names, allegedly for state-related purposes. While no .nl domain names appear to have been compromised, we will be further extending our DNS monitoring facilities to more proactively detect signs of such campaigns in the .nl zone in the future and we reiterate the importance of following best practices for secure domain name registration.”
The domain hijack threat, as SIDN advise, is “’the act of changing the registration of a domain name without the permission of its original registrant’ and involves an unauthorised person changing a domain name’s records in the Domain Name System (DNS) so that it maps to a different IP address than that set by the registrant. For example, a miscreant might change the www mapping for the domain example.nl in the DNS so that visitors who log on to www.example.nl unknowingly send their traffic through an intermediate server that the miscreant uses to record their user names and passwords. Similarly, the miscreant could also change example.nl’s mail settings in the DNS so that the intermediate server receives and stores e-mails sent to firstname.lastname@example.org.”
“Domain hijacks may thus have severe effects in terms of security and privacy compromises as well as reputational and financial damage, both for users and for registrants.
“One way for a miscreant to hijack a domain name is to compromise the account through which registrants manage their domain name settings through their registrar, for instance by using user names and passwords obtained from other compromised sites. Similarly, they may also use more advanced techniques, such as spear phishing the staff of a registry to obtain the credentials of more high-value domain names.
“Once the miscreant manages to compromise the account, they use the administrative panel that the registrar provides to change example.nl’s records in the DNS. For example, they could change the domain’s name servers, which results in users visiting www.example.nl being redirected to a malicious site through name servers under the miscreant’s control.”
Verisign have released a similar warning that notes “over the past several weeks, security professionals have issued reports about the hijacking of various domains via their name server delegations. These changes were likely made using compromised registrar credentials and are believed to be backed by a foreign nation state entity. During the attacks, the threat actors used the traffic directed to their infrastructure to launch spear phishing campaigns against various government entities in northern Africa and the Middle East. These targeted spear phishing attempts were facilitated by the transitive trust placed on the compromised domains and their delegated name servers.”
“Several of the compromised domains contained hosts that were specified as name servers for numerous top-level domains (TLDs) including country code TLDs5 in the northern African and Middle East regions. Subsequently, DNS traffic resolution for corresponding reliant zones were partially/completely routed to the threat actors’ infrastructure. This redirection of DNS traffic facilitated their ability to target specific government and industry entities in the targeted countries. While the domains did not employ a domain locking tool, some were DNSSEC6 signed, which helped mitigate the attack for resolving parties that perform validation.”
Last week ICANN advised they were “aware of several recent public reports regarding malicious activity targeting the Domain Name System (DNS). We have no indication that any ICANN organization systems have been compromised, and we are working with relevant community members to investigate reports of attacks against top-level domains (TLDs).”
In their announcement, ICANN said they believe “it is essential that members of the domain name industry, registries, registrars, resellers, and related others, take immediate proactive and precautionary measures, including implementing security best practices, to protect their systems, their customers’ systems and information reachable via the DNS.”
ICANN also note they “trust that [the] DNS industry actors are already taking strong security precautions in your business.” To help they have compiled the following checklist to consider:
- Ensure all system security patches have been reviewed and have been applied;
- Review log files for unauthorized access to systems, especially administrator access;
- Review internal controls over administrator (“root”) access;
- Verify integrity of every DNS record, and the change history of those records;
- Enforce sufficient password complexity, especially length of password;
- Ensure that passwords are not shared with other users;
- Ensure that passwords are never stored or transmitted in clear text;
- Enforce regular and periodic password changes;
- Enforce a password lockout policy;
- Ensure that DNS zone records are DNSSEC signed and your DNS resolvers are performing DNSSEC validation;
- Ideally ensure multi-factor authentication is enabled to all systems, especially for administrator access; and
- Ideally ensure your email domain has a DMARC policy with SPF and/or DKIM and that you enforce such policies provided by other domains on your email system.