Prevention Tactics for Recent DNS Infrastructure Attacks

There are protective measures to evade potential DNS infrastructure attackers.

Articles published February 19, 2019

Recently, there have been multiple active attacks on Domain Name System (DNS) infrastructure that target government and critical infrastructure organizations. This threat to DNS infrastructure applies not only to government agencies and telecommunications companies but also organizations across multiple industries and anyone with DNS infrastructure.

This DNS hijacking campaign has had a high degree of success in obtaining victims’ usernames, passwords and domain credentials. The good news is there are protective measures to evade potential attackers. FireEye has worked with victims, security organizations and law enforcement agencies to investigate how these attacks occurred, the attackers’ intent, the impact of the incidents and tactics to prevent future breaches.

1. Audit and verify DNS records to ensure they’re resolving as intended and not directed elsewhere. This helps spot any active DNS hijacks. FireEye found that attackers were using a DNS Redirector, or operations box, that responds to DNS requests. By using compromised credentials, the user can be redirected to the now attacker-controlled infrastructure. Once redirected, the attacker can obtain valid encryption certificates from the organization’s domain names.
2. Update DNS account passwords. This will disrupt unauthorized access to accounts that someone might currently have.
3. Add multi-factor authentication to domain administration portals for the accounts that manage DNS records. This security will help prevent future attacks while disrupting access to those who pose a risk. To access the DNS resolution chain, the attackers used “man in the middle” techniques.
4. Monitor and validate source IPs and Certificate Transparency logs for certificates issued that the agency did not request. Searching for and rejecting malicious SSL certificates related to your domain will help defenders flag people trying to impersonate or spy on their users.
5. Perform internal investigations to ensure attackers do not gain access to your environment. It can be challenging to know when attacks occur unless the perpetrator changes credentials or does something damaging to your organization. The best approach is to review access logs and set up Security Information and Event Management (SIEM) alerts to look for compromised access.

Aureon is aware of these DNS infrastructure breaches and recommends the tactics outlined to help prevent such attacks from occurring. These events will have the most significant impact on large businesses, government agencies and telecommunications companies. It’s imperative to be educated about these incidents to prepare for future attacks. Aureon’s advanced infrastructure security and managed IT services monitors activity, identifies potential malware and implements processes to address the problem before it occurs. Is your organization adequately safeguarded from possible attacks?