Man-in-the-middle attacks are on the rise. Monitor DNS
With a sudden increase in DNS hijacking and man-in-the-middle attacks, the United States Computer Emergency Readiness Team (US-CERT) issued the following warning on their Alerts and tips page:
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global campaign to hijack Domain Name System (DNS) infrastructure. By using compromised credentials, an attacker can change the location to which an organization’s domain name resources resolve. This allows the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain name, enabling man-in-the-middle attacks.
NCCIC encourages administrators to review the FireEye and Cisco Talos Intelligence blogs about global DNS infrastructure hijacking for more information. In addition, NCCIC recommends the following best practices to protect networks from this threat:
- Implement multi-factor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Verify that DNS infrastructure (second-level domains, subdomains, and related resource records) points to correct Internet Protocol addresses or hostnames.
- Search for encryption certificates related to domains and revoke any fake certificates.
How do the DNS/SSL attacks work?
For our tech-savvy readers, we strongly recommend reading the articles referenced in the US-CERT alert, which walk through detailed examples of how the hijacking takes place. For everyone else, here is a summary of how the multi-faceted attacks work.
Technique 1: Modified DNS A record
The A record in your DNS zone holds the IPv4 address of your server. Using phishing or other means, the attacker gains access to the admin panel at your DNS provider and changes that address to point at an attacker-controlled proxy server. The proxy terminates the connection with a certificate the attacker obtained from Let's Encrypt (domain validation succeeds because the A record now points at the attacker's host, so users see no browser warning) and forwards the traffic to your real site. The attacker collects usernames, passwords and domain credentials as users log in through the proxy.
Technique 2: Modified NS record
Your NS records name the authoritative name servers for your domain. This technique works like technique 1, but instead of your DNS provider the attacker uses a previously compromised registrar or ccTLD (country code top-level domain) account to change the NS record so that it points to an attacker-controlled name server. That server answers queries for your domain with the address of the attacker's proxy, which again lets the attacker collect login credentials.
Technique 3: DNS redirection
Using one of the two methods above, the attacker points the victim's records at an attacker-controlled DNS redirector. The redirector answers queries for the targeted hostnames with the address of the attacker's proxy and passes all other queries through to the legitimate answers, so nothing looks unusual for the names the attacker is not interested in.
Who needs to worry about DNS attacks?
Any business can fall victim to an attack like the ones described above. FireEye reports that telecoms, ISPs, internet infrastructure providers, government and sensitive commercial entities make up the majority of the targets, but nothing in the techniques is specific to those sectors: any domain, possibly yours, can be hijacked the same way.
The campaigns gain their initial foothold through targeted spear phishing, where an unsuspecting user opens a Word document containing malicious macros. The documents use several different methods to evade antivirus and anti-malware software, which makes them very difficult to identify.
Protect your business from a DNS or SSL attack
As US-CERT recommends above, you must:
- Use multi-factor authentication on registrar accounts.
- Check your DNS records for the correct information.
- Search Certificate Transparency logs for certificates issued for your domains that you did not request, and have them revoked.
We want to add a new bullet:
- Automate your DNS and SSL checks for 24/7 protection.
Remote monitoring with Uptrends
Problems with DNS and SSL certificates can affect your entire user base or just isolated regions. By leveraging Uptrends' global network of over 200 checkpoints, you check your DNS records against DNS servers around the world. Instead of the random timing of manual testing, your checks run once a minute, 24/7, and Uptrends' alerting notifies you the moment a monitor detects errors or discrepancies in your records.
Monitor DNS
It only takes moments to set up DNS monitoring. With DNS monitoring you can verify:
- A (IPv4 address)
- AAAA (IPv6 address)
- NS (Authoritative Name Server)
- CNAME (aliases)
- MX (mail server mapping)
- SOA (Start of Authority)
- SRV (service location)
- TXT (text)
- Root server
You can set up a DNS monitor to check for changes in any of the records above. Start with your A and AAAA records, since those are what technique 1 changes, and add your NS records, since those are what technique 2 changes. You can also monitor your SOA record for changes. Your SOA record carries a serial number, and your DNS provider increments it every time the zone is edited, so a serial number that differs from the one you recorded tells you immediately that someone changed your zone, even a record you are not monitoring individually. One caveat: an attacker who repoints your NS records at their own name server is serving a different copy of your zone, so check the NS delegation as well rather than relying on the serial number alone.
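The checks above, A, NS and SOA serial against a recorded baseline, as an added example that is not Uptrends' code. It speaks DNS wire format with only the Python standard library, so the parser and the comparison run offline on a constructed reply for a hypothetical zone (the domain, the RFC 5737 addresses, the name servers and the serial numbers are all invented for the example); query_udp() is the hook that talks to a real resolver or authoritative name server.

```python
"""Check live A, NS and SOA answers against a known-good baseline.
Added example, not Uptrends' code: DNS wire format (RFC 1035) with only the standard
library, so parse_response() and compare() run offline on a constructed reply;
query_udp() is the hook that talks to a real resolver or authoritative name server."""
import socket
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA = 1, 2, 6, 28
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_SOA: "SOA", TYPE_AAAA: "AAAA"}
# Constructed baseline for a hypothetical zone (RFC 5737 documentation addresses).
BASELINE = {"A": {"192.0.2.10"}, "NS": {"ns1.example.com", "ns2.example.com"},
            "SOA_SERIAL": 2019012001}

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg: bytes) -> dict:
    """Answer section as {"A": [...], "NS": [...], "SOA": [{"mname", "serial"}], ...}."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = {}
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == TYPE_AAAA:
            value = socket.inet_ntop(socket.AF_INET6, msg[off:off + 16])
        elif rtype == TYPE_NS:
            value, _ = read_name(msg, off)  # parsed in place: RDATA may use compression
        elif rtype == TYPE_SOA:
            mname, p = read_name(msg, off)
            _, p = read_name(msg, p)  # RNAME (contact mailbox) precedes the serial
            value = {"mname": mname, "serial": struct.unpack("!I", msg[p:p + 4])[0]}
        else:
            value = msg[off:off + rdlen].hex()
        records.setdefault(TYPE_NAMES.get(rtype, str(rtype)), []).append(value)
        off += rdlen
    return records

def compare(records: dict, baseline: dict) -> list:
    """One finding per record set that differs from the baseline; [] means clean."""
    findings = []
    for rtype in ("A", "AAAA", "NS"):
        if rtype in baseline and set(records.get(rtype, [])) != baseline[rtype]:
            findings.append(f"{rtype} mismatch: expected {sorted(baseline[rtype])}, "
                            f"got {sorted(records.get(rtype, []))}")
    soa = records.get("SOA")
    if soa and "SOA_SERIAL" in baseline and soa[0]["serial"] != baseline["SOA_SERIAL"]:
        findings.append(f"SOA serial changed {baseline['SOA_SERIAL']} -> {soa[0]['serial']}: "
                        "the zone was edited, find out which record")
    return findings

def query_udp(qname: str, qtype: int, server: str, timeout: float = 3.0) -> bytes:
    """Send one query to `server` (a resolver or your authoritative name server)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD=1
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != msg[:2]:
        raise ValueError("transaction ID mismatch")
    return reply

def sample_response(a_addr: str, serial: int) -> bytes:
    """Constructed reply for example.com with A, NS and SOA answers (stand-in for query_udp)."""
    ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    rr = lambda rtype, rdata: ptr + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0)  # QR=1 RD=1 RA=1, 4 answers
    question = encode_name("example.com") + struct.pack("!HH", 255, 1)
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack("!IIIII", serial, 3600, 900, 1209600, 300))
    return (header + question + rr(TYPE_A, socket.inet_aton(a_addr))
            + rr(TYPE_NS, encode_name("ns1.example.com"))
            + rr(TYPE_NS, encode_name("ns2.example.com")) + rr(TYPE_SOA, soa))
```

Technique 1 as the monitor would see it is `compare(parse_response(sample_response("198.51.100.7", 2019012002)), BASELINE)`: the A record has been repointed and the serial has been bumped, so two findings come back, while the unchanged zone (`"192.0.2.10"`, serial `2019012001`) yields none. For live use, feed `query_udp("example.com", TYPE_A, server)` to `parse_response` instead, once per record type, and run it both against public resolvers from several locations and directly against your authoritative name servers; the example does not retry over TCP when a UDP answer is truncated.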
Monitor your SSL certificate
In addition to sending you reminders about impending expiration dates and monitoring for certificate errors, you can monitor several fields on your SSL certificates:
- Common name
- Organization
- Organizational unit
- Serial number
- Fingerprint
- Issued under common name
- Issued by organization
- Issued by organizational unit
A certificate the attacker obtained from Let's Encrypt is validly issued and chains to a trusted root, so browsers and a plain validity check raise no error. What gives it away is that its issuer, serial number and fingerprint do not match the certificate you installed, so an SSL monitor that compares those fields against your own certificate alerts on the first check that sees the wrong one. Two caveats: if you use Let's Encrypt yourself and renew automatically, the serial number and fingerprint change at every renewal, so either refresh the expected values on renewal or compare only the subject and issuer fields; and because publicly trusted certificates are recorded in Certificate Transparency logs, a CT search for your domains is the way to find certificates you never requested and get them revoked.
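The field comparison described above, as an added example that is not Uptrends' code. The live handshake uses the Python standard library; the comparison itself is exercised on constructed data in the shape that `ssl`'s `getpeercert()` returns, with invented subject, issuer and serial values and placeholder bytes standing in for the DER-encoded certificates whose fingerprints would be compared.

```python
"""Pin the fields of your certificate and diff them against what a host serves.
Added example, not Uptrends' code. fetch_certificate() performs a real TLS handshake
with the standard library; certificate_facts() and compare_certificate() are pure and
are exercised on constructed data in the shape that ssl's getpeercert() returns."""
import hashlib
import socket
import ssl

def _flatten(rdns) -> dict:
    """getpeercert() gives ((('commonName', 'x'),), ...); flatten it to {attr: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}

def certificate_facts(cert: dict, der: bytes) -> dict:
    """The fields worth pinning, named as in the list above."""
    subject, issuer = _flatten(cert.get("subject", ())), _flatten(cert.get("issuer", ()))
    return {
        "common_name": subject.get("commonName"),
        "organization": subject.get("organizationName"),
        "organizational_unit": subject.get("organizationalUnitName"),
        "serial_number": cert.get("serialNumber"),
        "fingerprint_sha256": hashlib.sha256(der).hexdigest(),
        "issuer_common_name": issuer.get("commonName"),
        "issuer_organization": issuer.get("organizationName"),
        "issuer_organizational_unit": issuer.get("organizationalUnitName"),
    }

def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check. The default context validates chain, expiry and hostname, which is
    exactly the check an attacker's validly issued certificate passes without error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return certificate_facts(tls.getpeercert(), tls.getpeercert(binary_form=True))

def compare_certificate(observed: dict, expected: dict) -> list:
    """One finding per pinned field that differs. Fields absent from `expected` are not
    pinned: leave serial_number and fingerprint_sha256 out if you auto-renew short-lived
    certificates and cannot refresh the baseline on every renewal."""
    return [f"{field}: expected {want!r}, got {observed.get(field)!r}"
            for field, want in expected.items() if observed.get(field) != want]

# --- constructed sample data: stand-ins for getpeercert() output and DER bytes ---
LEGIT_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "example.com"),)),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trusted CA"),)),
    "serialNumber": "0A1B2C3D4E5F",
}
LEGIT_DER = b"constructed DER stand-in: legitimate certificate"

# A domain-validated certificate an attacker can obtain once the A record points at them:
# same common name, no organization, different issuer, serial number and fingerprint.
ATTACKER_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "serialNumber": "04F00DBA5EBA11",
}
ATTACKER_DER = b"constructed DER stand-in: attacker certificate"

PINNED = ("common_name", "organization", "issuer_common_name",
          "issuer_organization", "fingerprint_sha256")
BASELINE = {k: v for k, v in certificate_facts(LEGIT_CERT, LEGIT_DER).items() if k in PINNED}

def check(cert: dict, der: bytes) -> list:
    """Findings for one observed certificate against the pinned baseline."""
    return compare_certificate(certificate_facts(cert, der), BASELINE)
```

`check(ATTACKER_CERT, ATTACKER_DER)` returns four findings (organization, issuer common name, issuer organization, fingerprint) and nothing for the common name, which is the one field the attacker's certificate gets right; `check(LEGIT_CERT, LEGIT_DER)` returns an empty list. For a live host, `compare_certificate(fetch_certificate("example.com"), BASELINE)` does the same against whatever the server presents, and is worth running from more than one location since the hijack may only be visible to some resolvers.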
Takeaways
- Instances of DNS and certificate hijacking continue to increase.
- Protecting your users and your brand from DNS attacks requires vigilance.
- Manually testing the DNS and SSL certificates will not catch localized issues your users may be experiencing.
- Proactively monitoring your DNS records and SSL certificate configuration with Uptrends can alert you to an attack earlier than manual testing or waiting for user complaints.