{"id":15537,"date":"2019-03-29T11:23:59","date_gmt":"2019-03-29T15:23:59","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/grand-theft-dns-rsa2019\/15537\/"},"modified":"2020-04-02T16:07:44","modified_gmt":"2020-04-02T10:37:44","slug":"grand-theft-dns-rsa2019","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/grand-theft-dns-rsa2019\/15537\/","title":{"rendered":"RSAC 2019: Grand Theft DNS"},"content":{"rendered":"

At RSA Conference 2019, the SANS Institute reported on several new types of attack that they consider to be highly dangerous. This post looks at one of them.<\/p>\n

An attack highlighted by SANS instructor Ed Skoudis can potentially be used to take full control of a company\u2019s IT infrastructure\u00a0\u2014 and no complex tools are required, just relatively simple DNS manipulations.<\/p>\n

Manipulating enterprise DNS infrastructure<\/h2>\n

Here\u2019s how the attack works:<\/p>\n

    \n
  1. Cybercriminals harvest (by whatever means) username\/password pairs for compromised accounts, of which there are currently hundreds of millions, if not billions<\/a> in known databases alone.<\/li>\n
  2. They use these credentials to log into the services of DNS providers and domain registrars.<\/li>\n
  3. Next, the intruders modify the DNS records, substituting the corporate domain infrastructure with their own.<\/li>\n
  4. In particular, they modify the MX record<\/a> and intercept messages by redirecting all corporate mail to their own mail server.<\/li>\n
  5. The cybercriminals register TLS certificates for the stolen domains. At this stage, they are already in a position to intercept corporate mail and can provide proof of domain ownership, which in most cases is all that\u2019s required to have a certificate issued.<\/li>\n<\/ol>\n

    After that, the attackers can redirect traffic bound for the target corporation\u2019s servers to their own machines. As a result, visitors to the company website are taken to fake resources that look authentic to all filters and protection systems. We encountered this scenario for the first time back in 2016, when researchers at our Brazilian branch of GReAT uncovered an attack allowing intruders to hijack the infrastructure of a large bank<\/a>.<\/p>\n

    What is especially dangerous about this attack is that the victim organization loses contact with the outside world. Mail is hijacked, and typically phones as well (the vast majority of companies use IP telephony). This greatly complicates both internal response to the incident and communication with external organizations \u2014 DNS providers, certification authorities, law enforcement agencies, and so on. And imagine if it all happens on a weekend, as in the case of the Brazilian bank!<\/p>\n

    How to prevent hijacking of IT infrastructure through DNS manipulation<\/h3>\n

    What in 2016 was an innovation in the world of cybercrime became common practice a couple of years later; by 2018, IT security gurus at many leading companies were logging its use. So it is no airy-fairy threat, but a very specific attack that could be used to seize your IT infrastructure.<\/p>\n

    Here\u2019s what Ed Skoudis thinks should be done to safeguard against attempts to manipulate the infrastructure of domain names:<\/p>\n