RSAC 2019: Grand Theft DNS

At RSAC 2019, a SANS Institute instructor talked about how DNS manipulations can be used to hijack a company’s IT infrastructure.

At RSA Conference 2019, the SANS Institute reported on several new types of attack that they consider to be highly dangerous. This post looks at one of them.

An attack highlighted by SANS instructor Ed Skoudis can potentially be used to take full control of a company’s IT infrastructure — and no complex tools are required, just relatively simple DNS manipulations.

Manipulating enterprise DNS infrastructure

Here’s how the attack works:

  1. Cybercriminals harvest (by whatever means) username/password pairs for compromised accounts, of which there are currently hundreds of millions, if not billions in known databases alone.
  2. They use these credentials to log into the services of DNS providers and domain registrars.
  3. Next, the intruders modify the DNS records, substituting the corporate domain infrastructure with their own.
  4. In particular, they modify the MX record and intercept messages by redirecting all corporate mail to their own mail server.
  5. The cybercriminals register TLS certificates for the stolen domains. At this stage, they are already in a position to intercept corporate mail and can provide proof of domain ownership, which in most cases is all that’s required to have a certificate issued.

After that, the attackers can redirect traffic bound for the target corporation’s servers to their own machines. As a result, visitors to the company website are taken to fake resources that look authentic to all filters and protection systems. We encountered this scenario for the first time back in 2016, when researchers at our Brazilian branch of GReAT uncovered an attack allowing intruders to hijack the infrastructure of a large bank.

What is especially dangerous about this attack is that the victim organization loses contact with the outside world. Mail is hijacked, and typically phones as well (the vast majority of companies use IP telephony). This greatly complicates both internal response to the incident and communication with external organizations — DNS providers, certification authorities, law enforcement agencies, and so on. And imagine if it all happens on a weekend, as in the case of the Brazilian bank!

How to prevent hijacking of IT infrastructure through DNS manipulation

What in 2016 was an innovation in the world of cybercrime became common practice a couple of years later; by 2018, IT security gurus at many leading companies were logging its use. So it is no airy-fairy threat, but a very specific attack that could be used to seize your IT infrastructure.

Here’s what Ed Skoudis thinks should be done to safeguard against attempts to manipulate the infrastructure of domain names:

  • Use multifactor authentication in IT infrastructure management tools.
  • Use DNSSEC, making sure to apply not only DNS signing, but also validation.
  • Keep track of all DNS changes that might affect your company’s domain names; one option is to use SecurityTrails, which allows up to 50 requests per month free.
  • Keep track of residual certificates duplicating your domains and send requests to revoke them immediately. For details of how to do this, see the post: MitM and DoS attacks on domains through the use of residual certificates.

From our side we can add only one piece of advice — keep your passwords secure. They should be unique and complex enough at least to withstand a dictionary attack. For generating passwords and storing them securely, you can use Kaspersky Password Manager, which is a part of our Kaspersky Small Office Security solution.