The Q1 2015 State of the Internet - Security Report is due out next month, and we think the week of RSA Conference 2015 is a good time to start previewing sections.
Yesterday we reviewed the potential security risks of widespread IPv6 adoption. Today, we look at the continuing trend of website defacements and DNS Hijacking.
In Q1 2015, Akamai tracked and offered defensive measures for mass website defacements and DNS hijacking.
Akamai saw multiple media reports in which a group claimed to have hacked hundreds or thousands of sites in a single night. The intent was to instill a sense of widespread unease in the casual observer.
When we looked a little closer, we saw that there was more to it. One can rightly assume that many of these defacements were done through some form of automation, but we also noticed something else interesting about the attacks.
Looking at the IP addresses of the hundreds of affected websites, we noticed that many, and sometimes all, of them resolved to the same IP address. This led us to believe the sites were running on the same server.
Early in the quarter, Akamai CSIRT observed attacks that can bypass even the best security protections and give attackers the keys to the victim's kingdom. That attack is called DNS Hijacking. This happens when attackers gain access to a domain registrar account and change the DNS resource records to point to server(s) under the attacker's control.
Having obtained the registrar password and administrative access, the attacker logs in to the registrar and changes the NS records, which designate the name servers that serve the resource records for the domain's web servers and mail servers. Once those name servers are under the attacker's control, the attacker controls where all web and email traffic for the domain is sent.
Once the NS records are under the attacker's control, web and email traffic can be redirected to any IP address the attackers choose. NS records often have a long TTL (24-48 hours), so even after the registrar account is recovered, the effects of the attack can persist in resolver caches for up to the TTL of the NS records.
We have seen instances where the attackers modified the entire zone file, including the MX (mail exchange) records, giving the attackers access to any mail sent to the target domain. In addition to information leakage via email, the attackers can use this access to trigger password resets on other services and compromise them as well. By intercepting password reset emails, the attackers will try to take and keep control of every administrative account tied to the domain name.
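A defender-side check that follows from the above, written here as an added example rather than Akamai's own tooling: it diffs the NS and MX answers seen for a domain against a known-good baseline and reports, from the TTL, how long a hijacked answer can linger in resolver caches. The record lines are constructed dig-style answers for placeholder domains, not real lookups; in practice you would feed it the output of `dig +noall +answer`.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    ttl: int
    rdata: str

def parse_answers(text: str) -> list[Record]:
    """Parse dig-style answer lines ('name ttl IN TYPE rdata'); anything else is ignored."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rdata = " ".join(parts[4:]).rstrip(".").lower()
        records.append(Record(parts[0].rstrip(".").lower(), parts[3].upper(), int(parts[1]), rdata))
    return records

def check_hijack(baseline: list[Record], observed: list[Record], watch=("NS", "MX")) -> list[dict]:
    """Diff observed NS/MX values against the known-good baseline.

    exposure_hours is the worst case: resolvers that cached the hijacked answer keep
    serving it until its TTL expires, even after the registrar account is recovered.
    """
    findings = []
    for rtype in watch:
        expected = {r.rdata for r in baseline if r.rtype == rtype}
        seen = {r.rdata for r in observed if r.rtype == rtype}
        if expected == seen:
            continue
        max_ttl = max((r.ttl for r in observed if r.rtype == rtype), default=0)
        findings.append({"type": rtype, "unexpected": sorted(seen - expected),
                         "missing": sorted(expected - seen), "exposure_hours": max_ttl / 3600})
    return findings

# Constructed sample data (placeholder domains, not real lookups): the baseline is what the
# owner expects; the observed answers show a registrar-account takeover that swapped NS and MX.
BASELINE = """
example.com.  172800  IN  NS  ns1.example-dns.net.
example.com.  172800  IN  NS  ns2.example-dns.net.
example.com.  3600    IN  MX  10 mail.example.com.
"""
OBSERVED = """
example.com.  172800  IN  NS  ns1.rogue-ns.invalid.
example.com.  172800  IN  NS  ns2.rogue-ns.invalid.
example.com.  3600    IN  MX  10 mail.rogue-ns.invalid.
"""
```

Run `check_hijack(parse_answers(BASELINE), parse_answers(OBSERVED))` on a schedule against live answers and alert on any non-empty result; the 48-hour figure it reports for the NS change is exactly the exposure window described above.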
To read the full story, pre-register for your copy of the Q1 2015 State of the Internet - Security Report.