April 18, 2019 at
When a normal user is infected with malware that changes their DNS settings, it can be a problem. A DNSChanger hack can lead to users being sent to a different IP to the one they would normally get when entering a particular domain name. This has been going on since the internet was a thing, such as the recent Dlink router hacks that lasted three months before anyone knew what was going on.
Going too far this time
Cisco’s Talos security division has been tracking attacks on companies that run DNS services. Among these ISPs and web hosts, a company called Netnod has been breached. The Swedish based company is one of the Top 13 DNS operators in the world and is a major player on the internet as a whole, so any changes made to their DNS records has the potential to affect millions upon millions of people. Those people would have absolutely no protection from this type of attack.
The user would type in a domain name at home, the browser would query the DNS server for the IP of the domain and it would then be redirected. On a local level, changing where a user looks for IP addresses on their router is one thing. This is completely another. There is no real way to protect yourself from this type of attack.
Why is this such a scary thought to everyone in the cybersecurity industry? It’s rather simple actually. This is a breach not only of a company but of one of the foundational technologies that power the internet. This could tank trust in the system. It’s one thing to be responsible for your own hardware and to be hacked. That affects no one but yourself an maybe a few friends who were not wise enough to ignore the weirdly worded message you sent in Messenger. This is an order of magnitude more serious because anyone, through no fault of their own, would be at risk. It would mean even people who take rather more care than usual to stay safe on the internet could be tricked. The panic coming from this could be extremely severe.
This type of attack and the amount of access the hackers had to the DNS servers is frightening, according to a report by Cisco Talo. In fact, they said in the same report that any responsible government would shy away from attack a foundational technology that supports the Internet.
There is “good” news, though it is bittersweet
The report showed a worrying level of breached organizations. Forty different organizations covering 13 different countries have been compromised and the attacks are continuing. This takes a highly skilled group and according to Cisco Talo, it is most likely a government-backed hacking group.
One silver lining to the massive cloud that hangs over the internet as a whole is that the hacking group has not targetted the mass market. They seem to be focusing all of their attacks on staff members of intelligence and military agencies around the Middle East and North Africa.
The worry, however, is that they might go on to tamper too much with the DNS system. Since the majority of security software, particularly home software, is not designed to protect against an attack of this nature, it means that many more people will be at a greater risk than ever before. Due to the fears, Cisco Talo has urged governments to act immediately and begin establishing standards to protect DNS records.
The methods used to breach the companies that control the so-called “phone book of the internet” are the usual phishing scams and small vulnerabilities that plague popular, frequently used programs. They are then able to gain login credentials of the employees and this gives them access to DNS records. The DNS records were hijacked for a certain amount of time. This would depend on who was targetted and the scale of targetting — a few minutes to a few days for a given record.
The sites that the unsuspecting users were pointed to even had properly signed software certificates to show the SSL padlock in the browser. The spoofing was done immaculately. While Cisco Talo has declined to name the government they think is behind these attacks, other cybersecurity insiders have not been so tactful. Many in the cybersecurity field are sure that the group behind these attacks is financed by Iran, which has been in the news more and more lately.