H-ISAC TIC Threat Bulletin
Date: January 24, 2019
TLP – WHITE
Event: Weaknesses in Managed DNS Providers' Processes Allow Domain Hijacking
Summary: Earlier this month, US-CERT issued a bulletin with information on a large DNS infrastructure hijacking campaign. Ars Technica has also recently published an article that gives more detail on the weakness attackers targeted in order to hijack domains, along with a link to a list of affected domains. The TIC has chosen to issue this bulletin because H-ISAC member domains could be affected.
Relevance: It is likely that H-ISAC members own domains that may be affected.
Potential Actions:
· Implement multi-factor authentication on domain registrar accounts, or on other systems used to modify DNS records. [1]
· Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames. [1]
· Search for encryption certificates related to your domains and revoke any fraudulently requested certificates. [1]
· Consider checking the following linked list to determine whether any URLs owned by your organization are included, and take action as appropriate: hxxps://pastebin[.]com/raw/wgCWLz8K
· Validate A, NS, and MX record changes. [3]
· Validate the source IPs in OWA/Exchange logs. [3]
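The record-validation actions above (verify that resource records point to the expected addresses or hostnames; validate A, NS and MX changes) can be turned into a repeatable check by keeping a known-good baseline of each record set and diffing it against what the resolver currently returns. The script below is an added example, not code from the bulletin or from any of the referenced vendors. All domain names, name servers and IP addresses in it are constructed sample values (the IPs are from RFC 5737 documentation ranges), and the "live" answers are a constructed table that simulates the kind of manipulation the bulletin describes; the optional dig_lookup helper shows where a real resolver would plug in.

```python
"""Added example (not from the H-ISAC bulletin): detect drift in A, NS and MX
records against a known-good baseline. Names and addresses below are
constructed sample values, not real infrastructure."""
import ipaddress
import subprocess
from typing import Callable, Dict, Set, Tuple

RecordKey = Tuple[str, str]                 # (owner name, record type)
Lookup = Callable[[str, str], Set[str]]     # (name, type) -> set of answers


def normalize(rdata: str) -> str:
    """Canonicalise one answer so cosmetic differences (case, trailing dot,
    spacing in 'pref host' MX data) are not reported as drift."""
    parts = rdata.strip().lower().split()
    if not parts:
        return ""
    last = parts[-1]
    try:
        ipaddress.ip_address(last)          # IPv4/IPv6 address: leave as-is
    except ValueError:
        if not last.endswith("."):          # hostname: make it fully qualified
            parts[-1] = last + "."
    return " ".join(parts)


# Known-good baseline, maintained by the domain owner (constructed values).
BASELINE: Dict[RecordKey, Set[str]] = {
    ("example-health.org", "A"): {"203.0.113.10"},
    ("example-health.org", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example-health.org", "MX"): {"10 mail.example-health.org."},
    ("mail.example-health.org", "A"): {"203.0.113.25"},
}

# Constructed "live" answers simulating record manipulation: the apex A record
# now points elsewhere and an extra name server has appeared. The MX record is
# unchanged apart from casing and a missing trailing dot (no real drift).
LIVE_ANSWERS: Dict[RecordKey, Set[str]] = {
    ("example-health.org", "A"): {"198.51.100.77"},
    ("example-health.org", "NS"): {
        "ns1.example-dns.net.", "ns2.example-dns.net.", "ns1.unexpected-dns.example.",
    },
    ("example-health.org", "MX"): {"10 MAIL.example-health.org"},
    ("mail.example-health.org", "A"): {"203.0.113.25"},
}


def table_lookup(table: Dict[RecordKey, Set[str]]) -> Lookup:
    """Offline resolver backed by a dict; used for the demo and for tests."""
    def lookup(name: str, rtype: str) -> Set[str]:
        return set(table.get((name.lower().rstrip("."), rtype.upper()), set()))
    return lookup


def dig_lookup(name: str, rtype: str) -> Set[str]:
    """Live resolver for real use: shells out to `dig +short NAME TYPE`.
    Not exercised by the offline demo."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return {line for line in out.splitlines() if line.strip()}


def find_drift(baseline: Dict[RecordKey, Set[str]], lookup: Lookup) -> Dict[RecordKey, Dict[str, Set[str]]]:
    """Return, per record set that differs from the baseline, the values that
    are missing and the values that were not expected."""
    drift: Dict[RecordKey, Dict[str, Set[str]]] = {}
    for (name, rtype), expected in baseline.items():
        want = {normalize(r) for r in expected}
        got = {normalize(r) for r in lookup(name, rtype)}
        if want != got:
            drift[(name, rtype)] = {"missing": want - got, "unexpected": got - want}
    return drift


def main() -> None:
    # Swap table_lookup(LIVE_ANSWERS) for dig_lookup to check real zones.
    drift = find_drift(BASELINE, table_lookup(LIVE_ANSWERS))
    if not drift:
        print("no drift from baseline")
    for (name, rtype), d in sorted(drift.items()):
        print(f"{name} {rtype}: missing={sorted(d['missing'])} "
              f"unexpected={sorted(d['unexpected'])}")


if __name__ == "__main__":
    main()
```

Run on the constructed data the script reports the changed apex A record and the unexpected third NS entry, while the MX record, which differs only in casing and trailing dot, is correctly treated as unchanged. Running the same comparison on a schedule from a host outside the organization's own resolvers (so that a hijacked authoritative server is actually queried) gives an early signal that records have been altered, and the baseline itself should live somewhere that is not changed through the registrar account the bulletin recommends protecting with multi-factor authentication.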
References:
1. hxxps://www.us-cert[.]gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign
2. hxxps://arstechnica[.]com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/
3. hxxps://www.fireeye[.]com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
4. hxxps://blog.talosintelligence[.]com/2018/11/dnspionage-campaign-targets-middle-east.html