Anatomy of a DNS Hijacking: The Fascinating Case of the Sea Turtle Campaign
DNS is just the boring plumbing of the Internet that translates to domain names to IP addresses, right?
Wrong. It’s a major foundational element of the chain of trust in today’s ostensibly secure Internet. And despite how critical it is to security, DNS was designed before cybersecurity was a thing. Security is an afterthought in DNS.
And the bad guys are using this to their advantage. Especially a group dubbed Sea Turtle (don’t ask me, I think Talos had the naming honors on this one – I’ve always viewed Sea Turtles as cute and harmless). In this installment of my Anatomy of a Hack series, I’ll show you how DNS hijacking works and why Sea Turtle has been so successful.
This is a story of
- Hacked 1st parties – the ultimate intended targets
- Hacked 3rd parties – including domain registrars and telecoms and other service providers to the primary targets
- Certificate impersonation
- Stolen certificates
- Man-in-the-middle and VPN servers
But primarily it’s about DNS hijacking. If you can you tamper with the IP address returned for a victim’s domain name you are well along you way to pwning the victim. Turns out, there are many ways to accomplish that – multiple levels at which to attack a target’s DNS records
- 1. The target organization’s account at their registrar – when you login to your domain name registrar what kind of authentication is required? If you use a weak password and there’s no dual-factor this is the easiest way for an attacker to hijack your DNS
- 2. The registrar’s network – how secure is the registrar?
- 3. The DNS server. Most of us use a DNS hosting service. Same points as in #1 and #2
- 4. Registries – not to be confused with registrars
Of course, we’ll talk about defensive measures including
- Careful selection of domain and DNS service providers
- Registrar locks
- 2-factor authentication
- Using passive DNS to detect abuse of your domains
- Monitoring IP address changes returned for your DNS records
- DNS over HTTPS and how it affects the Enterprise
I’ll get some help from Security Engineer, Chad Anderson of DomainTools who is an expert in leveraging DNS data in the cause of cyber security. Chad will also briefly show you their awesome technology that helps you detect attackers targeting you before they even get started.