DNS hijacking comes in many forms: In 2019, CSO interviewed Paul Vixie, a DNS system contributor, about the need to strengthen security. We later wrote about the problem of abandoned domain names. And things haven’t changed a lot since then. Most CISOs may be familiar with typosquatting, where “firm.com” has to compete with “firm.co.” Threat actors also try to steal DNS admin credentials to take over accounts.

Domain hijacking is relatively easy to do, commented Robert Beggs of Canadian incident response provider DigitalDefence. “These attacks are rarely noticed by the domain owner until it is too late,” he said in an email to CSO.

“They succeed due to the shared responsibility of domain name management,” he wrote. “Domain name holders (the business), domain registrars, DNS providers, and web hosting companies must ensure that domain names are accurate. In the case of Hazy Hawks, it appears that an automated attack exploited weak or improperly configured CNAME records to permit domain hijacking. Surprisingly, in spite of the breadth of the attack, no one appeared to have noticed that it was happening, indicating that traditional detection systems are not keeping pace with emerging attacks.”

Preventing this type of attack requires domain users to properly authorize and manage their domains, Beggs said. Domain names are a large attack surface distributed across multiple entities with varying degrees of responsibility. “This is an attack that has been known since at least 2016, highlighting the need for domain owners to have a stronger control on domains that they are responsible for. Presently, domains are generally managed as being either live or expired, and this level of basic control is poorly implemented. New tools are required to have stronger authentication, support long-term management, and provide alerts for changes to domain records,” Beggs said.
Problem ‘getting bigger’: The problem of dangling CNAME records “is getting bigger and bigger,” Infoblox report co-author Renée Burton, the company’s vice-president of threat intelligence, told CSO. “This is really hard for security vendors” to fix, she added, “because everything along the [DNS] chain is legitimate” once the dangling CNAME record has been captured by a threat actor.

The security market and cloud providers will eventually offer solutions for this problem, she predicted, adding that Azure has already put in some protections against this kind of hijacking. But, ultimately, CISOs have to have processes for DNS hygiene, Burton said. “In the end, it comes down to the enterprise straightening out their records and services.”

In its report, Infoblox warns admins that DNS hijacking is common after mergers and acquisitions, when IT and DNS admins may not know all the assets they have. The researchers also say domain owners can protect themselves against DNS hijacking by making sure their DNS records are well managed, which can be difficult, the report admits, in multi-national organizations where management of projects, domain registration and DNS records may be in separate organizations. “We recommend the establishment of processes that trigger a notification to remove a DNS CNAME record whenever a resource is shut down, as well as tracking active resources,” the report says.

As for making sure employees aren’t suckered, Infoblox says staff should be urged to deny push notification requests from websites they don’t know. Unwanted notifications can be turned off in browser settings, the report adds.
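The hygiene process the report recommends, flagging CNAME records whose target resource has been shut down, can be scripted against a zone export. The following is an added example written for this page, not code from CSO or Infoblox. The zone records, the provider hostnames and the stub resolver answers are all constructed so that it runs offline; the optional `live_resolve` helper assumes the dnspython library is installed and is the only part that touches the network.

```python
"""Audit a DNS zone for dangling CNAME records (added example, not from the article).

A CNAME whose target now returns NXDOMAIN is the signature of a resource that
was torn down while its DNS record was left behind.  The audit below walks a
zone, resolves every CNAME target, and emits a removal notice for each one
that no longer exists, which is exactly the notification the report recommends.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Record:
    name: str   # owner name in our zone, e.g. "old-app.example.com."
    rtype: str  # "CNAME", "A", ...
    rdata: str  # CNAME target, or address for A records


# Constructed sample zone.  example.com and the provider names are
# placeholders, not real assets.
SAMPLE_ZONE: List[Record] = [
    Record("www.example.com.", "A", "203.0.113.10"),
    Record("blog.example.com.", "CNAME", "blog-prod.hosting-provider.example."),
    Record("old-app.example.com.", "CNAME", "old-app-tenant.cloud-provider.example."),
    Record("shop.example.com.", "CNAME", "shop-edge.cdn-provider.example."),
]

# Constructed view of what public DNS currently answers for each target.
# None models NXDOMAIN: the hosted resource was deleted but our CNAME remains.
STUB_ANSWERS: Dict[str, Optional[List[str]]] = {
    "blog-prod.hosting-provider.example.": ["198.51.100.7"],
    "old-app-tenant.cloud-provider.example.": None,   # resource shut down
    "shop-edge.cdn-provider.example.": ["198.51.100.20"],
}

Resolver = Callable[[str], Optional[List[str]]]


def stub_resolve(name: str) -> Optional[List[str]]:
    """Offline stand-in for a resolver: address list, or None for NXDOMAIN."""
    return STUB_ANSWERS.get(name)


def live_resolve(name: str) -> Optional[List[str]]:
    """Real lookup via dnspython (assumed installed; not used by the offline run)."""
    import dns.resolver  # optional dependency, imported lazily
    try:
        answer = dns.resolver.resolve(name, "A")
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        # Name exists but has no usable A answer: not NXDOMAIN, so not flagged here.
        return []
    return [r.to_text() for r in answer]


def find_dangling_cnames(zone: List[Record], resolve: Resolver) -> List[Record]:
    """Return every CNAME record whose target resolves to NXDOMAIN."""
    dangling: List[Record] = []
    for rec in zone:
        if rec.rtype != "CNAME":
            continue
        if resolve(rec.rdata) is None:
            dangling.append(rec)
    return dangling


def decommission_notice(rec: Record) -> str:
    """The alert the report calls for: remove the CNAME once its resource is gone."""
    return (f"REMOVE {rec.name} CNAME {rec.rdata}: "
            "target returns NXDOMAIN; backing resource appears to be shut down")


if __name__ == "__main__":
    for rec in find_dangling_cnames(SAMPLE_ZONE, stub_resolve):
        print(decommission_notice(rec))
```

Run periodically against a fresh zone export and diff the result against the previous run, so that a target that flips from answering to NXDOMAIN raises a ticket the same day; a target that merely returns no A record is deliberately not flagged, since that is a different condition from the name ceasing to exist.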
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3991070/poor-dns-hygiene-is-leading-to-domain-hijacking-report.html