CyberWisdom Safe Harbor Commentary on DNS hijacking:
Today I came across this story from darkreading.com that visualizes a hidden DNS hijacking: a silent threat that puts your network in jeopardy. This technique is easy to implement and can cause great damage.
The recently discovered MaMi malware modifies the DNS configuration of infected devices. It is a good reminder that DNS hijacking is a constant threat that enterprise IT organizations need to take seriously. DNS hijacking is easy to achieve, can be hard to detect, and can cause surprising damage. Here is what you should know and what you can do to fight it.
DNS Hijacking Explained
DNS hijacking is simple: you only have to rewrite a device's DNS configuration so that it sends its queries to malicious DNS servers. Many malware families do this, and it is often just one of the many consequences of a device infection. Almost any malware can do it, since modifying DNS settings usually does not require any special permissions. Perhaps the most famous malware in this category is DNSChanger, which may have infected more than 4 million computers. Although DNSChanger was shut down in 2011, there are still hundreds of thousands of infected computers on the Internet.
So why change a device's DNS configuration? In the case of DNSChanger, it was mostly to replace the ads on websites with advertisements sold by the bad guys running the rogue DNS servers. That may sound relatively harmless, but DNS hijacking can have far more serious implications. For example, David Dagon and his colleagues discovered and documented malicious DNS servers in their 2008 research paper, “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority.” Dagon found a small set of open recursive DNS servers on the Internet that always gave the same answer, no matter which domain name was queried. For example, some would always reply with the same set of IP addresses, none of which was the correct address.
What is the purpose of this DNS service?
Well, it turns out that the hosts at those IP addresses (in our case, A, B and C) are running open web proxies. As a result, users of devices that query those DNS servers unknowingly access the Web through open proxies that can snoop on their traffic. The rogue DNS servers can also easily direct users to sites that look identical to their bank's or broker's, where the users unknowingly enter their credentials, which are captured for later use by the bad guys.
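The behaviour Dagon observed (one fixed answer for every name, including names that cannot exist) is easy to test for from the defender's side. The following check is an added example, not code from the Dark Reading article or from the 2008 paper. To keep it runnable offline, a resolver is modelled as a callable that maps a name to a set of IPv4 strings; the two resolvers at the bottom, the addresses they return (RFC 5737 documentation ranges) and the probe names are all constructed for the demonstration. In production you would wrap a real lookup such as `socket.getaddrinfo` in the same signature.

```python
"""Detect a rogue recursive resolver of the kind Dagon et al. described:
one that returns the same answer no matter which name is queried.

Added example, not from the Dark Reading article or the 2008 paper.
A resolver is modelled as a callable name -> set of IPv4 strings so the
check runs offline; wrap a real lookup (e.g. socket.getaddrinfo) in the
same signature to test a live server.
"""
from __future__ import annotations
from collections import Counter
from typing import Callable, Iterable

Resolver = Callable[[str], frozenset[str]]

# Probe names chosen so that an honest resolver returns *different* answers:
# unrelated real names plus a name under .invalid, a TLD reserved by RFC 2606
# that is guaranteed never to resolve (an honest resolver answers NXDOMAIN).
PROBES = [
    "example.com",
    "example.net",
    "example.org",
    "this-name-should-not-exist-8f3a1c.invalid",
]

def resolution_profile(resolve: Resolver, names: Iterable[str]) -> dict[str, frozenset[str]]:
    """Query each probe name; a failed lookup is recorded as an empty answer set."""
    profile = {}
    for name in names:
        try:
            profile[name] = frozenset(resolve(name))
        except OSError:  # socket.gaierror (NXDOMAIN etc.) is a subclass of OSError
            profile[name] = frozenset()
    return profile

def looks_hijacked(resolve: Resolver, names: Iterable[str] = PROBES) -> bool:
    """Return True when the resolver behaves like a 'malicious resolution authority'.

    Two signals, either of which is enough:
      1. A name that cannot exist resolves to something.
      2. Unrelated real names all map to one identical, non-empty answer set.
    """
    profile = resolution_profile(resolve, names)
    nonexistent = [n for n in profile if n.endswith(".invalid")]
    if any(profile[n] for n in nonexistent):
        return True
    real_answers = [profile[n] for n in profile if n not in nonexistent and profile[n]]
    if len(real_answers) >= 2:
        _, count = Counter(real_answers).most_common(1)[0]
        if count == len(real_answers):
            return True
    return False

# --- constructed resolvers for demonstration (not real servers) -------------
ROGUE_ANSWER = frozenset({"192.0.2.10", "192.0.2.11", "192.0.2.12"})

def rogue_resolver(name: str) -> frozenset[str]:
    """Stand-in for Dagon's rogue server: the same three proxies for every name."""
    return ROGUE_ANSWER

HONEST_TABLE = {
    "example.com": frozenset({"203.0.113.5"}),
    "example.net": frozenset({"203.0.113.6"}),
    "example.org": frozenset({"198.51.100.7"}),
}

def honest_resolver(name: str) -> frozenset[str]:
    """Stand-in for a well-behaved resolver: per-name answers, NXDOMAIN otherwise."""
    if name not in HONEST_TABLE:
        raise OSError("NXDOMAIN")  # mirrors the gaierror a real lookup raises
    return HONEST_TABLE[name]

if __name__ == "__main__":
    print("rogue  :", looks_hijacked(rogue_resolver))   # True
    print("honest :", looks_hijacked(honest_resolver))  # False
```

The nonexistent-name probe is the stronger signal: a resolver that invents an address for a name under `.invalid` is answering from its own policy rather than from the authoritative hierarchy, whatever it does for real names.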
Fortunately, there is a simple way to mitigate the threat of these DNS hijacking attacks: do not let any internal IP address on your corporate network send DNS queries to arbitrary IP addresses on the Internet.
In most DNS architectures, only a handful of DNS servers (called Internet forwarders) actually need to be able to query DNS servers on the Internet. You should specifically allow only their IP addresses to exchange DNS messages with IP addresses on the Internet. If some of your internal devices are infected with malware that modifies their DNS configuration, they will simply stop resolving domain names, which should alert the user that something is wrong. Hopefully that will prompt them to bring the device to IT, and with luck the infection will be discovered.
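Once the egress rule above is in place, the firewall's own logs become the detector: any internal host other than the forwarders that tries to reach port 53 on the Internet has had its resolver settings changed (or was never pointed at the internal servers in the first place). The audit below is an added example, not code from the Dark Reading article. The flow-log format, the forwarder addresses (`10.0.0.53`, `10.0.1.53`) and the log lines themselves are constructed assumptions for the demonstration; replace them with your own inventory and log source.

```python
"""Audit DNS egress against the 'only the forwarders talk to the Internet' rule.

Added example, not from the Dark Reading article. Input is a handful of
constructed firewall flow-log lines in a simple key=value format; the
forwarder addresses and the internal ranges are assumptions for the demo.
"""
from __future__ import annotations
import ipaddress
import re

# Assumed internal address space (RFC 1918) and the two hosts allowed to
# forward queries to the Internet. Replace with your own inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_FORWARDERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

# Constructed flow-log lines. External addresses are RFC 5737 documentation ranges.
CONSTRUCTED_FLOWS = [
    "2024-01-15T10:00:01Z src=10.0.0.53 dst=198.51.100.1 proto=udp dport=53 action=allow",  # forwarder: expected
    "2024-01-15T10:00:02Z src=10.5.7.21 dst=10.0.0.53 proto=udp dport=53 action=allow",     # client -> forwarder: expected
    "2024-01-15T10:00:03Z src=10.5.7.21 dst=192.0.2.77 proto=udp dport=53 action=deny",     # client -> Internet: violation
    "2024-01-15T10:00:04Z src=10.5.7.21 dst=192.0.2.77 proto=tcp dport=53 action=deny",     # retry over TCP: violation
    "2024-01-15T10:00:05Z src=10.5.7.21 dst=198.51.100.9 proto=tcp dport=443 action=allow", # not DNS
    "2024-01-15T10:00:06Z src=192.168.3.40 dst=192.0.2.78 proto=udp dport=53 action=allow", # violation the firewall let through
]

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> dict | None:
    """Parse one key=value flow line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "action": m["action"].lower(),
    }

def dns_egress_violations(lines: list[str]) -> list[dict]:
    """Return DNS flows (UDP/TCP port 53) from a non-forwarder internal host to the Internet."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f["dport"] != 53 or f["proto"] not in ("udp", "tcp"):
            continue                                   # not a DNS flow
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                                   # not internal -> Internet
        if f["src"] in INTERNET_FORWARDERS:
            continue                                   # the approved forwarders
        violations.append(f)
    return violations

def hosts_to_investigate(violations: list[dict]) -> dict[str, dict[str, int]]:
    """Count offending flows per source host.

    'blocked' flows are hosts whose resolver settings need checking;
    'allowed' flows additionally mean the egress rule itself has a gap.
    """
    counts: dict[str, dict[str, int]] = {}
    for v in violations:
        entry = counts.setdefault(str(v["src"]), {"blocked": 0, "allowed": 0})
        entry["blocked" if v["action"] == "deny" else "allowed"] += 1
    return counts

if __name__ == "__main__":
    for host, c in hosts_to_investigate(dns_egress_violations(CONSTRUCTED_FLOWS)).items():
        print(f"{host}: {c['blocked']} blocked, {c['allowed']} allowed")
```

An "allowed" entry is worth chasing first: it means a host reached an Internet resolver despite the policy, so the firewall rule is incomplete as well as the host being suspect. Note that this check only covers classic port-53 DNS; a resolver configured for DNS over HTTPS on port 443 would not appear here and needs a separate control.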
The technique is easy to carry out and can cause much damage. Here’s what you need to know about fighting back… Engaging post, Read More…
thumbnail courtesy of darkreading.com
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.