RSAC 2019: Grand Theft DNS

[harlan4096]

At RSA Conference 2019, the SANS Institute reported on several new types of attack that they consider to be highly dangerous. This post looks at one of them.

An attack highlighted by SANS instructor Ed Skoudis can potentially be used to take full control of a company’s IT infrastructure — and no complex tools are required, just relatively simple DNS manipulations.

Manipulating enterprise DNS infrastructure

Here’s how the attack works:

1. Cybercriminals harvest (by whatever means) username/password pairs for compromised accounts, of which there are currently hundreds of millions, if not billions in known databases alone.

2. They use these credentials to log into the services of DNS providers and domain registrars.

3. Next, the intruders modify the DNS records, substituting the corporate domain infrastructure with their own.

4. In particular, they modify the MX record and intercept messages by redirecting all corporate mail to their own mail server.

5. The cybercriminals register TLS certificates for the stolen domains. At this stage, they are already in a position to intercept corporate mail and can provide proof of domain ownership, which in most cases is all that’s required to have a certificate issued.

After that, the attackers can redirect traffic bound for the target corporation’s servers to their own machines. As a result, visitors to the company website are taken to fake resources that look authentic to all filters and protection systems. We encountered this scenario for the first time back in 2016, when researchers at our Brazilian branch of GReAT uncovered an attack allowing intruders to hijack the infrastructure of a large bank.

Continue Reading