Poor DNS hygiene is leading to domain hijacking

Threat actors continue to find ways of hijacking domains thanks to poor DNS record-keeping and misconfigurations by administrators, a hole that CSOs have to plug or risk financial or reputational damage to their organizations.

The latest example of the risk came in a report today from Infoblox on a threat actor it calls Hazy Hawk, which it says took over the subdomains of the US Centers for Disease Control and Prevention (CDC) in February and used them to host dozens of URLs that pointed to porn videos. This person or gang has been finding gaps in DNS records since at least December 2023, victimizing large universities and international firms.

“Hazy Hawk finds gaps in DNS records that are quite challenging to identify,” says the report, “and we believe they must have access to commercial passive DNS services to do so.”

The hijacked domains are used to host large numbers of URLs that send users to sites hosting scams and malware by way of different traffic distribution systems (TDSs), the report says.

The integration of malicious push notifications to fool end users in the attack chain acts as a force multiplier, it adds. These notifications try to convince employees to click on a link to update their anti-virus, turn on their firewall, or contact Microsoft support. The links, of course, download malware or lead to sites demanding payment for support.

“Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or ‘highbrow’ cybercrime,” the report says. “Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering impact. Hazy Hawk is indicative of the lengths scam artists will go to get a portion of the multi-billion-dollar fraud market.”

Abandoned site

In the case of the CDC, Infoblox believes the centre had abandoned an Azure-hosted website or content bucket it was using, but didn’t tell the DNS management admin. That allowed the threat actor to find what experts call the site’s “dangling” DNS record.

The problem involves the complex way DNS records point to an IP address. What’s called an A record maps a website name to one or more IP addresses. What’s called a CNAME record maps a name to another name. It’s used when, for example, an organization that starts using “firm.com” needs to also have “firmus.com,” or if “firm.com” buys another company and wants users who type the acquired company’s name into their browser address bar to automatically go to “firm.com.” But if the resource that a subdomain’s CNAME points to is dropped by the website team without notifying the DNS team, the record is left dangling; a threat actor who finds it can register or claim the target name and take over the subdomain.

But, notes Infoblox, finding a dangling CNAME record needs skill, which apparently Hazy Hawk has.

“Hazy Hawk and other cloud resource hijacking actors are likely doing significant manual work to validate vulnerable domains due to the various ways each cloud provider handles dropped resources,” says the report.

In addition, Hazy Hawk obfuscates the URLs it takes over to hide which cloud resource was hacked, and often redirects victims to a second domain it controls for hosting malicious content.

DNS hijacking comes in many forms

DNS hijacking comes in many forms. In 2019, CSO interviewed Paul Vixie, a DNS system contributor, about the need to strengthen security. We later wrote about the problem of abandoned domain names. And things haven’t changed a lot since then. Most CISOs may be familiar with typosquatting, where “firm.com” has to compete with “firm.co.” Threat actors also try to steal DNS admin credentials to take over accounts.

Domain hijacking is relatively easy to do, commented Robert Beggs of Canadian incident response provider DigitalDefence. “These attacks are rarely noticed by the domain owner until it is too late,” he said in an email to CSO.

“They succeed due to the shared responsibility of domain name management,” he wrote. “Domain name holders (the business), domain registrars, DNS providers, and web hosting companies must ensure that domain names are accurate. In the case of Hazy Hawks, it appears that an automated attack exploited weak or improperly configured CNAME records to permit domain hijacking. Surprisingly, in spite of the breadth of the attack, no one appeared to have noticed that it was happening, indicating that traditional detection systems are not keeping pace with emerging attacks.”

Preventing this type of attack requires the domain users to properly authorize and manage their domains, Beggs said. Domain names are a large attack surface distributed across multiple entities with varying degrees of responsibility.

“This is an attack that has been known since at least 2016, highlighting the need for domain owners to have a stronger control on domains that they are responsible for. Presently, domains are generally managed as being either live or expired, and this level of basic control is poorly implemented. New tools are required to have stronger authentication, support long-term management, and provide alerts for changes to domain records,” Beggs said.

Problem ‘getting bigger’

The problem of dangling CNAME records “is getting bigger and bigger,” Infoblox report co-author Renée Burton, the company’s vice-president of threat intelligence, told CSO.

“This is really hard for security vendors” to fix, she added, “because everything along the [DNS] chain is legitimate” once the dangling CNAME record has been captured by a threat actor.

The security market and cloud providers will eventually offer solutions for this problem, she predicted, adding that Azure has already put in some protections against this kind of hijacking.

But, ultimately, CISOs have to have processes for DNS hygiene, Burton said. “In the end, it comes down to the enterprise straightening out their records and services.”

In its report, Infoblox warns admins that DNS hijacking is common after mergers and acquisitions, when IT and DNS admins may not know all the assets they have.

The researchers also say domain owners can protect themselves against DNS hijacking by making sure their DNS records are well managed – which can be difficult, they admit, in multi-national organizations where management of projects, domain registration and DNS records may be in separate organizations.

“We recommend the establishment of processes that trigger a notification to remove a DNS CNAME record whenever a resource is shut down, as well as tracking active resources,” the report says.
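The two controls the article describes, auditing a zone for CNAME records whose target is no longer an active resource (the dangling-record problem explained in the section above) and generating a removal notice whenever a resource is shut down (the process Infoblox recommends here), can be reduced to a small script. The following is an added example, not code from Infoblox, CSO or any of the people quoted; the zone snapshot, the resource inventory and every hostname in it are constructed sample values, and the "active resource inventory" is assumed to be exported from whatever the organization uses to track its cloud assets.

```python
"""Dangling-CNAME audit and decommissioning check (added example).

Models two controls from the article:
  1. find CNAME records whose target is not in the inventory of resources
     the organization still runs (candidate dangling records), and
  2. when a resource is shut down, list the CNAME records that must be
     removed so that no record is left pointing at a name nobody owns.

All names, records and inventory entries below are constructed samples.
"""
from dataclasses import dataclass

# Constructed zone snapshot in a simplified BIND-style layout:
# "<owner> <ttl> IN <type> <rdata>". Hostnames are hypothetical.
SAMPLE_ZONE = """\
www.example.org.       300 IN A      192.0.2.10
portal.example.org.    300 IN CNAME  portal-prod.azurewebsites.net.
reports.example.org.   300 IN CNAME  oldreports.blob.core.windows.net.
legacy.example.org.    300 IN CNAME  legacy-app.azurewebsites.net.
mail.example.org.      300 IN MX     10 mx1.example.org.
"""

# Constructed inventory of cloud resources that are still provisioned.
# In practice this would be exported from the cloud provider or asset CMDB.
ACTIVE_RESOURCES = {"portal-prod.azurewebsites.net"}


@dataclass(frozen=True)
class Record:
    owner: str   # the name on the left-hand side of the record
    rtype: str   # A, CNAME, MX, ...
    rdata: str   # the right-hand side, normalized to lowercase


def _fqdn(name: str) -> str:
    """Normalize a DNS name: lowercase with a single trailing dot."""
    name = name.strip().lower().rstrip(".")
    return name + "."


def parse_zone(text: str) -> list[Record]:
    """Parse the simplified zone layout above; skips blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        rtype = parts[3].upper()
        rdata = " ".join(parts[4:])
        # Only name-valued types are normalized as names; A/MX data is kept as-is.
        if rtype == "CNAME":
            rdata = _fqdn(rdata)
        records.append(Record(_fqdn(parts[0]), rtype, rdata.lower()))
    return records


def find_dangling_cnames(records: list[Record], active: set[str]) -> list[Record]:
    """CNAME records whose target is not a known active resource.

    These are review candidates: a target owned by a third party will also
    show up here, so the list is a worklist for the DNS team, not a verdict.
    """
    active_fqdn = {_fqdn(a) for a in active}
    return [r for r in records if r.rtype == "CNAME" and r.rdata not in active_fqdn]


def decommission_notice(records: list[Record], resource: str) -> list[str]:
    """Names whose CNAME points at `resource`; these records must be removed
    (or repointed) as part of shutting the resource down."""
    target = _fqdn(resource)
    return sorted(r.owner for r in records if r.rtype == "CNAME" and r.rdata == target)


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for rec in find_dangling_cnames(zone, ACTIVE_RESOURCES):
        print(f"REVIEW: {rec.owner} -> {rec.rdata} (target not in active inventory)")
    for owner in decommission_notice(zone, "portal-prod.azurewebsites.net"):
        print(f"NOTIFY DNS TEAM: remove CNAME {owner} before shutdown")
```

Run against the sample data, the audit flags `reports.example.org.` and `legacy.example.org.` for review, and the decommissioning check for the portal resource names `portal.example.org.` as the record to remove first. A production version would add a second signal the inventory comparison cannot give, namely resolving each CNAME target and treating NXDOMAIN or a provider "resource not found" response as confirmation that the record is dangling; that requires network access and is deliberately left out of this offline example.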

As for making sure employees aren’t suckered, Infoblox says staff should be urged to deny push notification requests from websites they don’t know. Unwanted notifications can be turned off in browser settings, the report adds.
