![Page 1: ISC Presentation Template · Eddy Winstead, ISC April 29th, 2020 . What we’re going to covering • What why and how of domain hijacking • Examples of various hijacking methods](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f824492c2e7cf3c1a2135cc/html5/thumbnails/1.jpg)
Domain Hijacking
Matthew C. Stith, Spamhaus
Eddy Winstead, ISC
April 29th, 2020
https://www.isc.org
![Page 2: ISC Presentation Template · Eddy Winstead, ISC April 29th, 2020 . What we’re going to covering • What why and how of domain hijacking • Examples of various hijacking methods](https://reader034.vdocuments.us/reader034/viewer/2022050405/5f824492c2e7cf3c1a2135cc/html5/thumbnails/2.jpg)
What we’re going to cover
• What, why and how of domain hijacking
• Examples of various hijacking methods
• High profile stories about hijacked domains
• What can be done to protect domains and networks
• Q&A
What is Domain Hijacking?
• Malicious actors gaining access to the DNS records of a legitimate domain (which they do not own):
• In some cases only the root domain’s DNS is changed. This is reflected in the WHOIS.
• In other cases a new host (subdomain) is created with new DNS settings. This practice is called domain shadowing. It is not visible at the WHOIS level.
Why is it exploited?
The following two factors lead to a positive reputation:
• The age of the domain
• The legitimacy of the domain
Meaning many of these domains may be able to send email or serve content without much scrutiny from content or reputation filters.
How is it happening?
• Phishing
• Social engineering
• Compromised DNS
• Exploiting weaknesses in applications
• Malware
Passive DNS Data
Investigating domain hijacking
• Passive DNS data is collected with special probes activated on a DNS resolver.
• The probes record anonymized cache misses.
• Data is collected through DNS recursive servers.
• Simple and extensive search functionalities make this data easy to search.
[Diagram: resolution flow] Client queries local DNS resolver → Domain not included in cache → Query external root server (Domain not found) → Query top level domain server (Domain not found) → Query name server → Client gets a match. Data from the recursive segment is recorded.
Examples – Domain
Domain
Domain and Subdomain
Subdomain Only: Domain Shadowing
Everything looks normal at the root domain level
Subdomain Only: Domain Shadowing
But when we look at a right-side search of the domain, we find something quite different happening
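An added example, not code from the presentation or from Spamhaus, of the check behind the passive DNS and domain shadowing slides: a right-side search over constructed passive DNS records for a hypothetical apex, then a filter for recently created hostnames that resolve to addresses the apex itself never used. The record shape, the apex name, the timestamps and the addresses are all constructed.

```python
"""Right-side search and domain-shadowing check over passive DNS records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive DNS records, not real observations, in the common
# (rrname, rrtype, rdata, time_first, time_last) shape. The apex
# example-shop.test. keeps its long-standing NS/A records; two short,
# random-looking hosts appeared days ago on unrelated addresses.
PDNS = [
    ("example-shop.test.", "NS", "ns1.hosting-provider.test.", "2015-03-01", "2020-04-20"),
    ("example-shop.test.", "NS", "ns2.hosting-provider.test.", "2015-03-01", "2020-04-20"),
    ("example-shop.test.", "A", "203.0.113.10", "2015-03-02", "2020-04-20"),
    ("www.example-shop.test.", "A", "203.0.113.10", "2015-03-02", "2020-04-20"),
    ("mail.example-shop.test.", "A", "203.0.113.11", "2016-06-10", "2020-04-20"),
    ("xk3d.example-shop.test.", "A", "198.51.100.77", "2020-04-18", "2020-04-20"),
    ("bfq9.example-shop.test.", "A", "198.51.100.78", "2020-04-19", "2020-04-20"),
]

def right_side_search(records, apex):
    """Every hostname ending in the apex: what WHOIS and an apex-only
    lookup never show, and where shadow hosts become visible."""
    return sorted({r[0] for r in records if r[0].endswith("." + apex)})

def shadow_candidates(records, apex, now, max_age_days=30):
    """Hostnames under the apex first seen within max_age_days whose A
    records point somewhere the apex itself has never pointed."""
    now = datetime.fromisoformat(now)
    apex_addrs = {r[2] for r in records if r[0] == apex and r[1] == "A"}
    first_seen, addrs = {}, defaultdict(set)
    for name, rrtype, rdata, t_first, _ in records:
        if rrtype != "A" or name == apex or not name.endswith("." + apex):
            continue
        addrs[name].add(rdata)
        ts = datetime.fromisoformat(t_first)
        first_seen[name] = min(ts, first_seen.get(name, ts))
    hits = []
    for name in sorted(addrs):
        recent = now - first_seen[name] <= timedelta(days=max_age_days)
        foreign = addrs[name] - apex_addrs   # addresses the apex never used
        if recent and foreign:
            hits.append((name, sorted(foreign)))
    return hits

if __name__ == "__main__":
    print("right-side search:", right_side_search(PDNS, "example-shop.test."))
    for host, where in shadow_candidates(PDNS, "example-shop.test.", "2020-04-21"):
        print(f"possible shadow host {host} -> {', '.join(where)}")
```

The long-standing mail host on a second address of the same provider is left alone because it is old; only the fresh hosts on unrelated space are reported, which is the pattern the slides describe.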
Domain Shadowing in the wild
Received: from ragalonragdolls.com (unknown [117.212.90.45]) by Redacted (Postfix) with ESMTP id C1E03C0506 for <XXXXXXXXXXXX>; Fri, 27 Dec 2019
Envelope-To: .fr
Delivery-Date: Fri, 27 Dec 2019
From: Mondial Relay <[email protected]>
Content-Type: multipart/mixed; boundary="------------I305M09060309060P_365415389083760"
X-Mril-Campaign: [ wymdjppebfuzjvaryknajxczybxsdpnqqftaut//f6cfc= ]
To:
MIME-Version: 1.0
Subject: Livraisonufyn
Date: Fri, 27 Dec 2019
<small><a href=3D"http://rx.apebbleintheroad.org//racontaient~Cagne/~Junkyf= XXXXXXXXXXXXXX/">tena</a> Mondial RELAY</small><br> <table><tr><td><a href=3D"http://rx.apebbleintheroad.org//racontaient~Cagne= /~JunkyXXXXXXXXXXXXX/"><img src=3D"cid:defrag.jpg" alt=3D""></a></td><t=d></td></tr></table><br><br><div style=3D"color: #987"><br><br> iblocklist Terrifiant Retrouve Pacino invalidant gauchi<br> =C2=A9 Mondial Relay, 1601 Willow Road, Menlo Park, CA 94025.<br>=C2=A9 This <a href=3D"http://rx.apebbleintheroad.org//racontaient~Cagne/~J= unkyfaitchier.Nimeyer/">message</a> was sent to and intended for Not your account? 93937 Remove your <a href=3D"http://rx.apebbleintheroad.org//racont= aient~Cagne/~JunkyXXXXXXXXXXXXXXXX/">email</a> from this account.<br> Reported Parcequ comedique Aquatique reservees Larcher<br> </div><br>
Recent Incidents with Domain Hijacking
• Openprovider
• Nation State DNS Hijacking
• GoDaddy DNS Management issues and after
OpenProvider (E-hawk.net hijack)
• E-Hawk: a fraud prevention company
• In December 2019 the attacker used social engineering of the customer support at OpenProvider to gain access to the domain.
• After waiting almost 3 weeks, the attacker changed the DNS settings. E-Hawk was made aware of this change immediately.
• Less than 48 hours later E-Hawk was able to regain ownership of their domain, which would not have been possible without industry relationships.
Nation State DNS Hijacking
• From 2017 to 2019 multiple Middle Eastern, African and US companies and governments had their domains’ DNS settings hijacked.
• Cisco, FireEye, CrowdStrike, and the US Government warned about the group, named DNSpionage.
• Compromise of a domain registrar to gain access to DNS settings.
• The sites that were hijacked were used for redirection purposes.
• The group also used fake job websites, malware and macros in files to attempt to compromise users.
• Hijackers registered SSL certificates for the domains, allowing them to gain access to encrypted passwords, email messages and VPN credentials.
GoDaddy – Timeline
• 2016: a vulnerability identified in Managed DNS at cloud providers.
• Late 2018: bomb threat emails sent from big name brand domains.
• Jan 2019: reports come out regarding the incidents, along with other campaigns being sent.
• An entity, dubbed Spammybear, was responsible and hijacked upwards of 4,000 domains.
• Feb 2019: remnants of that hijack remained and were snuffed out.
GoDaddy
Spamhaus has found that the hijacking has not stopped:
• Jun 2019, domain shadowing observed at over 10,000 domains:
• Pointing to Russian infrastructure
• Upon notification most of the shadowing was stopped
• Dec 2019, attackers switched from adding hostnames to directly hijacking
• The rate of hijacking is upwards of 100 domains daily.
GoDaddy – Domain Hijacking
[Bar chart: hijacked domains per month, bars labelled Jan, Feb, March, April; values as extracted: 5830, 3433, 1121, 4345; axis 0 to 7000]
Spamhaus’ tracking of GoDaddy hijacks
• Spamtraps intercepting phishing mail from hijacked domains.
• Domain shadowing happening at GoDaddy in mid-2019. Shut down quickly after.
• Attackers switched to straight domain hijacking afterwards.
• Using Passive DNS and other tracking methods we were able to identify the pattern being used and negatively score the reputation of the domains that had been hijacked.
Protecting yourself (domain owners)
• Two-Factor Authentication
• Passphrase management and/or strong passwords
• DNSSEC
• Registry Lock
• Limit access to your domain(s) in a large organization
• Diversify account security
• Track any change to your domain(s) and DNS
• Research registrars
Protecting networks (customers and employees)
• Netflow Analysis (where applicable)
• Passive DNS
• BGP
• DNS Firewall
• Awareness around social engineering, phishing, etc.
Protecting Registrar Customers
• Robust reporting on account access
• High profile and/or high value domain identification
• Two-factor authentication
• Regular review of customer documents
• Social Engineering, Phishing, and other malicious scenario awareness
• Work with the Anti-Abuse Industry
Q & A
What Can I do …?
Passive DNS:
- Check domains, IPs, and Brands using our Free Passive DNS
- What is Passive DNS? A beginner’s Guide
- Free Access to Passive DNS
DNS Firewall Threat Feeds:
- Protect your users
- Add Spamhaus DNS RPZ feeds to BIND (and other resolvers) = DNS Firewall
- Beginner’s Guide to DNS Firewall/RPZ
- DNS Firewall Factsheet
- Rackspace DNS Firewall Case Study
- Also a docker image available
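An added example, not part of the presentation and not the Spamhaus feed format itself, of what an RPZ zone loaded into BIND as a DNS Firewall contains: a small builder that emits RPZ trigger records for hostnames (with the wildcard twin that also covers shadow hosts beneath them) and for IP ranges, which RPZ encodes in reversed-octet form. The zone origin, hostnames, address range and SOA values are assumed placeholders.

```python
"""Emit a BIND Response Policy Zone (RPZ) that blocks hostnames and address
ranges: the record types a DNS Firewall feed delivers to the resolver."""
import ipaddress

def rpz_ip_trigger(cidr):
    """RPZ encodes an IP trigger as <prefixlen>.<octets reversed>.rpz-ip,
    so 198.51.100.0/24 becomes 24.0.100.51.198.rpz-ip. IPv4 only here."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 triggers only")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"

def build_rpz_zone(origin, hostnames, ip_blocks, serial):
    """Return zone text. 'CNAME .' is the RPZ action that makes the resolver
    answer NXDOMAIN; a '*.' twin covers every name below the listed host."""
    origin = origin if origin.endswith(".") else origin + "."
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for host in sorted({h.strip().rstrip(".").lower() for h in hostnames}):
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")
    for cidr in ip_blocks:
        # matches any answer whose address falls inside the block
        lines.append(f"{rpz_ip_trigger(cidr)} CNAME .")
    return "\n".join(lines) + "\n"

# Placeholder data: shadow hosts and a hosting range flagged by investigation.
BLOCKED_HOSTS = ["xk3d.example-shop.test.", "BFQ9.example-shop.test"]
BLOCKED_RANGES = ["198.51.100.0/24"]

if __name__ == "__main__":
    # named.conf then attaches the zone, e.g.
    #   response-policy { zone "rpz.local"; };
    #   zone "rpz.local" { type master; file "rpz.local.zone"; };
    print(build_rpz_zone("rpz.local", BLOCKED_HOSTS, BLOCKED_RANGES, 2020042901), end="")
```

Bump the SOA serial on every regeneration, or the resolver will keep serving the previous copy of the zone.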
Contact [email protected]
Arnie Bjorklund
SecurityZONES / Spamhaus Technology
- Questions, Free Trials
- Technical Assistance
- Expertise
Recommended Reads
All of the incidents I have mentioned have multiple articles and blogs referenced in them. Here they are. Please read and share.
GoDaddy
https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/
https://arstechnica.com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/
https://krebsonsecurity.com/2019/02/crooks-continue-to-exploit-godaddy-hole/
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/
https://www.spamhaus.org/news/article/797/the-current-state-of-domain-hijacking-and-a-specific-look-at-the-ongoing-issues-at-godaddy
Openprovider
https://krebsonsecurity.com/2020/01/does-your-domain-have-a-registry-lock/
Nation State DNS Hijacking
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive
https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/