Domain Name System (DNS) Hijacking

Redport Information Assurance

So, what does DNS Hijacking involve? First, let’s start by stating what it doesn’t involve.

DNS hijacking doesn’t involve threat actors taking over a website. When you type a website address into your browser and DNS servers begin resolving the name you are trying to reach, a threat actor who has taken control of the DNS server that answers for that name simply reroutes your request to a website the threat actor has prepared to receive the data. This means the user never actually receives or accesses the intended website. The threat actor can make the website the user is attempting to reach unavailable, effectively a denial of service, or even install malware on the user’s computer.
Threat actors that hijack a DNS server aren’t generally trying to access the website the user is trying to reach as well. Rather, in some instances the threat actor guides you to their own server or website and proceeds to shake you down for your password and other pertinent information, which would then allow the threat actor to return to the real website the user was trying to access.
In 2013, the New York Times was the target of a DNS hijacking by a well-known nation state threat actor group. The nation state attackers redirected visitors to the NYT website to a domain of their own. The NYT, along with other online newspapers, experienced the same type of attack.
The threat actors looked for vulnerabilities in how the host servers could redirect users to a malicious website, and then exploited those vulnerabilities. The exploits led to users’ data as well as the website’s data being compromised.
The latest DNS hijacking wave occurred as recently as January 23rd, 2019, when the Department of Homeland Security (DHS) issued an “emergency directive” ordering all Federal Agencies to audit their DNS security after a spate of DNS hijackings, some involving nation state actors, against a series of U.S. Federal Agencies. DHS’s recommendations for ensuring that an agency’s DNS servers have not been compromised are the following:
• Conduct regular audits of the organization’s DNS records and secondary DNS servers for unauthorized edits
• Update passwords for all accounts on systems that can be used to alter DNS records
• Enable multi-factor authentication to prevent any unauthorized change to your domains
• Regularly monitor certificate transparency logs
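The first recommendation, auditing DNS records for unauthorized edits, is easy to automate once a known-good snapshot of the zone exists. The Python script below is an added example written for this post, not code from DHS or from Redport; it diffs a constructed baseline snapshot against a constructed "current" snapshot and reports every record set that was added, removed or changed, rating changes to traffic-steering types (A, AAAA, CNAME, NS, MX, SOA) as high severity. The zone listings, host names and addresses are all made up for the example (RFC 5737 documentation addresses and a reserved `.invalid` name); in practice the current snapshot would come from a zone transfer or an API export of the authoritative and secondary servers.

```python
"""Audit a DNS zone for unauthorized edits by diffing two snapshots.

Added example: baseline and current listings below are constructed test data,
not real zone contents.
"""
from typing import Dict, List, Set, Tuple

# A zone snapshot keyed by (owner name, record type) -> set of record data strings.
Zone = Dict[Tuple[str, str], Set[str]]

# Record types whose alteration redirects web traffic, mail or name resolution
# itself, i.e. the levers a DNS hijacker pulls; changes to these are rated "high".
HIGH_RISK_TYPES = {"A", "AAAA", "CNAME", "NS", "MX", "SOA"}


def parse_zone(text: str) -> Zone:
    """Parse a one-record-per-line listing of the form: NAME [TTL] [IN] TYPE DATA...

    Owner names are lower-cased and given a trailing dot so that
    'www.example.com' and 'WWW.example.com.' compare equal.
    Anything after ';' on a line is a comment.
    """
    zone: Zone = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name = fields[0].lower().rstrip(".") + "."
        idx = 1
        if idx < len(fields) and fields[idx].isdigit():        # optional TTL
            idx += 1
        if idx < len(fields) and fields[idx].upper() == "IN":  # optional class
            idx += 1
        if len(fields) < idx + 2:
            raise ValueError(f"malformed record line: {raw!r}")
        rtype = fields[idx].upper()
        data = " ".join(fields[idx + 1:])
        zone.setdefault((name, rtype), set()).add(data)
    return zone


def diff_zones(baseline: Zone, current: Zone) -> List[dict]:
    """Return one finding per record set that differs between the snapshots."""
    findings: List[dict] = []
    for key in sorted(set(baseline) | set(current)):
        old = baseline.get(key, set())
        new = current.get(key, set())
        if old == new:
            continue
        name, rtype = key
        kind = "added" if not old else "removed" if not new else "changed"
        findings.append({
            "kind": kind,
            "name": name,
            "type": rtype,
            "baseline": sorted(old),
            "current": sorted(new),
            "severity": "high" if rtype in HIGH_RISK_TYPES else "medium",
        })
    return findings


def audit(baseline_text: str, current_text: str) -> List[dict]:
    """Parse both listings and return the findings (empty list means no edits)."""
    return diff_zones(parse_zone(baseline_text), parse_zone(current_text))


# Constructed known-good snapshot taken when the zone was last verified.
BASELINE = """
example.com.        3600 IN NS    ns1.example-dns.net.
example.com.        3600 IN NS    ns2.example-dns.net.
example.com.        300  IN A     203.0.113.10
www.example.com.    300  IN CNAME example.com.
example.com.        3600 IN MX    10 mail.example.com.
mail.example.com.   300  IN A     203.0.113.25
"""

# Constructed "current" snapshot containing three hijack-style edits:
# the apex A record now points elsewhere, one NS was swapped for an
# unexpected host, and a validation TXT record appeared (a sign that
# someone may be obtaining a certificate, which the CT log check should catch).
CURRENT = """
example.com.        3600 IN NS    ns1.example-dns.net.
example.com.        3600 IN NS    ns.unexpected-host.invalid.
example.com.        300  IN A     198.51.100.7
www.example.com.    300  IN CNAME example.com.
example.com.        3600 IN MX    10 mail.example.com.
mail.example.com.   300  IN A     203.0.113.25
_acme-challenge.example.com. 60 IN TXT "constructed-validation-token"
"""


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        print(f"[{f['severity'].upper()}] {f['kind']:7} {f['name']} {f['type']}: "
              f"{f['baseline']} -> {f['current']}")
```

Run on the constructed data this reports the added TXT record as medium and the A and NS changes as high. Running the same comparison against each secondary server separately is what catches a secondary that was edited while the primary still looks clean.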

Redport IA, LLC and its team of researchers can assist an organization by implementing the above safeguards in order to protect their DNS servers and other enterprise infrastructure.


By Dr. Randall Sylvertooth

Sources:
https://www.theverge.com/2013/8/27/4665230/new-york-times-website-taken-down-sea-suspected
https://thehackernews.com/2019/01/dns-hijacking-cyber-attacks.html

For more information about Redport’s information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.

Gaithersburg, MD, USA