Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:52 AM

The Easiest Way To Deface A Website Is To Target The Domain Registrar

Hacking the DNS and domain maintenance systems makes for a much easier, safer, and efficient way of defacing the busiest and highest-profile websites on the Internet

Earlier this week there was yet another attack attributed to the Syrian Electronic Army (SEA). For a period of around six hours, some visitors to The New York Times, two Twitter services, and The Huffington Post's U.K. sites were redirected to pro-Assad political Web content. Many people naturally assumed that these high-profile websites had been hacked and then defaced, but in reality the attack was much simpler -- and the SEA attackers had no need to even touch a single server belonging to these organizations.

Despite being arguably the most critical component of the modern Internet, very few people really understand how DNS and, more specifically, domain maintenance works. In recent years, I think businesses with a significant Internet presence have grown to appreciate some of the threats that can affect their DNS infrastructure, but have yet to invest in suitable systems and response plans that'll help keep their sites and content accessible under anything more than the lightest touch of a competent hacker.

Unlike much of the infrastructure used by online businesses to serve content on the Internet or process transactions, DNS and domain registration is almost exclusively managed by third parties. In the majority of cases, these DNS and domain registration providers know their business pretty well, but there's often a big disconnect between the security of their operations and that of their largest clients.

For example, for websites that receive 50,000-plus unique visitors per day or process more than 1,000 financial transactions per hour, you can be pretty sure that they're running current generation perimeter defense systems (NGFW, IPS, DLP, etc.), undergo regular and extensive security reviews and penetration testing, and are generally monitored in real-time by a back-office contingent of seasoned system administrators and product managers -- by the business themselves.

Meanwhile, DNS is hosted by one third party, domain registration is likely managed by another one, and none of the security defenses or alerting systems feeds back to the client. Oh, and the domain registration provider may be the same folks who the company originally purchased the domain name 15 years ago.

From a hacker's perspective, going after the target's DNS infrastructure or domain management portal represents a soft target.

Hacking a modern Web server cluster, subverting it to your political cause, and having that message presented to thousands of site visitors for more than five minutes is a difficult task. Hacking the hosting infrastructure of a major Internet business or service provider is often considerably harder. Meanwhile, targeting and subverting a small DNS hosting provider or obtaining the administration credentials for the domain registration portal is a much easier proposition -- the attacker probably doesn't even need to touch any systems owned and operated by their ultimate target. Once key DNS entries have been altered, the attackers can appear to have compromised the target's Web services for hours (if not days), as the updated entries propagate around the Internet.

While the end effect is the same, the hacks against the DNS server or the domain registration process are technically quite different. Hacking a DNS server, on one hand, is much like hacking any other infrastructure device, but there are also a lot of additional attack vectors that specifically target weaknesses in the way the DNS application and database operates -- looking to affect caching glitches, exploit DNS service vulnerabilities, usurp administrative access controls, or by simply guessing a management account.

Hacking the domain registration system tends to be a different beast. In most cases, hacks against the system focus on obtaining the access credentials of the domain owner or administrator. For example, in the SEA attack earlier this week, the attackers are said to have employed a spearphishing attack against staff at a Melbourne IT reseller to capture administrator-level account details, and used them to edit the name server fields. By changing the name server fields for the targeted domains, the SEA was able to redirect all Internet lookups for those particular top-level domains (TLDs) to DNS servers it controlled, and those DNS servers, in turn, answered inbound lookup queries for hosts (and services) associated with those TLDs with the IP addresses of servers they controlled -- serving up pro-Assad political content.

I've constantly found the domain registration and administrative process to be weak and haphazard. In the first phases of a penetration test, during the passive information gathering phase, it's easy to identify administrative weaknesses in the domain registration details from even a quick WHOIS lookup. When you start to enumerate which accounts can maintain a domain entry (i.e., via the "mnt-by:" tag), and those that still rely on an authentication password protected by a lowly MD5 hash (i.e., "auth: MD5-PW"), you're bound to shake your head in disbelief.

My advice to organizations looking to protect themselves from similar DNS and domain registry level attacks is, in the first order, choose a DNS provider and domain registrar that can prove they've invested in the appropriate level of perimeter defense systems and response strategies -- ideally at a level comparable (or better) than your own. In this particular service tree of the Internet, you really do get what you pay for.

Second, when you're assessing the security of your key websites and Internet accessible infrastructure, make sure that your DNS and domain registrars are not only included in the passive information gathering stages, but are also within the scope of a penetration test or red-team exercise.

Finally, you should "harden" your domain administration processes -- ensuring that you're using strong authentication and change control procedures and, where possible, you've locked the domain via the "registry-lock" and "registrar-lock" options.

A warning, though: Even after performing these actions, DNS and domain maintenance processes will remain one of the weaker points of your Internet security stature. Vigilance is advised. Recognize that this is a continued weak spot, ensure that you monitor for changes continuously, and vet incident response plans appropriately.

Gunter Ollmann, CTO, IOActive Inc.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.