The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
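As an added example that is not part of the advisory, the following Python checks for the two observable symptoms the paragraph above describes: drift in an organization's DNS records and certificates issued for its names that it did not request. Every record, fingerprint and hostname in it is constructed sample data, not an indicator from the advisory.

```python
"""Detect the hijacking pattern described above: records in the zone that no
longer match a trusted baseline, and certificates for our names that we never
requested. All data below is constructed sample data."""

def diff_records(baseline: dict, observed: dict) -> list:
    """Compare record sets keyed by (name, rtype); return one finding per
    changed set as (name, rtype, added, removed)."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        base, obs = baseline.get(key, set()), observed.get(key, set())
        if base != obs:
            findings.append((*key, sorted(obs - base), sorted(base - obs)))
    return findings

def san_covers(san: str, name: str) -> bool:
    """A wildcard SAN matches exactly one label below its base name."""
    if san.startswith("*."):
        base = san[2:]
        return name.endswith("." + base) and name.count(".") == base.count(".") + 1
    return san == name

def unexpected_certs(ct_entries: list, our_names: set, known_fps: set) -> list:
    """Return CT log entries that cover one of our names but whose fingerprint
    is not among the certificates we know we requested. An attacker who controls
    the zone can pass domain validation, so the issuer alone is not a filter."""
    hits = []
    for entry in ct_entries:
        if entry["fingerprint"] in known_fps:
            continue
        if any(san_covers(s, n) for s in entry["sans"] for n in our_names):
            hits.append(entry)
    return hits

# Constructed baseline and later observation for example.org.
BASELINE = {("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
            ("mail.example.org", "A"): {"203.0.113.25"},
            ("example.org", "MX"): {"10 mail.example.org."}}
OBSERVED = {("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
            ("mail.example.org", "A"): {"198.51.100.7"},  # mail host now resolves elsewhere
            ("example.org", "MX"): {"10 mail.example.org."}}
CT_ENTRIES = [  # constructed log entries; fingerprints are placeholders
    {"fingerprint": "fp-known-001", "sans": ["example.org", "www.example.org"]},
    {"fingerprint": "fp-unknown-777", "sans": ["mail.example.org"]},
    {"fingerprint": "fp-unknown-778", "sans": ["*.other.test"]},
]
KNOWN_FPS = {"fp-known-001"}
OUR_NAMES = {"example.org", "mail.example.org"}

if __name__ == "__main__":
    for name, rtype, added, removed in diff_records(BASELINE, OBSERVED):
        print(f"DNS drift: {name} {rtype} added={added} removed={removed}")
    for e in unexpected_certs(CT_ENTRIES, OUR_NAMES, KNOWN_FPS):
        print(f"Unexpected certificate for our names: {e['fingerprint']} {e['sans']}")
```

In practice the observed records come from the registrar and authoritative servers and the CT entries from a log monitor; a finding from either check is a prompt to verify the account credentials that can change the zone.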
See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:
Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
NCCIC recommends the following best practices to help safeguard networks against this threat:
Cisco Talos blog: DNSpionage Campaign Targets Middle East
CERT-OPMD blog: [DNSPIONAGE] – Focus on internal actions
FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors
January 24, 2019: Initial version
February 6, 2019: Updated IOCs, added Crowdstrike blog
February 13, 2019: Updated IOCs
blog-cert.opmd.fr/dnspionage-focus-on-internal-actions
blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors
www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html