Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

The wave of domain hijackings besetting the Internet is worse than we thought

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 18 Apr 2019 05:49:13 +0000 (UTC)
https://arstechnica.com/information-technology/2019/04/state-sponsored-domain-hijacking-op-targets-40-organizations-in-13-countries/

By Dan Goodin
Ars Technica
4/17/2019
The wave of domain hijacking attacks besetting the Internet over the past few months is worse than previously thought, according to a new report that says state-sponsored actors have continued to brazenly target key infrastructure despite growing awareness of the operation.
The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the highjacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.
Reverse DNS records show that in late March nsd.cafax.com resolved to a malicious IP address controlled by the attackers. NSD is often used to abbreviate name server demon, an open-source app for managing DNS servers. It looks unlikely that the attackers succeeded in actually compromising Cafax, although it wasn't possible to rule out the possibility.
"I've also seen attributions to this name," Liman told Ars, referring to nsd.cafax.com. "The strange thing is that that name doesn't exist. There is, and, as far as I can remember, has never been, such a name in the legitimate cafax.se domain." He said the techniques involved in the March attack are consistent with the Netnod hijacking. Asked how the March attack affected Cafax customers, Liman wrote: "I don't know. I was not in a position to observe things as they happened, so I don't know what the black hats did." 

[...]


--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
Previous By Date Next
Previous By Thread Next

Current thread: