{"id":2495,"date":"2019-01-24T20:01:42","date_gmt":"2019-01-24T13:01:42","guid":{"rendered":"https:\/\/humanit.asia\/?p=2495"},"modified":"2019-07-22T13:39:28","modified_gmt":"2019-07-22T06:39:28","slug":"aa19-024a","status":"publish","type":"post","link":"https:\/\/old.humanit.asia\/th\/aa19-024a\/","title":{"rendered":"AA19-024A: DNS Infrastructure Hijacking Campaign"},"content":{"rendered":"<div>\n<p>Original release date: January 24, 2019<\/p>\n<h3>Summary<\/h3>\n<p>The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization\u2019s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization\u2019s domain names, enabling man-in-the-middle attacks.<\/p>\n<p>See the following links for downloadable copies of open-source\u00a0indicators of compromise\u00a0(IOCs) from the sources listed in the References section below:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/AA19-024_IOCs.csv\">IOCs (.csv)<\/a><\/li>\n<li><a href=\"https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/AA19-024_IOCs.stix.xml\">IOCs (.stix)<\/a><\/li>\n<\/ul>\n<p>These files will be updated as information becomes available.<\/p>\n<h3>Technical Details<\/h3>\n<p>Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.<\/p>\n<ol>\n<li>The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.<\/li>\n<li>Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, 
replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.<\/li>\n<li>Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization\u2019s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.<\/li>\n<\/ol>\n<h3>Mitigations<\/h3>\n<p>NCCIC recommends the following best practices to help safeguard networks against this threat:<\/p>\n<ul>\n<li>Update the passwords for all accounts that can change organizations\u2019 DNS records.<\/li>\n<li>Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.<\/li>\n<li>Audit public DNS records to verify they are resolving to the intended location.<\/li>\n<li>Search for encryption certificates related to domains and revoke any fraudulently requested certificates.<\/li>\n<\/ul>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/blog.talosintelligence.com\/2018\/11\/dnspionage-campaign-targets-middle-east.html\">Cisco Talos DNSpionage Campaign Targets Middle East <\/a><\/li>\n<li><a href=\"https:\/\/blog-cert.opmd.fr\/dnspionage-focus-on-internal-actions\/\">CERT-OPMD [DNSPIONAGE] \u2013 Focus on internal actions<\/a><\/li>\n<li><a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2019\/01\/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html\">FireEye Global DNS Hijacking Campaign: DNS Record Manipulation at Scale <\/a><\/li>\n<\/ul>\n<h3>Revisions<\/h3>\n<ul>\n<li>January 24, 2019: Initial version<\/li>\n<\/ul>\n<hr \/>\n<p>This product is provided subject to this <a 
href=\"http:\/\/www.us-cert.gov\/privacy\/notification\">Notification<\/a> and this <a href=\"http:\/\/www.us-cert.gov\/privacy\/\">Privacy &amp; Use<\/a> policy.<\/p>\n<\/div>\n<p class=\"wpematico_credit\"><small>Powered by <a href=\"http:\/\/www.wpematico.com\" target=\"_blank\" rel=\"noopener noreferrer\">WPeMatico<\/a><\/small><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Original release date: January 24, 2019 Summary The Nat [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2227,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[106],"tags":[],"class_list":["post-2495","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-alerts-th"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>AA19-024A: DNS Infrastructure Hijacking Campaign - humanit managed services<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/old.humanit.asia\/aa19-024a\/\" \/>\n<meta property=\"og:locale\" content=\"th_TH\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AA19-024A: DNS Infrastructure Hijacking Campaign - humanit managed services\" \/>\n<meta property=\"og:description\" content=\"Original release date: January 24, 2019 Summary The Nat [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/old.humanit.asia\/aa19-024a\/\" \/>\n<meta property=\"og:site_name\" content=\"humanit managed services\" \/>\n<meta property=\"article:published_time\" content=\"2019-01-24T13:01:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-07-22T06:39:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/old.humanit.asia\/wp-content\/uploads\/2019\/01\/Hacking.jpg\" 
\/>\n\t<meta property=\"og:image:width\" content=\"500\" \/>\n\t<meta property=\"og:image:height\" content=\"324\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 \u0e19\u0e32\u0e17\u0e35\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/\"},\"author\":{\"name\":\"Admin\",\"@id\":\"https:\\\/\\\/old.old.humanit.asia\\\/#\\\/schema\\\/person\\\/e7a3d665ee9cc6526fb6fdc92f4eb09c\"},\"headline\":\"AA19-024A: DNS Infrastructure Hijacking Campaign\",\"datePublished\":\"2019-01-24T13:01:42+00:00\",\"dateModified\":\"2019-07-22T06:39:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/\"},\"wordCount\":393,\"image\":{\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/old.humanit.asia\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/Hacking.jpg\",\"articleSection\":[\"Alerts\"],\"inLanguage\":\"th\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/\",\"url\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/\",\"name\":\"AA19-024A: DNS Infrastructure Hijacking Campaign - humanit managed 
services\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/old.old.humanit.asia\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/old.humanit.asia\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/Hacking.jpg\",\"datePublished\":\"2019-01-24T13:01:42+00:00\",\"dateModified\":\"2019-07-22T06:39:28+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/old.old.humanit.asia\\\/#\\\/schema\\\/person\\\/e7a3d665ee9cc6526fb6fdc92f4eb09c\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/#breadcrumb\"},\"inLanguage\":\"th\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"th\",\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/#primaryimage\",\"url\":\"https:\\\/\\\/old.humanit.asia\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/Hacking.jpg\",\"contentUrl\":\"https:\\\/\\\/old.humanit.asia\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/Hacking.jpg\",\"width\":500,\"height\":324,\"caption\":\"Hacking Computer Security Threat and Protection\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/old.humanit.asia\\\/aa19-024a\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/old.humanit.asia\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AA19-024A: DNS Infrastructure Hijacking Campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/old.old.humanit.asia\\\/#website\",\"url\":\"https:\\\/\\\/old.old.humanit.asia\\\/\",\"name\":\"humanit managed services\",\"description\":\"making technology 
easy\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/old.old.humanit.asia\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"th\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/old.old.humanit.asia\\\/#\\\/schema\\\/person\\\/e7a3d665ee9cc6526fb6fdc92f4eb09c\",\"name\":\"Admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"th\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d8f90c345033af4c0eb51ef25202eced8799a4331f9c232149e984d2570105b?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d8f90c345033af4c0eb51ef25202eced8799a4331f9c232149e984d2570105b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d8f90c345033af4c0eb51ef25202eced8799a4331f9c232149e984d2570105b?s=96&d=mm&r=g\",\"caption\":\"Admin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AA19-024A: DNS Infrastructure Hijacking Campaign - humanit managed services","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/old.humanit.asia\/aa19-024a\/","og_locale":"th_TH","og_type":"article","og_title":"AA19-024A: DNS Infrastructure Hijacking Campaign - humanit managed services","og_description":"Original release date: January 24, 2019 Summary The Nat [&hellip;]","og_url":"https:\/\/old.humanit.asia\/aa19-024a\/","og_site_name":"humanit managed services","article_published_time":"2019-01-24T13:01:42+00:00","article_modified_time":"2019-07-22T06:39:28+00:00","og_image":[{"width":500,"height":324,"url":"https:\/\/old.humanit.asia\/wp-content\/uploads\/2019\/01\/Hacking.jpg","type":"image\/jpeg"}],"author":"Admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Admin","Est. 
reading time":"2 \u0e19\u0e32\u0e17\u0e35"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/old.humanit.asia\/aa19-024a\/#article","isPartOf":{"@id":"https:\/\/old.humanit.asia\/aa19-024a\/"},"author":{"name":"Admin","@id":"https:\/\/old.old.humanit.asia\/#\/schema\/person\/e7a3d665ee9cc6526fb6fdc92f4eb09c"},"headline":"AA19-024A: DNS Infrastructure Hijacking Campaign","datePublished":"2019-01-24T13:01:42+00:00","dateModified":"2019-07-22T06:39:28+00:00","mainEntityOfPage":{"@id":"https:\/\/old.humanit.asia\/aa19-024a\/"},"wordCount":393,"image":{"@id":"https:\/\/old.humanit.asia\/aa19-024a\/#primaryimage"},"thumbnailUrl":"https:\/\/old.humanit.asia\/wp-content\/uploads\/2019\/01\/Hacking.jpg","articleSection":["Alerts"],"inLanguage":"th"},{"@type":"WebPage","@id":"https:\/\/old.humanit.asia\/aa19-024a\/","url":"https:\/\/old.humanit.asia\/aa19-024a\/","name":"AA19-024A: DNS Infrastructure Hijacking Campaign - humanit managed services","isPartOf":{"@id":"https:\/\/old.old.humanit.asia\/#website"},"primaryImageOfPage":{"@id":"https:\/\/old.humanit.asia\/aa19-024a\/#primaryimage"},"image":{"@id":"https:\/\/old.humanit.asia\/aa19-024a\/#primaryimage"},"thumbnailUrl":"https:\/\/old.humanit.asia\/wp-content\/uploads\/2019\/01\/Hacking.jpg","datePublished":"2019-01-24T13:01:42+00:00","dateModified":"2019-07-22T06:39:28+00:00","author":{"@id":"https:\/\/old.old.humanit.asia\/#\/schema\/person\/e7a3d665ee9cc6526fb6fdc92f4eb09c"},"breadcrumb":{"@id":"https:\/\/old.humanit.asia\/aa19-024a\/#breadcrumb"},"inLanguage":"th","potentialAction":[{"@type":"ReadAction","target":["https:\/\/old.humanit.asia\/aa19-024a\/"]}]},{"@type":"ImageObject","inLanguage":"th","@id":"https:\/\/old.humanit.asia\/aa19-024a\/#primaryimage","url":"https:\/\/old.humanit.asia\/wp-content\/uploads\/2019\/01\/Hacking.jpg","contentUrl":"https:\/\/old.humanit.asia\/wp-content\/uploads\/2019\/01\/Hacking.jpg","width":500,"height":324,"caption":"Hacking Computer 
Security Threat and Protection"},{"@type":"BreadcrumbList","@id":"https:\/\/old.humanit.asia\/aa19-024a\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/old.humanit.asia\/"},{"@type":"ListItem","position":2,"name":"AA19-024A: DNS Infrastructure Hijacking Campaign"}]},{"@type":"WebSite","@id":"https:\/\/old.old.humanit.asia\/#website","url":"https:\/\/old.old.humanit.asia\/","name":"humanit managed services","description":"making technology easy","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/old.old.humanit.asia\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"th"},{"@type":"Person","@id":"https:\/\/old.old.humanit.asia\/#\/schema\/person\/e7a3d665ee9cc6526fb6fdc92f4eb09c","name":"Admin","image":{"@type":"ImageObject","inLanguage":"th","@id":"https:\/\/secure.gravatar.com\/avatar\/2d8f90c345033af4c0eb51ef25202eced8799a4331f9c232149e984d2570105b?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2d8f90c345033af4c0eb51ef25202eced8799a4331f9c232149e984d2570105b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d8f90c345033af4c0eb51ef25202eced8799a4331f9c232149e984d2570105b?s=96&d=mm&r=g","caption":"Admin"}}]}},"_links":{"self":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts\/2495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/comments?post=2495"}],"version-history":[{"count":2,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts\/2495\/revisions"}],"predecessor-version":[{"id":2845,"hre
f":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts\/2495\/revisions\/2845"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/media\/2227"}],"wp:attachment":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/media?parent=2495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/categories?post=2495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/tags?post=2495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}