Threat actors are finding ways to hijack domains through poorly maintained DNS record mappings and misunderstandings among administrators, a hole that CSOs have to plug or risk financial or reputational losses to their organizations.
The latest example of the risk came in a report today from Infoblox on a threat actor it calls Hazy Hawk, which says that in February a subdomain of the US Centers for Disease Control and Prevention (CDC) was captured and used to host dozens of URLs pointing to porn videos. This person or gang has been finding gaps in DNS records since at least December 2023, victimizing large universities and international firms.
"Hazy Hawk finds gaps in DNS records that are quite challenging to identify," the report states, "and we believe they must have access to commercial passive DNS services to do so."
The hijacked domains are used to host large numbers of URLs that send users to sites hosting scams and malware through various traffic distribution systems (TDSs), the report states.
The integration of malicious push notifications to fool end users into the attack chain serves as a force multiplier, it says. These notifications try to convince employees to update their antivirus, turn on their firewalls, or click on a link to contact Microsoft support. The links, of course, download malware or lead to sites seeking payment for support.
"Perhaps the most notable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to respected organizations are not being used for espionage or 'highbrow' cybercrime," the report says. "Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering effect. Hazy Hawk's longevity indicates that these scams continue to pay off."
Abandoned site
In the CDC case, Infoblox believes the Center decommissioned an Azure-hosted website or content bucket it had been using, but did not tell the DNS administrator. This allowed the threat actor to find what is called a "dangling" DNS record for the defunct site.
The problem lies in the complex way DNS records map names to IP addresses. What is called an A record maps the name of a website to one or more IP addresses. What is called a CNAME record gives a name an alias, pointing it at another name. It is used, for example, when an organization that starts using "firm.com" also wants to own "firms.com", or when "firm.com" buys another company and wants users who type the acquired company's name into their browser address bar to land on "firm.com" automatically. But if the resource behind a subdomain's CNAME record is dropped by the website team without informing the DNS team, and a threat actor finds the dangling record, they can register the target and capture the subdomain.
"Hazy Hawk and other cloud resource hijacking actors likely do significant manual work to validate the potentially vulnerable domains, as each cloud provider handles decommissioned resources in different ways," the report states.
In addition, Hazy Hawk hides the URLs it uses on the hijacked cloud resources, often redirecting victims to another domain it controls to host the malicious content.
DNS hijacking comes in many forms
DNS hijacking comes in many forms. In 2019, CSO interviewed Paul Vixie, a contributor to the DNS system, about the need to strengthen its security. We later wrote about the problem of abandoned domain names. Since then, things have not changed much. Most CISOs will be familiar with typosquatting, where "firm.com" has to compete with "firm.co". Threat actors also try to steal DNS administrators' credentials to take over accounts.
Domain hijacking is relatively easy, commented Robert Beggs of Canadian incident response provider DigitalDefence. "These attacks are rarely seen by the domain owner until it is too late," he told CSO in an email.
"They succeed due to the shared responsibility for domain name management," he wrote. "The domain name holder (the business), the domain registrar, DNS providers and web hosting companies must all ensure that domain names are accurate. In the case of Hazy Hawk, it appears that an automated attack exploited vulnerable or improperly configured CNAME records to allow domain hijacking. Surprisingly, despite the breadth of the attack, no one saw that it was happening, showing that traditional detection systems are not keeping pace with emerging attacks."
Domain owners need to properly control and manage their domains to prevent this type of attack, Beggs said. Domain names are a large attack surface distributed across many entities, each with a different degree of responsibility.
"This is an attack that has been known since at least 2016, highlighting the need for domain owners to maintain strong control over the domains they are responsible for. Currently, a domain is usually managed as either live or expired, and even this basic level of control is poorly applied. Strong authentication, support for new tooling, and support for the long-term management of domains and domain records are needed."
The problem is 'growing'
The problem of dangling CNAME records is "growing and growing," Renée Burton, co-author of the Infoblox report and the company's vice-president of threat intelligence, told CSO.
Fixing it "is really difficult for security vendors," Burton said, "because everything is valid within the (DNS) chain" once the CNAME record has been captured by a threat actor.
Security vendors and cloud providers will eventually provide solutions to this problem, Burton predicted, noting that Azure has already put some protections in place against such hijacking.
But ultimately, CISOs need processes for DNS hygiene, Burton said. "In the end, it comes down to the enterprise getting its records and its services straightened out."
In its report, Infoblox warned admins that dangling DNS records are common after mergers and acquisitions, when IT and DNS admins may not know all the assets they have.
The researchers also say domain owners can protect themselves against hijacking by ensuring their DNS records are well managed, which, they acknowledge, can be difficult in multinational organizations where projects, domain registration and DNS records may be managed by different parts of the organization.
"We recommend putting in place procedures that trigger a notification to remove a DNS CNAME record whenever a resource is shut down," the report states.
To ensure employees are not taken in, Infoblox says they should be urged to deny push notification requests from websites they do not know. Unwanted notifications can be turned off in browser settings, the report states.