DNS under fire lately as nation-states and hacker groups steal credentials from unsuspecting victims.

DNS has come under fire lately as nation-states and hacker groups have targeted DNS as a method to steal credentials from unsuspecting victims.

According to Techcrunch the hackers first compromised the intended target via spearphishing.  They then used known exploits to target servers and routers and move laterally within the network.  In that process, the hackers obtained passwords which let them update the DNS records pointing the domain name away from the IP address on the target’s server to a server controlled by the hacker.  This allowed the hacker to gather username and passwords utilizing man-in-the-middle attacks.  The hacker also used fake certificates to make the malicious hacker server appear to be the real web server.

 

There are very few ways to prevent this attack.  A few areas to focus on include:

1. Implementing two factor authorization for all DNS record changes.  While in theory, a very smart move, in practice difficult as not all registrars support this.
2. Registry Lock – this is like a credit lock on your financial records.  This prevents unauthorized, unwanted or accidental changes to the domain name at the sponsoring registrar.  Unfortunately, not all top level domains support Registry Lock.
3. Deploying email security to intercept and prevent the successful phishing campaign
4. Host based malware detection tools

 

Starlight is committed to utilizing our Unified Security Analytics Platform to detect, alert, and respond to these types of behaviors.  Our pervasive data collection, coupled with advanced data handling and machine learning, gives us multiple areas where we can detect these types of attacks across the Lockheed Martin cyber kill-chain.  If the attack is missed in one stage of the kill chain, we will catch it in another stage.

1. Successful spearphishing campaigns ultimately leave new binaries to be executed.  Stellar Cyber has built in malware analysis that would reassemble the binary in transit, evaluate it against known signatures, and ultimately put it in a sandbox for testing.  The results of that testing would drive action should the test determine the binary is malicious in nature.
2. If the binary passes the malware testing, our server sensors detect the installation and execution of anomalous binaries and alert on those activities.
3. If the binary is not detected, the resulting command and control activities will be detected, alerted, and potentially blocked.
4. Binaries that issue commands to the OS are also detected as anomalous and would trigger an alert.
5. Domain validated certificates – As these certificates can be generated without human intervention, they can be used to give the end user a false sense of security.  One example of a domain validated certificate is “Lets Encrypt.”  Our Starlight platform has the ability to detect domain validated certificates and alert on them.

Defense in-depth is still very much alive (despite some discussions to the contrary).  Catching new attack methods depends on visibility and detections at all stages of the cyber security kill-chain.  Stellar Cyber is uniquely positioned to help you quickly detect and protect against these types of attacks.

 

David W. Barton
Chief Information Security Officer
615-939-2861
www.stellarcyber.ai