Getting to Know DNS Hijacking: How Adversaries Continue to Abuse DNS

Apr 03, 2024
9 minutes

Accessing a site today should be as straightforward as sending a letter to a trusted friend across the country. Imagine corrupt postal workers swapping out your heartfelt letter for something hostile and rude. The reliable process of the postal system is something we often take for granted, and the same can be said for accessing a website. Threat actors today have made the simple act of requesting a legitimate site a major risk for organizations everywhere due to the emergence of DNS hijacking.

DNS hijacking occurs when a user’s DNS query is incorrectly resolved and they are redirected to an attacker’s server. There are many techniques adversaries can use to carry out this attack, including:

  • DNS Spoofing - An attacker compromises a DNS resolver and redirects users to a malicious site through the DNS response.
  • DNS Cache Poisoning - Attackers exploit DNS vulnerabilities outside of an organization’s control and inject false information into the DNS cache, allowing them to redirect a user’s legitimate DNS query to a malicious site through the DNS response.
  • DNS Injection - Attackers inject a malicious payload into a DNS response to exploit known vulnerabilities inside an organization.
  • Compromised DNS Registrar - Attackers compromise DNS Registrar accounts, either by exploiting vulnerabilities or through unauthorized access, allowing them to redirect traffic to a malicious site.
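Spoofing and cache poisoning both surface in the same way on the wire: a response whose answer does not match what the authoritative data says, or a response that no client asked for. The following added example (not from the original post or from Palo Alto Networks) shows the two detection checks a resolver-log audit would run, using a constructed baseline of known-good addresses and constructed log lines in a hypothetical "kind txid client qname answer" format.

```python
from typing import Dict, List, Set, Tuple

# Constructed baseline of known-good addresses per monitored hostname.
# In practice this comes from your own zone data, not from the responses under test.
BASELINE: Dict[str, Set[str]] = {
    "portal.example.com": {"203.0.113.10", "203.0.113.11"},
    "mail.example.com": {"198.51.100.25"},
}

# Constructed resolver log in a hypothetical format: kind txid client qname answer
# ("-" marks a query, which carries no answer).
SAMPLE_LOG = """\
query 0x1a2b 10.0.0.5 portal.example.com -
reply 0x1a2b 10.0.0.5 portal.example.com 203.0.113.10
query 0x3c4d 10.0.0.7 mail.example.com -
reply 0x3c4d 10.0.0.7 mail.example.com 192.0.2.66
reply 0x9f9f 10.0.0.9 portal.example.com 192.0.2.99
"""


def parse_line(line: str) -> Tuple[str, str, str, str, str]:
    kind, txid, client, qname, answer = line.split()
    return kind, txid, client, qname.lower().rstrip("."), answer


def audit(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (txid, qname, reason) for every reply that looks hijacked."""
    findings: List[Tuple[str, str, str]] = []
    outstanding = set()  # (txid, client, qname) of queries still awaiting a reply
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        kind, txid, client, qname, answer = parse_line(raw)
        key = (txid, client, qname)
        if kind == "query":
            outstanding.add(key)
            continue
        # A reply with no matching outstanding query is an injection/spoofing indicator.
        if key not in outstanding:
            findings.append((txid, qname, "unsolicited reply"))
        else:
            outstanding.discard(key)
        # A reply whose answer is outside the known-good set is a poisoning indicator.
        expected = BASELINE.get(qname)
        if expected is not None and answer not in expected:
            findings.append((txid, qname, f"answer {answer} not in baseline"))
    return findings
```

Running `audit(SAMPLE_LOG)` flags the poisoned mail.example.com answer and the unsolicited portal.example.com reply; the legitimate first reply passes both checks.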

In addition to these techniques, if your DNS is not configured correctly, attackers can take advantage of these misconfigurations to take control of a domain and gain access into a network. These include:

  • Incorrect DNS Records - DNS records containing typos.
  • Stale DNS Records - DNS Records pointing to expired resources.
  • Non-resolvable Domains - Hosts incorrectly configured or not configured at all due to default settings that point to non-resolvable domains.
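Stale and non-resolvable records are the ones attackers look for, because a CNAME or NS target whose domain has lapsed can simply be re-registered. The added example below (not from the original post or from Palo Alto Networks) audits a constructed zone export for exactly those two conditions; the resolver and registry lookups are stand-in dictionaries so it runs offline, and the registrable-domain helper is a deliberately naive assumption that ignores public-suffix rules.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone export for example.com: (name, type, target).
ZONE = [
    ("www.example.com",    "A",     "203.0.113.20"),
    ("shop.example.com",   "CNAME", "shop-prod.cloudapp-host.example"),
    ("blog.example.com",   "CNAME", "old-blog.abandoned-saas.example"),
    ("files.example.com",  "CNAME", "bucket-old.cloudapp-host.example"),
    ("api.example.com",    "CNAME", "api-gw.example.com"),
    ("api-gw.example.com", "A",     "203.0.113.30"),
    ("legacy.example.com", "NS",    "ns1.expired-provider.example"),
]

# Constructed stand-in for a recursive resolver: name -> addresses, None for NXDOMAIN.
# A real audit would issue the lookups instead of reading this table.
RESOLVER: Dict[str, Optional[List[str]]] = {
    "shop-prod.cloudapp-host.example": ["198.51.100.7"],
    "old-blog.abandoned-saas.example": None,
    "bucket-old.cloudapp-host.example": None,
    "api-gw.example.com": ["203.0.113.30"],
    "ns1.expired-provider.example": None,
}

# Constructed stand-in for a registry/WHOIS check: domains that are still registered.
REGISTERED: Set[str] = {"example.com", "cloudapp-host.example"}


def registrable(name: str) -> str:
    # Assumption: last two labels form the registrable domain (no public-suffix list).
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def audit_zone(zone, resolver, registered) -> List[Tuple[str, str, str]]:
    """Return (record name, type, reason) for CNAME/NS records that can be taken over."""
    findings: List[Tuple[str, str, str]] = []
    for name, rtype, target in zone:
        if rtype not in ("CNAME", "NS"):
            continue  # delegation and alias targets are where takeover happens
        domain = registrable(target)
        if domain not in registered:
            # Worst case: anyone can buy the domain and answer for the target.
            findings.append((name, rtype, f"target domain {domain} is not registered"))
        elif resolver.get(target) is None:
            # Domain is held, but the specific host is gone (dangling record).
            findings.append((name, rtype, f"target {target} does not resolve"))
    return findings
```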

An example of how attackers abuse DNS responses occurred recently when a number of Dutch IT and telecom companies were targeted by a threat actor group known as Sea Turtle. The group compromised various DNS registrars and registries and, from as early as January 2017, redirected victims who attempted to reach a specific domain to its malicious server, where it was then able to harvest credentials.

These techniques allow an attacker to covertly shepherd unknowing users to a malicious site by manipulating DNS responses, making DNS hijacking extremely disruptive and hard to detect. In addition to DNS hijacking, attackers are exploiting an organization's DNS misconfigurations, such as poor hygiene in managing and setting up DNS records. Attackers continuously scan for these misconfigurations and then take ownership of a once-legitimate domain. Unfortunately, this approach has become so successful because organizations rely on a slow and manual process to manage their misconfigured DNS records, giving attackers ample time to identify and take control of the domain. For example, in recent news, a software supply chain attack called MavenGate impacted a number of popular public libraries used in Java and Android applications. These libraries had been abandoned, allowing attackers to take advantage of DNS misconfigurations and exploit weaknesses in how domain names are purchased. Attackers were able to purchase expired domains, manipulate repositories, and inject malicious code into applications or the build process, compromising the security and functionality of those applications.

The industry's response to stopping DNS hijacking is simply ineffective. Traditional security vendors rely solely on a reactive approach to security and only analyze DNS responses offline using third-party tools. Meanwhile, organizations today rely on a very slow and manual process to manage their misconfigured DNS records. This gives attackers ample time to take control of an organization's expired domains and use them to host malicious content.

With the industry's lack of protection against DNS hijacking attacks, attackers are increasingly using them as a means to breach an organization. In fact, studies show that 33% of organizations fell victim to a DNS hijacking attempt in 2023. To make matters worse, research has found that 20% of DNS records are misconfigured and are therefore left vulnerable to hijacking. These numbers are only expected to keep rising in the absence of a well-equipped solution that can inspect DNS responses inline and automate DNS configuration management.

In order for organizations to scale, they must ensure that they can deliver a safe and reliable web experience for all of their users, and this means that their DNS traffic must be protected. DNS hijacking poses a significant threat to both individual users and businesses alike, undermining the integrity and security of the internet's infrastructure. And as we increasingly rely on the use of the internet for business productivity, it is essential that all organizations feel confident in DNS security solutions. By being aware of DNS hijacking, organizations can minimize the risk of a DNS-layer breach and protect their users and data. To learn more about DNS hijacking and how Palo Alto Networks can stop it, be sure to visit Paloaltonetworks.com and ask to be contacted by one of our representatives.
