Global DNS Hijacking Blamed on Iranian Hackers
January 10, 2019 / Phil Muncaster
Security researchers have spotted a new series of DNS hijacking attacks successfully targeting organizations globally on a large scale and traced back to Iran. The attacks have managed to compromise “dozens” of domains run by government, telecommunications and internet infrastructure organizations in the Middle East and North Africa, Europe and North America. In so doing, they change DNS records to direct users to malicious but legitimate-looking, Let’s Encrypt-certified domains where email credentials are harvested.

FireEye observed three attack methods, with activity first spotted in January 2017. The first uses previously compromised credentials to log in to a DNS provider’s administration panel with the aim of changing DNS A records. The second exploits a previously compromised registrar or ccTLD to change DNS nameserver (NS) records. A third technique is used in combination with the previous two, to return legitimate IP addresses for users outside the targeted domains.
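The three techniques above suggest what a domain owner should monitor: A-record drift, NS-record drift, answers that differ between vantage points, and certificate issuance by a CA the owner never used. The following is an added example of such a check, not code from the article or from FireEye; the baseline, vantage-point labels, resolver answers and CT-log entries are all constructed sample data.

```python
"""Detect the DNS-tampering patterns described in the article (added example).

Technique 1 changes A records, technique 2 changes NS records, technique 3
hands legitimate answers to vantage points outside the targeted population.
A certificate appearing for the domain from an unexpected issuer (the article
mentions Let's Encrypt) is the accompanying signal in CT logs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    vantage: str        # constructed label for where the query was issued
    rtype: str          # "A" or "NS"
    answers: frozenset  # record values the resolver returned


def check_domain(name, baseline, observations):
    """Compare observed answers with the owner's baseline {"A": {...}, "NS": {...}}.
    Returns findings as (severity, message) in a deterministic order."""
    findings = []
    by_type = {}
    for obs in observations:
        by_type.setdefault(obs.rtype, []).append(obs)
    for rtype, expected in baseline.items():
        seen = by_type.get(rtype, [])
        # Techniques 1 and 2: any vantage returning values outside the baseline.
        for obs in seen:
            unexpected = obs.answers - expected
            if unexpected:
                findings.append(("high", f"{name} {rtype} via {obs.vantage}: unexpected {sorted(unexpected)}"))
        # Technique 3: answers split by vantage point. Medium only, because GeoDNS
        # and CDNs can legitimately do this; the per-vantage check above decides.
        if len({obs.answers for obs in seen}) > 1:
            findings.append(("medium", f"{name} {rtype}: answers differ across vantage points"))
    return findings


def unexpected_issuers(name, allowed_issuers, ct_entries):
    """ct_entries: iterable of (domain, issuer) pairs from a CT-log feed.
    Returns issuers that certified `name` but are not on the owner's allow-list."""
    return sorted({iss for dom, iss in ct_entries if dom == name and iss not in allowed_issuers})


# Constructed sample data: a mail host whose A record was swapped for one
# population of resolvers only, plus a CT entry from a CA the owner never used.
SAMPLE_BASELINE = {"A": {"203.0.113.10"}, "NS": {"ns1.example.net.", "ns2.example.net."}}
SAMPLE_OBSERVATIONS = [
    Observation("resolver-outside-region", "A", frozenset({"203.0.113.10"})),
    Observation("resolver-inside-region", "A", frozenset({"198.51.100.7"})),
    Observation("resolver-inside-region", "NS", frozenset({"ns1.example.net.", "ns2.example.net."})),
]
SAMPLE_CT = [("mail.example.org", "Let's Encrypt"), ("mail.example.org", "Example Corp CA")]
```

Because technique 3 serves correct answers to outsiders, a monitor that only queries from the owner's own network or from public resolvers can miss the hijack; include a vantage point inside the targeted user population.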