DNS Hijacking: Detection, Remediation, and Prevention

DNS hijacking is a type of cyberattack that can have serious consequences for both individuals and organizations. In a DNS hijacking attack, an attacker gains access to a user’s DNS records and/or settings and redirects their traffic to a malicious website or server. This can result in the theft of sensitive information, the installation of malware, and even financial losses. 

In this article, we explore the various forms of DNS hijacking, methods for detection and remediation, and best practices for preventing attacks. We also walk through a detailed example of a real-life DNS hijacking attack.

Summary of key DNS hijacking concepts

The table below summarizes the key concepts covered in this article. To help illustrate the various aspects of a DNS hijacking attack, we’ll use a specific example of an attack by the Sea Turtle hacking group in 2019.

What is DNS hijacking?	In a DNS hijacking attack, malicious actors exploit vulnerabilities in network infrastructure and devices to manipulate DNS settings, redirecting users to deceptive websites.
Detection	In the Sea Turtle campaign, detection involved proactive monitoring, anomaly detection, collaboration among organizations, and the use of security tools.
Remediation	Organizations responded to the Sea Turtle campaign by implementing measures such as patching and vulnerability management to address known vulnerabilities.
Prevention	Best practices for preventing hijacking attacks include implementing least privilege, proper implementation of security measures, keeping software/hardware up to date, and educating end users.

What is DNS hijacking?

In a DNS hijacking attack, the attacker employs various techniques to gain unauthorized access to the user’s DNS settings, taking advantage of potential security weaknesses within their network infrastructure—specifically, router configuration settings or individual devices. Through these vulnerabilities, the attacker manages to manipulate the DNS settings, effectively rerouting the user’s Internet traffic toward a resource the attacker controls, which is typically a deceptive website or server under their control. A successful DNS hijacking may also be accomplished by the attacker imitating the DNS server IP address from their own server, imitating the resolver; more information on this style of hijacking can be found here.

When a user initiates a web browsing session and attempts to access a legitimate website, such as “www.example.com,” the attacker’s malevolent server cunningly intercepts the DNS resolution process. This interception allows the attacker to redirect the user’s browser to a counterfeit website that is meticulously crafted to resemble the genuine site in every way, including visual design, branding, and functionality.

Within this maliciously constructed fake website, the user may unwittingly interact with seemingly legitimate forms, enter login credentials, or divulge sensitive personal information. However, unbeknownst to the user, this sensitive data is transmitted to the attacker’s server instead of the intended destination. The attacker can then exploit this captured information for various fraudulent activities, such as identity theft, unauthorized access to user accounts, or financial fraud.

Architecting a DNS hijack

The term “DNS hijacking” can be loosely applied to many different types of attacks on the DNS protocol and systems. It is helpful to zero in on the specifics of creating a specific type of DNS hijack, so this section will focus on architecting a DNS hijack attack to target routers.

In this scenario, we will focus on a small home network as the attack surface. Shown below is a diagram of an existing network that is typical of one that might be found in the average home.

The Internet service provider (ISP) supplies the primary Internet connection for the home and acts as a DNS resolver. A PC and a printer are connected to the wireless network to represent standard devices in a home network. The router forwards DNS requests from any client on the network out to the ISP and manages the replies coming back. 

The home’s router will typically be the optimal place to attack, mainly due to a lack of hardening, inconsistent firmware versions, and default administrator passwords. For purposes of illustration, the (fictitious) brand ExtremeMaxPlus will be used to illustrate how an actual takeover of the device could happen.

Our attack begins with attackers scanning for an open public IP address that will direct us to the configuration page of a vulnerable router. Attackers will use sophisticated tools that can scan many subnets; some may also target manufacturers that are known for leaving outside management settings enabled by default. Below, the admin interface for the vulnerable ExtremeMaxPlus router can be seen.

After a quick Google search, it is easy to see that the default username and password are simply “admin” and “admin.” After gaining access to the router, the attacker is free to manipulate the DNS settings of the router. The settings may look like this example:

With the DNS servers changed at the router, all DNS requests from all the network clients can now be sent to any server the attacker wants. DNS records for common websites will be returned that redirect users to malicious websites.

This is a very basic depiction of how simple DNS hijacking can be. In the rest of the article, we’ll look at the details of detection, remediation, and prevention of a real-world DNS hijacking event. However, on a practical note, it is important to understand that a simple change of the default admin password and disabling any remote management features will deter most attacks on a home network.

The Sea Turtle DNS hijack

In 2019, Cisco’s Talos security division disclosed findings about a significant espionage campaign by a hacker group named Sea Turtle. This operation involved DNS hijacking and impacted around 40 organizations. Alarmingly, the attackers even compromised country-code top-level domains (such as .co.uk and .ru), jeopardizing the traffic of entire domains across multiple countries.

The victims of this hacker group included telecommunications companies, Internet service providers, and domain registrars responsible for managing the DNS records of the victims. However, the primary targets, according to Talos Intelligence, were predominantly governmental organizations situated in the Middle East and North Africa. These targets encompassed ministries of foreign affairs, intelligence agencies, military entities, and energy-related groups. By manipulating DNS, the Internet’s directory system, the hackers’ attacks granted them access to intercept all forms of Internet data, including email and web traffic destined for the victim organizations.

Anatomy of the Sea Turtle Attack

In a common scenario of an incident,  the NS records associated with the intended organization were altered. This alteration would lead users to a malicious DNS server under the control of the bad actor. This server would then furnish controlled responses to all DNS queries from users. The duration for which the targeted DNS record is taken over can vary, spanning from a brief period of a few minutes to several days. The result of this activity is that the attacker gains the ability to redirect any user searching for that specific domain to various locations worldwide.

Once the perpetrator-controlled name server is queried for the specific domain in question, it responds with a falsified “A” record. This deceptive record contains the IP address of a node that the perpetrator controls, instead of the legitimate service’s IP address. In some cases, the threat actors adjusted the time to live (TTL) value to just one second. This adjustment appears to have been made to decrease the likelihood of any records persisting in the DNS cache of the victim’s machine.  Below is an image of the name servers compromised in the attacks:

Detection

The detection of the Sea Turtle campaign involved a combination of factors, including proactive monitoring, anomaly detection, collaboration among organizations, and the use of various security tools. While the specific details of the detection process may vary across organizations, here are some typical best practices and tools.

Network traffic monitoring

Security teams often monitor network traffic using tools like intrusion detection systems (IDSes) or network security monitoring (NSM) solutions. These tools analyze network packets, monitor data flows, and identify suspicious patterns or anomalies in network behavior. Unusual DNS requests, traffic redirection, or unauthorized communication patterns may raise alerts and trigger further investigation.

Endpoint security solutions

Endpoint security tools, such as antivirus software, endpoint detection and response (EDR) solutions, or next-generation endpoint protection platforms, play a crucial role in detecting malicious activities on individual devices. In the case of the Sea Turtle attack, these tools employed a range of techniques, including behavioral analysis, file reputation checks, and real-time threat intelligence, to identify and block suspicious or malicious processes or files.

Log analysis

Security teams analyze logs from various sources, including system logs, security event logs, DNS logs, and firewall logs, to identify signs of unauthorized access, unusual activity, or indicators of compromise (IOCs). Log analysis tools and security information and event management (SIEM) systems may have been used to aggregate and correlate logs from multiple sources, allowing for more comprehensive analysis and detection of suspicious events or patterns.

Threat intelligence

External threat intelligence sources, such as commercial threat intelligence feeds, open-source intelligence (OSINT), or information-sharing communities, can provide valuable insights into emerging threats and attack campaigns. These sources may have provided indicators of compromise, known attack patterns, or behavioral characteristics associated with the Sea Turtle campaign, assisting organizations in identifying and detecting malicious activities.

Collaborative information sharing

Collaboration among organizations, industry groups, and cybersecurity researchers is vital to detecting and understanding sophisticated attack campaigns. Information-sharing platforms, forums, and threat-intelligence-sharing communities allowed organizations to exchange information, IOCs, and analysis related to the Sea Turtle campaign. This collective effort helped identify patterns, establish connections, and enhance detection capabilities across the cybersecurity community.

Remediation

Measures taken by each organization will vary just as much as detection methods. Here are some best practice approaches that are typical and would have been used in the Sea Turtle scenario.

Patching and vulnerability management

Organizations moved quickly to identify and address vulnerabilities exploited by the Sea Turtle campaign. This involved applying security patches and updates to affected systems, applications, and infrastructure components. Vulnerability management tools and processes were used to prioritize and remediate known vulnerabilities. The table below lists some of the known vulnerabilities listed at that time and acted upon in the Common Vulnerabilities and Exposures (CVE) system.

CVE	Description	Actions taken
CVE-2019-19781	Citrix ADC and Gateway Remote Code Execution	Organizations updated and patched their Citrix ADC and gateway systems to mitigate the remote code execution vulnerability exploited by the Sea Turtle campaign.
CVE-2017-0144	EternalBlue – Microsoft Windows SMB Remote Code Execution	Windows systems were patched to address the vulnerability leveraged by the attackers for lateral movement and network propagation.
CVE-2017-5715	Spectre Variant 2 – Branch Target Injection	Organizations applied microcode and firmware updates to mitigate this CPU vulnerability, reducing the risk of unauthorized access and information disclosure.
CVE-2018-8174	Windows VBScript Engine Remote Code Execution	Vulnerable systems were patched to address this vulnerability in the VBScript engine, which was exploited by the Sea Turtle campaign to execute arbitrary code.
CVE-2018-4878	Adobe Flash Player Remote Code Execution	Organizations updated their Adobe Flash Player installations to mitigate the remote code execution vulnerability that was exploited by the attackers.

Malware detection and removal

Advanced malware detection tools and endpoint security solutions were employed to identify and remove malicious code associated with the Sea Turtle campaign. This included using antivirus software, intrusion detection systems, and EDR solutions to scan and clean infected systems. 

For illustration purposes, here is a list of some of the documented malware used in the Sea Turtle attacks:

• DNSpionage: A sophisticated malware strain associated with the Sea Turtle campaign. It is a DNS proxy trojan that intercepts DNS traffic, allowing attackers to redirect and manipulate DNS resolution messages. DNSpionage was used to hijack DNS records and reroute traffic to attacker-controlled servers.
• Karkoff: Backdoor malware designed to provide remote access and control over compromised systems. Karkoff allows attackers to execute arbitrary commands, steal sensitive information, and maintain persistence within the targeted networks.
• NetSpectre: A remote side-channel attack technique that targets speculative execution vulnerabilities in CPUs, allowing attackers to leak sensitive information from remote systems across a network.
• ShadowPad: A sophisticated tool capable of executing various malicious actions, such as stealing data, controlling compromised systems, and providing a foothold for further attacks.
• PowerDuke: A backdoor that provides remote access to compromised systems and allows attackers to monitor, steal data, and maintain persistence.
• Inception Framework: A suite of tools used by the Sea Turtle group to perform DNS hijacking. It includes custom tools and scripts to manipulate DNS records and to intercept network traffic and redirect it to malicious servers controlled by the attackers.

System restoration and configuration management

Compromised systems were restored to a secure state using backup and recovery mechanisms. This included restoring systems from known good configurations and validating the integrity of restored data. Configuration management tools and processes were employed to ensure secure and consistent system configurations.

Prevention

To prevent DNS hijacking attacks similar to the Sea Turtle campaign, organizations can implement a combination of preventive measures and security solutions. Here are some specific prevention solutions and best practices.

It’s worth discussing prevention methods for hijacking attacks—or any other attacks, for that matter—in the context of implementing a zero-trust architecture (ZTA). ZTA provides a road map for developing an environment that requires all resources to prove that they can be trusted, which is accomplished through implementing policies and identity management systems that enforce authentication, among other requirements. NIST is the governing body responsible for defining ZTA; a full writeup of the current standard can be found here. 

With ZTA in mind, here are some specific suggestions for preventing attacks.

DNS Security Extensions (DNSSEC)

Deploy DNSSEC to enhance the integrity and authenticity of DNS responses. DNSSEC ensures that DNS data is cryptographically signed, preventing unauthorized modifications and DNS cache poisoning attacks.

In the case of Sea Turtle, if DNSSEC were implemented, any attempt to modify the NS records or DNS responses would be detected by the clients querying the DNS server. This is because the signatures on the DNS records wouldn’t match if they were altered.

Multi-factor authentication (MFA)

Implement MFA for critical accounts, including domain registrars, DNS providers, and administrators. MFA adds an extra layer of protection, making it harder for attackers to gain unauthorized access to sensitive accounts and systems.

Regular patching and updates

Keep all systems, applications, and infrastructure components up to date with the latest security patches and updates. Regular patch management helps close known vulnerabilities that attackers can exploit, reducing the risk of compromise.

Network segmentation

Implement network segmentation to isolate critical systems and sensitive data. By dividing the network into separate segments, organizations can limit lateral movement in case of a breach and contain the impact of an attack.

Security awareness training

Provide comprehensive security awareness training to any individual accessing resources on the network, educating them about phishing techniques, social engineering, and best practices for securely managing accounts and sensitive information. This helps reduce the likelihood of successful phishing attempts.

Threat intelligence and monitoring

Subscribe to threat intelligence feeds and stay updated on the latest cyber-threats and attack techniques. Implement network monitoring solutions, intrusion detection systems, and SIEM tools to detect suspicious activities and potential DNS hijacking attempts.

Regular security assessments

Conduct regular security assessments, including vulnerability scans, penetration tests, and DNS configuration reviews, to identify potential weaknesses and address them proactively. 

With regular security assessments, it is very important to focus on the concept of least privilege, as defined by NIST standard SP 800-12 REV. 1. Essentially, least privilege is the practice of granting the least amount of privileges to end users that is required to accomplish the scope of their roles within a company.

Summary

DNS hijacking is a sophisticated attack technique that manipulates DNS settings to redirect Internet traffic to malicious websites, posing a significant threat to individuals and organizations. The Sea Turtle campaign exemplifies the destructive impact of DNS hijacking, which is capable of compromising organizations across the globe. 

Preventive measures like using DNSSEC, multi-factor authentication, regular patching, network segmentation, security awareness training, threat intelligence, and security assessments are essential to defend against DNS hijacking. By prioritizing DNS security, we can safeguard online activities, protect sensitive information, and uphold the integrity of the Internet.