Raising Awareness of DNS Hijacking: A Growing Cyber ​​Threat
asane

A recent report from Palo Alto Networks’ Unit 42 exposes the persistent and evolving threat of DNS hijacking, a stealthy tactic cybercriminals use to redirect Internet traffic. Using passive DNS analysis, the researchers also documented real-world examples of recent DNS hijacking attacks, underlining the urgency of countering this hidden danger.

What is DNS Hijacking?

DNS hijacking involves altering the DNS responses for a targeted domain so that users are redirected to attacker-controlled servers instead of the legitimate ones they intended to reach.

DNS hijacking can be carried out in several ways:

  • Taking over the domain owner’s account that has access to the DNS settings: In this scenario, the attacker holds valid credentials with the authority to change the DNS configuration directly, for example at the domain registrar or the DNS hosting provider, and simply edits the records.
  • DNS cache poisoning: The attacker spoofs a response that appears to come from an authoritative name server, so that a recursive resolver caches an attacker-chosen record and serves it to every client that asks until the entry expires.
  • Man-in-the-middle attack: The attacker intercepts the user’s DNS queries and returns answers that redirect the victim to attacker-controlled content. This only works if the attacker controls a system on the path of the DNS query/response exchange.
  • Modifying DNS-related system files, such as the hosts file on Microsoft Windows systems: If the attacker can write to that local file, the system will resolve the chosen names to attacker-controlled addresses without ever asking a DNS server.

Attackers generally use DNS hijacking to redirect users to phishing websites that mimic the site they intended to visit, or to sites that infect users with malware.

DNS hijack detection with passive DNS

Unit 42’s report described a method for detecting DNS hijacking through passive DNS analysis.

What is Passive DNS?

Passive DNS is a large archive (terabytes) of historical DNS resolution data, built from sensors that record the answers resolvers receive rather than from querying name servers directly. In addition to the domain name, the record type and the returned data, passive DNS records generally carry a “first seen” and a “last seen” timestamp. These records let analysts track which IP addresses a domain has pointed users to over time.

For an entry to appear in passive DNS, the name must have been queried by a system whose DNS traffic is recorded by passive DNS sensors. This is why the most comprehensive passive DNS data generally comes from providers with high query volumes, such as ISPs or companies with large customer bases. Subscribing to a passive DNS provider is often advisable, since such providers observe far more queries than a typical company and therefore offer a more complete view than local DNS logs alone.


DNS hijack detection

Palo Alto Networks’ method for detecting DNS hijacking begins by identifying previously unseen DNS records, since attackers usually create new records to redirect users. Never-before-seen domain names are excluded from detection because they lack the historical information needed for comparison. Invalid records are also discarded at this step.

The remaining records are then analyzed against passive DNS and geolocation data using 74 features. According to the report, “some features compare the historical usage of the new IP address to the old IP address of the domain name in the new registration.” The goal is to detect anomalies that could indicate a DNS hijacking operation. A machine learning model then turns these features into a probability score.

WHOIS records are also checked to exclude domains that have simply been re-registered: a change of ownership generally brings a complete change of IP address, which would otherwise be flagged as a DNS hijack.

Finally, the domains’ old and new IP addresses are actively browsed and their HTTPS certificates compared. Identical results indicate an infrastructure move rather than a hijack, so such false positives are excluded.
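The pipeline above, from candidate selection through WHOIS exclusion and scoring, written out as an added example. This is not Unit 42’s code: the passive DNS feed, the ASN/country table, the WHOIS creation dates and the weighted score are all constructed stand-ins (the report uses 74 features and a trained machine-learning model), and the final active-browsing step is left out because it needs network access.

```python
"""Screening new passive DNS records for DNS hijack candidates (illustrative)."""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class PdnsRecord:
    name: str
    rrtype: str
    rdata: str
    first_seen: date
    last_seen: date


# Constructed passive DNS feed (documentation IP ranges only; hypothetical domains).
PDNS = [
    # a site that sat on one SK /24 for years, then jumped to a DE address
    PdnsRecord("party.example", "A", "198.51.100.10", date(2017, 3, 1), date(2024, 1, 9)),
    PdnsRecord("party.example", "A", "198.51.100.12", date(2019, 6, 1), date(2024, 1, 9)),
    PdnsRecord("party.example", "A", "203.0.113.77", date(2024, 1, 10), date(2024, 1, 10)),
    # an ordinary move inside the same hosting network
    PdnsRecord("ftp.corp.example", "A", "192.0.2.5", date(2014, 2, 1), date(2024, 5, 2)),
    PdnsRecord("ftp.corp.example", "A", "192.0.2.9", date(2024, 5, 3), date(2024, 5, 3)),
    # never seen before: no baseline, so not a candidate
    PdnsRecord("brand-new.example", "A", "192.0.2.1", date(2024, 5, 3), date(2024, 5, 3)),
    # dropped and re-registered: the IP change is expected, not a hijack
    PdnsRecord("old.example", "A", "203.0.113.50", date(2020, 1, 1), date(2024, 4, 30)),
    PdnsRecord("old.example", "A", "198.51.100.200", date(2024, 5, 3), date(2024, 5, 3)),
    # malformed rdata is discarded up front
    PdnsRecord("bad.example", "A", "999.1.1.1", date(2024, 5, 3), date(2024, 5, 3)),
]

# Constructed enrichment: ip -> (ASN, country); domain -> WHOIS creation date.
GEO = {
    "198.51.100.10": ("AS64500", "SK"), "198.51.100.12": ("AS64500", "SK"),
    "198.51.100.200": ("AS64500", "SK"), "203.0.113.77": ("AS64501", "DE"),
    "203.0.113.50": ("AS64501", "DE"), "192.0.2.5": ("AS64502", "US"),
    "192.0.2.9": ("AS64502", "US"), "192.0.2.1": ("AS64502", "US"),
}
WHOIS_CREATED = {
    "party.example": date(2016, 11, 1), "ftp.corp.example": date(2013, 5, 1),
    "brand-new.example": date(2024, 5, 2), "old.example": date(2024, 5, 1),
}


def is_ipv4(text):
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def features(rec, history, geo):
    """A few comparisons of the new IP against the domain's historical IPs
    (a small stand-in for the report's 74 features)."""
    new_ip = ipaddress.ip_address(rec.rdata)
    old_ips = [ipaddress.ip_address(h.rdata) for h in history]
    new_asn, new_cc = geo.get(rec.rdata, ("unknown", "??"))
    old_attrs = [geo.get(h.rdata, ("unknown", "??")) for h in history]
    return {
        "same_prefix24": any(new_ip in ipaddress.ip_network(f"{o}/24", strict=False) for o in old_ips),
        "same_asn": new_asn in {asn for asn, _ in old_attrs},
        "same_country": new_cc in {cc for _, cc in old_attrs},
        "history_days": (rec.first_seen - min(h.first_seen for h in history)).days,
    }


def hijack_score(f):
    """Hypothetical weighted heuristic in place of the model's probability."""
    score = 0.0
    score += 0.0 if f["same_prefix24"] else 0.3
    score += 0.0 if f["same_asn"] else 0.3
    score += 0.0 if f["same_country"] else 0.2
    score += 0.2 if f["history_days"] > 365 else 0.0  # a long stable history makes a jump more suspicious
    return round(score, 2)


def screen(records, geo, whois_created, day, threshold=0.7):
    """Return {domain: result} for A records first seen on `day` that survive the filters."""
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    results = {}
    for rec in records:
        # step 1: only records that are new today; step 2: drop invalid rdata
        if rec.rrtype != "A" or rec.first_seen != day or not is_ipv4(rec.rdata):
            continue
        history = [h for h in by_name[rec.name]
                   if h.rrtype == "A" and h.first_seen < day and is_ipv4(h.rdata)]
        if not history:
            continue  # never-before-seen domain: nothing to compare against
        created = whois_created.get(rec.name)
        if created and created > min(h.first_seen for h in history):
            continue  # re-registered after its history began: the IP change is expected
        score = hijack_score(features(rec, history, geo))
        results[rec.name] = {
            "new_ip": rec.rdata,
            "previous_ips": sorted(h.rdata for h in history),
            "score": score,
            "verdict": "hijack-candidate" if score >= threshold else "benign-change",
        }
    return results


if __name__ == "__main__":
    for day in (date(2024, 1, 10), date(2024, 5, 3)):
        print(day, screen(PDNS, GEO, WHOIS_CREATED, day))
```

Run against the constructed feed, the January day yields one hijack candidate (the long-stable domain that jumped network, ASN and country at once), while the May day yields only a benign same-network move: the never-seen domain, the re-registered domain and the malformed record are all filtered out before scoring, which is exactly what keeps the daily candidate volume manageable.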

Statistics about DNS hijacking

Between March 27 and September 21, 2024, the researchers processed 29 billion new records, of which 6,729 were flagged as DNS hijacks, an average of 38 DNS hijacking records per day.

[Figure: Daily candidate counts and estimated records of DNS hijacks. Image: Palo Alto Networks]

Unit 42 indicates that cybercriminals have hijacked domains to host phishing content, deface websites, or spread illegal content.

DNS Hijacking: Real World Examples

Unit 42 has observed several cases of DNS hijacking in the wild, mostly for cybercrime purposes, although DNS hijacking can also be used for cyber espionage.

Hungarian political party’s website led to phishing

The website of the Democratic Coalition (DK), one of the largest opposition groups to the Hungarian government, had been hosted on the same subnet of Slovakian IP addresses since 2017. In January 2024, researchers detected a change: the DK domain suddenly resolved to a new German IP address, which served a Microsoft login page instead of the usual political party news page.

[Figure: Phishing Microsoft login page. Image: Palo Alto Networks]

American company’s websites defaced

In May 2024, two domains belonging to a US utility management company were hijacked. One of the affected hostnames, the company’s FTP service, had resolved to the same IP address since 2014 and suddenly changed. The domains’ DNS name server had been switched to the attacker-controlled ns1.csit-host.com.

According to the research, the same name servers had been used to hijack other websites in 2017 and 2023. The purpose of the operation was to display a defacement page from an activist group.

How can businesses protect themselves from this threat?

To protect against these threats, the report suggested that organizations:

  • Implement multi-factor authentication for access to DNS registrar accounts. Restricting (allowlisting) the IP addresses that are permitted to change DNS settings is also a good idea.
  • Use a DNS registrar that supports DNSSEC. This protocol adds a layer of security by digitally signing DNS zone data, so that validating resolvers can detect forged or tampered responses; it counters cache poisoning and on-path spoofing, but it does not stop an attacker who has taken over the registrar account, since that attacker can change the DS records along with everything else.
  • Use network tools that compare the results of DNS queries sent to third-party DNS servers, such as an ISP’s, with the results obtained from your company’s regular DNS server. A mismatch could indicate a change in DNS settings, which could be a DNS hijacking attack.

Additionally, hardware such as routers must run up-to-date firmware, and all software must be kept updated and patched, so that known vulnerabilities cannot be used to compromise the systems involved in DNS resolution.
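The cross-resolver comparison recommended above, as an added example that is not from the report. It checks each resolver’s answers for a watchlist of names against an expected baseline (the records you configured at your registrar), so that a hijack of the authoritative zone, which every resolver would then agree on, is caught as well as a resolver-level or on-path mismatch. The resolver answers below are constructed; in production each lookup function would query a real resolver (for instance with dnspython, a `dns.resolver.Resolver(configure=False)` with `nameservers` set to that resolver’s IP and `resolve(name, rrtype)`).

```python
"""Cross-resolver DNS consistency check against an expected baseline (illustrative)."""

# Constructed: what the zone is supposed to contain, per (name, record type).
EXPECTED = {
    ("www.example", "A"): {"198.51.100.5"},
    ("cdn.example", "A"): {"203.0.113.1", "203.0.113.2", "203.0.113.3"},
    ("example", "NS"): {"ns1.example", "ns2.example"},
}

# Constructed answers each resolver returned, keyed by resolver label.
ANSWERS = {
    "corp-resolver": {
        ("www.example", "A"): {"198.51.100.5"},
        ("cdn.example", "A"): {"203.0.113.1", "203.0.113.2"},   # subset of the known pool
        ("example", "NS"): {"ns1.example", "ns2.example"},
    },
    "isp-resolver": {
        ("www.example", "A"): {"192.0.2.66"},                      # no overlap at all
        ("cdn.example", "A"): {"203.0.113.2", "203.0.113.4"},      # partial overlap, new member
        ("example", "NS"): {"ns1.example", "ns2.example"},
    },
    "public-resolver": {
        ("www.example", "A"): {"198.51.100.5"},
        ("cdn.example", "A"): {"203.0.113.1", "203.0.113.2"},
        ("example", "NS"): {"ns1.example", "ns1.elsewhere.example"},   # delegation changed
    },
}

WATCHLIST = [("www.example", "A"), ("cdn.example", "A"), ("example", "NS")]


def table_lookup(resolver_label):
    """Return lookup(name, rrtype) -> set of answers, backed by the constructed table."""
    def lookup(name, rrtype):
        return set(ANSWERS[resolver_label].get((name, rrtype), set()))
    return lookup


def expected_lookup(name, rrtype):
    return set(EXPECTED.get((name, rrtype), set()))


def classify(rrtype, reference, observed):
    """None when the answer is acceptable, otherwise a status string."""
    if observed == reference:
        return None
    if not observed:
        return "NO-ANSWER"
    if rrtype == "NS":
        # Any delegation difference is serious: authority over the whole zone moved.
        return "SUSPICIOUS"
    if observed <= reference:
        return None  # a subset of the known pool is normal round-robin behaviour
    if observed & reference:
        # Shared addresses with an unknown extra one: likely a pool change, but verify.
        return "LIKELY-BENIGN"
    return "SUSPICIOUS"


def compare_resolvers(reference_lookup, resolver_lookups, watchlist):
    """Return {(name, rrtype): {resolver: (status, sorted answers)}} for every mismatch."""
    findings = {}
    for name, rrtype in watchlist:
        reference = reference_lookup(name, rrtype)
        for label, lookup in resolver_lookups.items():
            observed = lookup(name, rrtype)
            status = classify(rrtype, reference, observed)
            if status:
                findings.setdefault((name, rrtype), {})[label] = (status, sorted(observed))
    return findings


def run_check():
    lookups = {label: table_lookup(label) for label in ANSWERS}
    return compare_resolvers(expected_lookup, lookups, WATCHLIST)


if __name__ == "__main__":
    for (name, rrtype), per_resolver in run_check().items():
        for resolver, (status, answers) in per_resolver.items():
            print(f"{status:13} {name} {rrtype} via {resolver}: {answers}")
```

On the constructed data the check flags the ISP resolver’s unrelated address for www.example and the public resolver’s changed NS delegation as suspicious, while the CDN pool differences are reported only as likely benign. The NS rule is deliberately strict because a swapped name server, as in the ns1.csit-host.com case above, hands the attacker every record in the zone at once.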

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.