There are two big breaking stories about exploits involving DNS — the Domain Name System, the “phonebook of the internet.” One involves a type of spamming attack facilitated by a vulnerability in how organizations manage their internet domains, specifically at GoDaddy.
(Moral: make sure all your domains, including the “parked” ones that you bought just in case, are fully configured on your DNS host. Hopefully it goes without saying to not let them expire.)
The other big DNS story stems from a FireEye report on a global DNS hacking campaign affecting “dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.”
(Moral: use strong passwords and authentication, and don’t re-use them across different services. Be particularly careful of the password that controls your agency’s name on the internet.)
- GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains (Ars Technica) “The company responded with the following statement: After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process. We’ve identified a fix and are taking corrective action immediately.”
- Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com (Krebs on Security) “Experts warn this same weakness that let spammers hijack domains tied to GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks….”
- A Worldwide Hacking Spree Uses DNS Trickery to Nab Data (Wired) “DNS hijacking is a relatively easy way to still access internal data without ever needing to actually get inside an organization’s systems.”
- DHS issues security order after DNS hijack attacks from Iran, 6 agency domains already affected (Boing Boing) “DHS says managers need to audit DNS records for unauthorized edits, update their passwords, and turn on multi-factor authentication for all accounts through which DNS records could be altered. Agencies have two weeks to implement the directives.”
From the Ohio Web Library:
- Preimesberger, Chris. “Six Things Enterprises Should Know About Securing Their DNS.” EWeek, Jan. 2019, p. N.PAG.
- Robertson, Jordan. “E-Mail Spam Goes Artisanal.” Bloomberg Businessweek, no. 4461, Feb. 2016, pp. 30–31.
- Guidry, Martin. “Overview of DNS.” Building Your Technology Skills. Lynda.com, Mar. 16, 2016.