The Internet Corporation for Assigned Names and Numbers, also known as ICANN, issued a warning about the ongoing problems facing the DNS infrastructure, according to an advisory published on Friday last week (Feb. 22nd).
It said it “believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure” and has urged all domain owners and services to fully adopt Domain Name System Security Extensions (DNSSEC) across all unsecured domain names.
DNSSEC is a mechanism that involves the use of digital signatures to enable servers to authenticate and verify the integrity of DNS responses to queries.
DNSSEC cryptographically guarantees that the response to a DNS query has not been changed or spoofed.
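One link in that chain of verification is the DS record: the parent zone publishes a hash of the child zone's public key (DNSKEY), and a validating resolver rejects any key that does not hash to it. The sketch below is an added example, not taken from ICANN's advisory or this article; it implements the RFC 4034 key tag and the SHA-256 DS digest (digest type 2), and the zone name, key bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (a 16-bit checksum, not a hash)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True only if the DNSKEY is the one the parent's DS record commits to."""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2:  # this example only handles SHA-256 digests
        return False
    if key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata), digest)

# Constructed sample data: placeholder key bytes, reserved test zone name.
ZONE = "example.test."
LEGIT_KEY = dnskey_rdata(257, 15, bytes(range(32)))     # zone owner's key
ROGUE_KEY = dnskey_rdata(257, 15, bytes(range(1, 33)))  # key from a substituted server
PARENT_DS = (key_tag(LEGIT_KEY), 15, 2, ds_digest(ZONE, LEGIT_KEY))

if __name__ == "__main__":
    for label, key in (("legitimate", LEGIT_KEY), ("substituted", ROGUE_KEY)):
        ok = dnskey_matches_ds(ZONE, key, PARENT_DS)
        print(f"{label} DNSKEY: {'matches DS' if ok else 'REJECTED'}")
```

A real validator also verifies the RRSIG signatures made with the matched key; this example covers only the parent-to-child DS check.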
DNS hijacking attacks
As ICANN notes in its report, DNSSEC would have prevented the DNS hijacking attacks over the last couple of months.
In January, security researchers at FireEye revealed a months-long campaign conducted by Iranian cyber-attackers who hacked into web hosting and domain registrar services in order to alter the DNS records of email domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East and North Africa, Europe and North America.
They explained that the attack was designed to let the hackers re-route users from a legitimate web address to a malicious server, where they were able to intercept login credentials and then forward the traffic on to the legitimate email servers.
The US Department of Homeland Security issued an alert about the recent cyber-attacks, urging government entities to review and proactively check their DNS records for any malicious activity.
In another report, infosec investigative journalist Brian Krebs also referred to the DNS hijacking detected by FireEye last month. In the report, he said that hackers have realised it’s a lot easier to change DNS records than to hack email servers or spear-phish credentials from employees.
ICANN is now calling for the full deployment of DNSSEC across all domains in order to stop and prevent future DNS hijacking attacks.