Growing Awareness of DNS Hijacking: A Growing Cyber Threat

A recent report from Palo Alto Networks Unit 42 exposes the persistent and evolving threat of DNS hijacking, a stealthy tactic used by cybercriminals to redirect Internet traffic. Using passive DNS data, the company also documented real-world DNS hijacking attacks from the past year, underlining the urgency of countering this hidden danger.

What is DNS hijacking?

DNS hijacking involves changing the responses of targeted DNS servers, redirecting users to servers controlled by attackers instead of the legitimate ones they wish to reach.

DNS hijacking can be done in several ways:

  • Taking over the domain owner’s account, which gives access to the DNS settings: In this scenario the attacker holds valid credentials that allow the DNS configuration to be modified directly. The attacker could equally hold valid credentials for the domain registrar or the DNS service provider and change the configuration there.
  • DNS cache poisoning: The attacker impersonates a DNS name server and sends a forged response, so the resolver caches a record that leads to attacker-controlled content instead of the legitimate content.
  • Man-in-the-middle attack: The attacker intercepts the user’s DNS queries and returns results that redirect the victim to attacker-controlled content. This only works if the attacker controls a system involved in the DNS query/response path.
  • Modifying DNS-related system files, such as the hosts file on Microsoft Windows systems: If the attacker can write to this local file, the user can be redirected to attacker-controlled content.

Attackers commonly use DNS hijacking to redirect users to phishing websites that look like the intended websites or to infect users with malware.

DNS Hijack Detection with Passive DNS

The Unit 42 report describes a method for detecting DNS hijacking through passive DNS scanning.

What is passive DNS?

Passive DNS refers to terabytes of historical DNS query and response data. In addition to the domain name and DNS record type, passive DNS records typically contain a “first seen” and “last seen” timestamp. These records allow users to trace the IP addresses that a domain has resolved to over time.

For an entry to appear in passive DNS, it must be queried by a system whose DNS queries are recorded by passive DNS systems. That’s why the most comprehensive passive DNS information typically comes from providers with high query volumes, such as ISPs or companies with large customer bases. It is often advisable to subscribe to a passive DNS provider because they collect more DNS queries than the average company, providing a more comprehensive view than just local DNS queries.


DNS Hijack Detection

Palo Alto Networks’ method for detecting DNS hijacking begins by identifying newly seen DNS records, because attackers often create new records to redirect users. Domain names without prior passive DNS history are excluded from detection because there is not enough historical information to compare against. Malformed records are also discarded at this stage.

DNS records are then analyzed using passive DNS and geolocation data based on 74 features. According to the report, “certain features compare the historical usage of the new IP address to the old IP address of the domain name in the new registration.” The goal is to detect anomalies that could indicate a DNS hijacking operation. A machine learning model then provides a probability score based on the analysis.

WHOIS records are also checked to exclude domains that have been re-registered, since a re-registration usually results in a complete IP address change that would otherwise be detected as a DNS hijack.

Finally, the domains are actively browsed and the IP addresses and HTTPS certificates of the old and new hosts are compared. Identical results indicate a false positive, and such records are excluded from the DNS hijacking operations.
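As an added illustration (this is not Unit 42’s pipeline, whose 74 features and model are not reproduced here), the following Python sketch mimics the stages just described on a handful of constructed passive DNS records: it discards malformed records, skips domains with less than a year of history, treats a re-registered domain (WHOIS creation date newer than the old records) as a false positive, and scores a genuinely new IP with a few hand-written features such as a change of country or ASN and the stability of the old mapping. The GEO and WHOIS_CREATED tables, the domain names, the feature weights and the threshold are all assumptions made for the example.

```python
"""Toy passive-DNS change detector (added example, not Unit 42's pipeline).
Stages: drop malformed records, require enough history, skip re-registered
domains, then score a newly seen IP with a few hand-written features.
All records, lookup tables, weights and the threshold are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    rrtype: str
    rdata: str
    first_seen: date
    last_seen: date


# Constructed country/ASN lookup standing in for a GeoIP database.
GEO = {
    "198.51.100.10": ("SK", "AS64500"),
    "198.51.100.11": ("SK", "AS64500"),
    "203.0.113.7": ("DE", "AS64501"),
    "192.0.2.44": ("US", "AS64502"),
    "192.0.2.45": ("US", "AS64502"),
}
# Constructed WHOIS creation dates; a re-registered domain gets a fresh one.
WHOIS_CREATED = {
    "party.example": date(2017, 1, 20),
    "hosting-move.example": date(2014, 6, 1),
    "lapsed.example": date(2024, 5, 1),
}
MIN_HISTORY_DAYS = 365   # less history than this: nothing to compare against
STABLE_DAYS = 3 * 365    # an old mapping this stable makes a sudden move more suspicious
THRESHOLD = 5            # points (out of 10) needed to become a hijack candidate


def is_valid_a_record(rec):
    """Keep only syntactically valid IPv4 A records (the 'invalid records' filter)."""
    if rec.rrtype != "A":
        return False
    try:
        return ip_address(rec.rdata).version == 4
    except ValueError:
        return False


def score_change(history, new):
    """Classify a newly seen A record against the domain's earlier records.
    Returns (decision, points, reasons)."""
    if not is_valid_a_record(new):
        return "invalid", 0, ["malformed A record"]
    history = sorted((h for h in history if is_valid_a_record(h)), key=lambda h: h.first_seen)
    if not history or (new.first_seen - history[0].first_seen).days < MIN_HISTORY_DAYS:
        return "insufficient_history", 0, ["less than a year of passive DNS history"]
    if new.rdata in {h.rdata for h in history}:
        return "known_ip", 0, ["address already seen for this domain"]
    last_old = max(h.last_seen for h in history)
    created = WHOIS_CREATED.get(new.domain)
    if created is not None and created > last_old:
        return "re-registered", 0, ["WHOIS creation date postdates the old records"]

    points, reasons = 0, []
    old_countries = {GEO[h.rdata][0] for h in history if h.rdata in GEO}
    old_asns = {GEO[h.rdata][1] for h in history if h.rdata in GEO}
    country, asn = GEO.get(new.rdata, (None, None))
    if country and country not in old_countries:       # hosting country changed
        points += 4
        reasons.append(f"new country {country}, history {sorted(old_countries)}")
    if asn and asn not in old_asns:                     # hosting network changed
        points += 3
        reasons.append(f"new ASN {asn}, history {sorted(old_asns)}")
    if (last_old - history[0].first_seen).days >= STABLE_DAYS:
        points += 2
        reasons.append("old mapping was stable for years")
    if (new.first_seen - last_old).days <= 7:           # old record active until days before
        points += 1
        reasons.append("abrupt switch from the old address")
    decision = "candidate" if points >= THRESHOLD else "low_score"
    return decision, points, reasons


def analyze(records):
    """Group by domain; the record with the latest first_seen is the 'new' one."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec.domain].append(rec)
    results = {}
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r.first_seen)
        results[domain] = score_change(recs[:-1], recs[-1])
    return results


# Constructed sample: a sudden cross-border move, a same-provider move,
# a lapsed and re-registered domain, a brand-new domain and a malformed record.
SAMPLE = [
    PdnsRecord("party.example", "A", "198.51.100.10", date(2017, 2, 1), date(2021, 6, 30)),
    PdnsRecord("party.example", "A", "198.51.100.11", date(2021, 7, 1), date(2024, 1, 14)),
    PdnsRecord("party.example", "A", "203.0.113.7", date(2024, 1, 15), date(2024, 1, 15)),
    PdnsRecord("hosting-move.example", "A", "192.0.2.44", date(2014, 6, 20), date(2024, 5, 9)),
    PdnsRecord("hosting-move.example", "A", "192.0.2.45", date(2024, 5, 10), date(2024, 5, 10)),
    PdnsRecord("lapsed.example", "A", "192.0.2.44", date(2019, 1, 1), date(2023, 12, 1)),
    PdnsRecord("lapsed.example", "A", "203.0.113.7", date(2024, 5, 3), date(2024, 5, 3)),
    PdnsRecord("fresh.example", "A", "203.0.113.7", date(2024, 9, 1), date(2024, 9, 1)),
    PdnsRecord("bad.example", "A", "not-an-ip", date(2024, 9, 1), date(2024, 9, 1)),
]

if __name__ == "__main__":
    for domain, (decision, points, reasons) in analyze(SAMPLE).items():
        print(f"{domain:22} {decision:22} {points:2}  {'; '.join(reasons)}")
```

Running the script flags only party.example as a candidate (new country and ASN after seven years on one subnet), while the same-provider move scores too low, the lapsed domain is dropped by the WHOIS check, and the brand-new domain is dropped for lack of history. In a real deployment the country/ASN lookup, the WHOIS feed and the active-browsing comparison from the final stage would replace the constructed tables.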

DNS Hijacking Statistics

From March 27 to September 21, 2024, researchers processed 29 billion new records, of which 6,729 were flagged as DNS hijacking. This resulted in an average of 38 DNS hijacking records per day.

Figure: Daily candidate counts and predicted DNS hijacking records. Image: Palo Alto Networks

Unit 42 says cybercriminals have hijacked domains to host phishing content, deface websites, or distribute illicit content.

DNS hijacking: concrete examples

Unit 42 has witnessed several cases of DNS hijacking, primarily for cybercrime purposes. But it is also possible to use DNS hijacking for cyber espionage purposes.

Hungarian political party’s domain leads to phishing

One of the largest opposition groups to the Hungarian government, the Democratic Coalition (DK), had been hosted on the same IP address subnet in Slovakia since 2017. In January 2024, researchers detected a change on the DK website: it suddenly resolved to a new German IP address, which served a Microsoft login page instead of the political party’s usual news page.

Figure: Microsoft login phishing page. Image: Palo Alto Networks

An American company’s websites defaced

In May 2024, two domains of a major American utility management company were hijacked. The FTP hostname, which had resolved to the same IP address since 2014, suddenly changed. The domains’ DNS name servers were hijacked and pointed to ns1.csit-host.com, a name server controlled by the attacker.

According to the study, the attackers also used the same name servers to hijack other websites in 2017 and 2023. The aim of the operation was to display a defacement page from an activist group.

How businesses can protect themselves from this threat

To protect against these threats, the report suggests that organizations:

  • Deploy multi-factor authentication to access their DNS registrar accounts. Whitelisting IP addresses allowed to access DNS settings is also a good idea.
  • Use a DNS registrar that supports DNSSEC. This protocol adds a layer of security by digitally signing DNS records, so that validating resolvers can detect forged responses, making it more difficult for malicious actors to spoof DNS data.
  • Use networking tools that compare DNS query results from third-party DNS servers, such as those of ISPs, to DNS query results obtained when using the company’s regular DNS server. A mismatch could indicate a change in DNS settings, which could be a DNS hijacking attack.

Additionally, all hardware, such as routers, should have up-to-date firmware, and all software should be up-to-date and patched to avoid being compromised by common vulnerabilities.
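The third recommendation, comparing answers from outside resolvers with those of the company’s own resolver, can be implemented with a short script. The one below is an added example and not a tool from the report: it sends a minimal RFC 1035 UDP query for a name’s A records to each resolver and flags any outside resolver whose answer shares no address with the internal answer. The resolver addresses, the domain name and the FAKE_ANSWERS table used by the offline demo are all constructed assumptions.

```python
"""Resolver consistency check (added example, not a Unit 42 tool).
Queries the organisation's own resolver and several outside resolvers for a
name's A records and flags outside answers that share no address with the
internal answer. Network I/O is a minimal RFC 1035 UDP query; the comparison
takes an injectable resolve function so it can run offline on constructed
answers, which is what the demo at the bottom does."""
import random
import socket
import struct


def build_query(name, qid):
    """Standard recursive A/IN query for name with the given transaction id."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, qid):
    """Extract IPv4 answers from a response; empty set on bad id or error RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != qid or flags & 0x000F != 0:
        return set()
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4        # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def udp_resolve(name, server, timeout=3.0):
    """Ask one resolver (IPv4 address) for the A records of name."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def compare_resolvers(name, internal, externals, resolve=udp_resolve):
    """Return (consistent, answers, disagreeing); answers maps server -> set of IPs.
    An external resolver 'disagrees' when its answer shares no address with the
    internal resolver's answer (plain set equality would be noisy behind CDNs)."""
    answers = {srv: resolve(name, srv) for srv in [internal, *externals]}
    baseline = answers[internal]
    disagreeing = [srv for srv in externals
                   if not baseline or answers[srv].isdisjoint(baseline)]
    return not disagreeing, answers, disagreeing


# --- offline demo with constructed data ---------------------------------
FAKE_ANSWERS = {   # constructed resolver address -> constructed A records
    "10.0.0.53": {"198.51.100.10"},                    # internal resolver
    "192.0.2.1": {"198.51.100.10", "198.51.100.11"},   # overlaps: fine
    "192.0.2.2": {"203.0.113.7"},                      # disjoint: suspicious
}


def fake_resolve(name, server, timeout=3.0):
    return FAKE_ANSWERS[server]


def sample_response(name, qid, ip):
    """Construct a well-formed reply to build_query(name, qid) with one A record."""
    question = build_query(name, qid)[12:]
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def run_offline_demo():
    return compare_resolvers("party.example", "10.0.0.53",
                             ["192.0.2.1", "192.0.2.2"], resolve=fake_resolve)


if __name__ == "__main__":
    consistent, answers, disagreeing = run_offline_demo()
    print("consistent:", consistent, "disagreeing:", disagreeing)
    for srv, ips in answers.items():
        print(f"  {srv:12} {sorted(ips)}")
```

For live use, call compare_resolvers with the default udp_resolve and real resolver addresses on a schedule, and alert when disagreeing is non-empty; a disjoint answer set is a signal to investigate the domain’s DNS settings and registrar account, not proof of a hijack on its own, since geo-distributed hosting can also return different addresses to different resolvers.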

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.