ShadowTrackr

Log in >
RSS feed

DNS hijack detection

20 January 2019
Disclaimer: this is about the detection of a specific attack. It does not catch all DNS hijacks.

FireEye recently blogged about a Global DNS hijacking campaign and a client requested detection for this in ShadowTrackr. As of today, it's live on all accounts.

A DNS hijack happens when someone logs in to your domain registrar and changes the legitimate ip address for one of your websites to the ip address of a server they control. After this, the attacker can do all sorts of evil to your users. This ranges from simply setting up a phishing site on your domain to more complex attacks like the one that happened at Fox-IT (which is also a good example of how to handle an incident).

ShadowTrackr does log all your ip changes, which means that the exact start and end of the attack will be recorded for you. The problem is that there is no way that ShadowTrackr can know if an ip change is legitimate or not. It's not uncommon for clients with many assets to regularly have ip address changes. We would love to send you a warning instead of just logging it, but so far we didn't know how to properly detect trouble.

The specific attack fireEye and Talos blog about concerns the situation where the attacker takes over your website and consequently has to issue a new certificate for it. Chances are that this new certificate will be from a different issuer. Talos warns specifically for changes from any other issuer to Let's Encrypt. Now this is something we can work with!

When a new certificate is isued for one of your domains and it's from a different issuer than the previous certificate, ShadowTrackr will send you a warning. Also, in the certificates report you can now see if you have multiple certificates from different issuers for the same url.

So, you should all check these reports and see if the certificates found where issued by yourself or not. You should also still check unexpected ip changes, since this method of detection does not detect all hijacks. And of course, above all, use two factor authentication for your login at domain registrars!
Older posts >

Overview
Use cases
Plans and pricing
FAQ
Resources
API
Blog
Documentation
Integrations
Shodan
OpenCTI
Company
About
Contact us
Legal & Policy