Over the past few months we have been monitoring a large number of DNS manipulation attacks. One of the features of our sensor is to detect fast fluxing and changes to the DNS name resolution over time. Over the last several months we have been observing several DNS attacks at large and small companies. Several servers that are hosted on AWS and OVH hosting have been identified that appear to be part of the campaign. We are more interested in the redirection from legitimate websites host that are proxying (and presumably sniffing traffic) to and from these websites.
Last week a customer owned sensor identified 2 instances where the TTL of a popular domain was changed from 7200 down to 30 seconds. These low time to live values make it easier for attackers to quickly redirect a host through an intermediary. A look at cached DNS TTL values also shows that this activity has been occurring since 2016 on the host that Jigsaw Security is tracking.
Continued attacks are also being seen from other countries in coordinated and highly effective efforts to steal credentials.
Heuristic Detection Module
As you may be aware, Jigsaw Security's FirstWatch sensor includes a Heuristic Detection module that looks for these types of attacks. A review of historical logging shows that this activity started occurring more frequently in February of 2016 and targets can be determined fairly easily. In particular, several open and popular networks that are provided to retail customers have also been affected. It is believed that this method is being used to harvest credentials to sensitive websites while users are shopping, visiting coffee shops and wireless networks with popular SSID's in busy locations such as train stations and public venues.
This same method is also be utilized for cellular networks whereas unauthorized pico and micro cells are being brought online in popular locations.
Suggestions to Mitigate this Issue
One of the methods that Jigsaw Security has employed on our customer networks is always on VPN for mobile devices and laptops. This ensures that mobile devices or devices that are used out of the office are being forced to use your authorized DNS servers where the FirstWatch sensors have visibility into what is occurring.
Another module we have provided detects when DNS entries for critical services change and notify the security team that tampering may be occurring.