NCSC issues warning over global DNS hijacking campaign

Warning over upsurge in DNS hijacking campaigns that redirect users to malicious websites

The National Cyber Security Centre (NCSC) has issued an advisory over a large-scale global DNS hijacking campaign.

The advisory [PDF] discusses the risks and mitigations for organisations to protect themselves from such attacks, in which threat actors change the domain name system (DNS) records of websites and redirect visitors to malicious sites instead.

DNS is the service that helps internet users navigate to a web domain by correctly pointing the web browser to an IP address.

Changing DNS records not only enables cybercriminals to redirect users to malicious websites; attackers can also modify the ownership details of web domains, making them difficult to recover.

According to a recent report by Avast, a large number of Brazilian users have been targeted with router attacks in the past year. The report claims that the DNS settings of more than 180,000 Brazilian routers were modified by attackers in the first six months of 2019.

Last week, Cisco Talos also published a report on recently observed activity by Sea Turtle, a threat group that uses DNS hijacking techniques for cyber-espionage purposes.

The NCSC first noticed attempts by attackers to hijack DNS earlier this year. At the time, the NCSC published an alert to warn organisations, and also revealed that the hijacking campaign had hit several government and commercial organisations worldwide.

While most of the affected entities were located in the Middle East region, some organisations were also targeted in the US and Europe.

The NCSC now says that it has observed further attacker activity across multiple sectors and regions. The Centre is probing the attacks, but says that it is not yet aware of any compromised entity in the UK.

To prevent phishing attacks, the agency recommends administrators use strong, unique passwords, and also enable multi-factor authentication, where possible.

To protect registrar accounts from account takeovers, the NCSC advises administrators to regularly check the details linked to the account.

For organisations that run their own DNS infrastructure, the agency suggests implementing strict access controls on computer systems hosting DNS services.

Last year, NCSC technical director Dr Ian Levy revealed that the organisation is monitoring the internet to block DDoS and other cyber attacks on the UK.

It has also weighed in on the dispute over the use of Huawei hardware in the UK's 5G networks, arguing that the supposed risks are manageable.