
What You Don’t See Can Hurt You

In general, technology covers up a lot of the complexity in things that we take for granted. As an example, consider a cell phone call. You dial a number, wait a few seconds, and you are either connected to a person or to their voicemail. In the background, many things have happened. Your phone has sent out a relatively low-power signal to the nearest cell tower (base transceiver station, or BTS) requesting a connection. It uses one frequency to transmit and a different one to receive. The BTS then connects to a mobile switching center (MSC), which checks whether the caller has a valid account to make a call. If the caller is using a prepaid service, the account is checked to make sure there is enough credit for the call. If all is well, the call is routed to the rest of the call infrastructure to reach the destination. That part of the process varies somewhat depending on whether you are calling a cell phone or a landline, or making an international call.

How DNS Works

As you can see, there are many steps and components involved, almost all of them out of your control. Connecting to a web page is very much the same. When you type a URL into your browser, a series of conversations begins. You can’t really get to a web page with a description like www(.)google.com; you need the numerical address of that web page. If your computer has been there before, it may still have that address stored, but if not, it needs to ask another source for it. The first stop is the DNS (Domain Name System) server configured on your computer. It may be your router, a server specified by your ISP, or a server you configured yourself. If this first source does not know the address, it asks another source further up the hierarchy of DNS servers. The request gets passed up the chain until someone can answer it, and then the answer is sent back down the chain to your computer. On my computer, the address for www(.)google.com came back as 172.217.12.36. Once your computer has that, it sends out a broadcast request that in essence asks, “Who owns 172.217.12.36?” This starts a new series of conversations between routers asking for the location of the web page. Eventually the answer is found and passed back to your computer, the request is sent to the appropriate address, and you get your web page. Once again, a lot happens that you don’t see and that is totally out of your control.

DNS is essentially the address book for the internet, and like any other address book you might use, we trust that once data is there, it is accurate. What if it wasn’t? DNS hijacking is similar to someone getting possession of your address book and changing the information. This article discusses an attack campaign innocuously called Sea Turtle.

“CISA said that attackers have managed to intercept and redirect web and mail traffic and could target other networked services. The agency said the attacks start with compromising user credentials of an account that can make changes to DNS records. Then the attacker alters DNS records, like Address, Mail Exchanger, or Name Server records, replacing the legitimate address of the services with an address the attacker controls.”
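The tampering described above (Address, Mail Exchanger and Name Server records swapped for attacker-controlled ones) is exactly what a defender can watch for by comparing a zone’s records against a known-good baseline. The following is an added example, not code from the original article or from CISA; all domain names and addresses in it are constructed, and the `observe_a_records` helper is an assumption about how one might feed live data into the check.

```python
import socket

# Baseline of the records a defender expects for their own zone.
# Every name and address here is constructed for this example.
EXPECTED_RECORDS = {
    ("www.example.test", "A"): {"203.0.113.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
}

# Records as seen on a later check, constructed to mimic the tampering
# CISA describes: the A record now points at an attacker-controlled
# address, a second MX was added, and one NS entry was swapped out.
OBSERVED_RECORDS = {
    ("www.example.test", "A"): {"198.51.100.77"},
    ("example.test", "MX"): {"10 mail.example.test.", "5 mx.attacker-controlled.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns.attacker-controlled.test."},
}


def detect_record_changes(expected, observed):
    """Return one alert dict per record set that differs from the baseline.

    'added' holds values present now but absent from the baseline; 'removed'
    holds baseline values now missing. A record set absent from observed
    entirely is reported as all of its values removed.
    """
    alerts = []
    for (name, rtype), baseline in expected.items():
        seen = observed.get((name, rtype), set())
        added, removed = seen - baseline, baseline - seen
        if added or removed:
            alerts.append({"name": name, "rtype": rtype, "added": added, "removed": removed})
    return alerts


def observe_a_records(hostname):
    """Resolve A records via the system's configured DNS server (stdlib only,
    so it covers A records, not MX or NS); feed the result into a live check."""
    _, _, addresses = socket.gethostbyname_ex(hostname)
    return set(addresses)


if __name__ == "__main__":
    for alert in detect_record_changes(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"{alert['rtype']} {alert['name']}: unexpected={sorted(alert['added'])}"
              f" missing={sorted(alert['removed'])}")
```

Run on a schedule from a host outside the zone, the baseline comparison flags the kind of change that redirects web and mail traffic well before users notice anything.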

How did this happen?

“The Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails.”

What was the result? The bad actors were able to gain control of accounts that could change DNS entries for an organization and direct people to servers controlled by the bad actors. Using stolen certificates, they were able to present a false web page that is indistinguishable from the legitimate one, down to the URL.

When doing security awareness training, I always stress closely examining the URL before clicking on it. In this case, that may not work if the bad guys have managed to steal the legitimate certificate. At present “this incident is limited to targeting primarily national security organizations in the Middle East and North Africa,” but there is no reason to expect that to remain true forever.

Be Alert, Patch Your Systems

Let’s go back to how this happened. The article cited spear-phishing emails and known vulnerabilities as the main avenues of compromise. Once again, prevention comes down to some basic tactics. Make sure your people are on the watch for phishing emails. Spear-phishing emails are crafted with the individual in mind, usually an executive, because they may be less observant due to a large workload. Training can help overcome that. Known vulnerabilities are weaknesses that have been published and for which patches exist. The responsibility lies with your organization to get the patches applied, and this needs to be done promptly, especially when security issues are involved. If bad actors compromise DNS servers and start rerouting traffic on a large scale, we will all have a big problem to deal with. For now, we can help by not contributing to the problem. Do what you can, by training and by patching, and keep your piece of the internet secure.
