The U.K. National Cyber Security Centre (NCSC) urged organizations to implement measures to mitigate the threat of DNS hijacking.

The agency published the alert after it discovered multiple attacks attempting to exploit the Domain Name System (DNS) over the last few months. One of the largest of these hijacking campaigns occurred in January, when threat actors compromised credentials to alter DNS records. This attack enabled the malefactors to redirect web traffic for commercial and government organizations worldwide, particularly those in the Middle East, to infrastructure under their control.

Following this campaign, NCSC witnessed several other attempts at DNS hijacking across multiple regions and sectors for the purpose of creating malicious DNS records, obtaining SSL certificates, conducting transparent proxying and/or hijacking domains. The tips in the agency’s report are meant to help organizations defend themselves against such attacks.

DNS Hijacking Activity Surges

NCSC’s disclosure came amid a surge of DNS hijacking activity. In November 2018, Cisco Talos detected an attack campaign in which bad actors used malware called DNSpionage to redirect traffic going to Lebanon and the United Arab Emirates (UAE) using .gov domains, as well as a Lebanese airline company.

Several months later, IXIA observed a DNS hijacking campaign that exploited consumer-grade routers to skim user input data for PayPal, Netflix, Gmail and Uber. Cisco Talos spotted the Sea Turtle threat actor updating its own hijacking campaigns with new infrastructure earlier this month, and Avast recently detected close to 200,000 hijacking attempts targeting Brazilians since February 2019.

Mitigate the Threat of DNS Hijacking

Security professionals can help defend their organizations against DNS hijacking by monitoring access to web applications and authentication logs for web traffic that could be coming from a single or small pool of web-facing IP addresses. It’s also critical to prioritize vulnerability remediation by gaining insight into all assets and components used in the network.

More from

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…