
DNSpionage. A DNS Server Hijacking Attack

Monitoring DNS requests so as to detect DNSpionage attacks

What is DNSpionage?

Late last year, Cisco Talos discovered a DNS hijacking attack targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

How can you detect the presence of DNSpionage activity on your network?

Earlier this year, security firm CrowdStrike published a blog post listing the IP addresses and domain names known to be used by the espionage campaign to date. If you want to check for the presence of DNSpionage activity on your network, you should monitor network traffic at your network's perimeter and watch out for any activity associated with these IP addresses or domains.

IP Address List

142.54.179.69,89.163.206.26,185.15.247.140,146.185.143.158,128.199.50.175,185.20.187.8,82.196.8.43,188.166.119.57,206.221.184.133,37.139.11.155,199.247.3.191,185.161.209.147,139.162.144.139,37.139.11.155,178.62.218.244,139.59.134.216,82.196.11.127,46.101.250.202

Domain List

cloudipnameserver.com|cloudnamedns.com|lcjcomputing.com|mmfasi.com|interaland.com

Using LANGuardian to detect DNSpionage activity

Our LANGuardian product includes both a network traffic analysis module which can capture IP addresses and a DNS decoder to extract metadata from DNS queries. You just need to monitor network traffic going to and from your Internet gateways to gain visibility into what is happening and root out any suspicious activity.

Once you have LANGuardian deployed, you need to check two reports for DNSpionage activity.

Check applications report for any traffic associated with the IP addresses connected to the espionage campaign.

  1. Log onto your LANGuardian and click on All Reports / Applications in Use
  2. Enter the IP addresses listed above into the Source or Destination IP/Subnet report filter
  3. Run report
  4. Optionally you can save this as a custom report by clicking on Actions / Save As

You should not see any results in the report when you run it. If you do, you need to check the systems on your network that are communicating with the IP addresses. The image below shows the report output from my lab network: no results were returned, which is what you are aiming for. Click on this image to access this report on our online demo.

A traffic report which is checking for any IP addresses associated with the DNSpionage attack

Check DNS queries for any lookups associated with the domains connected to the espionage campaign.

  1. Log onto your LANGuardian and type DNS Lookups into the search box top center. Select the report Network Events (DNS Lookups)
  2. Enter the domain list shown above into the Domain report filter. Select Matches regexp from the dropdown
  3. Run report
  4. Optionally you can save this as a custom report by clicking on Actions / Save As

You should not see any results in the report when you run it. If you do, you need to check the systems on your network that are trying to resolve one or more domains from the list. The image below shows the report output from my lab network. It does show some activity, and I will need to do further analysis of the local client 10.1.1.159.

A report showing DNS lookups associated with the DNSpionage attack
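The two report checks above (traffic to or from the indicator IP addresses, and DNS lookups for the indicator domains) can also be run over exported flow and DNS logs. The script below is an added example written for this post; it is not LANGuardian code and does not reproduce how the LANGuardian filters match. The indicator lists are the ones quoted above; the log line formats and the sample records are constructed for the example, with client 10.1.1.159 mirroring the lab finding. One point it shows that the plain pipe-separated list does not: the dots in the domain names are escaped and the pattern is anchored, so a lookup such as notcloudnamedns.com or mmfasiXcom is not reported as a hit, while a subdomain such as ns1.cloudnamedns.com is.

```python
import re
from collections import defaultdict

# Indicator IP addresses as listed in the post above (CrowdStrike's published
# DNSpionage indicators). The duplicate entry in the post collapses in a set.
DNSPIONAGE_IPS = {
    "142.54.179.69", "89.163.206.26", "185.15.247.140", "146.185.143.158",
    "128.199.50.175", "185.20.187.8", "82.196.8.43", "188.166.119.57",
    "206.221.184.133", "37.139.11.155", "199.247.3.191", "185.161.209.147",
    "139.162.144.139", "178.62.218.244", "139.59.134.216", "82.196.11.127",
    "46.101.250.202",
}

# Indicator domains as listed in the post above.
DNSPIONAGE_DOMAINS = [
    "cloudipnameserver.com", "cloudnamedns.com", "lcjcomputing.com",
    "mmfasi.com", "interaland.com",
]

# One regexp matching each indicator domain or any subdomain of it.
# re.escape() keeps "." literal (so "mmfasiXcom" is not a hit) and the
# anchors stop "notcloudnamedns.com" from matching on a suffix.
DOMAIN_RE = re.compile(
    r"^(?:.+\.)?(?:" + "|".join(re.escape(d) for d in DNSPIONAGE_DOMAINS) + r")\.?$",
    re.IGNORECASE,
)


def is_indicator_domain(name):
    """True if the query name is an indicator domain or a subdomain of one."""
    return DOMAIN_RE.match(name.strip()) is not None


def check_flows(flow_lines):
    """Flow records in the constructed format 'timestamp src_ip dst_ip proto port'.
    Returns {local_host: {indicator_ip, ...}} for every flow touching an indicator IP."""
    hits = defaultdict(set)
    for line in flow_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than fail the whole run
        src, dst = parts[1], parts[2]
        if src in DNSPIONAGE_IPS:
            hits[dst].add(src)
        if dst in DNSPIONAGE_IPS:
            hits[src].add(dst)
    return dict(hits)


def check_dns_lookups(dns_lines):
    """DNS log lines in the constructed format 'timestamp client_ip query_name'.
    Returns {client_ip: {query_name, ...}} for lookups of an indicator domain."""
    hits = defaultdict(set)
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        if is_indicator_domain(qname):
            hits[client].add(qname.rstrip(".").lower())
    return dict(hits)


# Constructed sample records (not real captures); 10.1.1.159 is the client
# that needs further analysis, as in the lab report above.
SAMPLE_FLOWS = [
    "2019-04-01T10:00:00 10.1.1.20 93.184.216.34 tcp 443",
    "2019-04-01T10:00:05 10.1.1.159 185.20.187.8 tcp 443",
    "2019-04-01T10:00:09 142.54.179.69 10.1.1.159 tcp 52211",
]
SAMPLE_DNS = [
    "2019-04-01T10:00:01 10.1.1.20 www.example.com",
    "2019-04-01T10:00:04 10.1.1.159 ns1.cloudnamedns.com.",
    "2019-04-01T10:00:06 10.1.1.30 notcloudnamedns.com",
    "2019-04-01T10:00:07 10.1.1.30 mmfasiXcom",
]

if __name__ == "__main__":
    for host, ips in check_flows(SAMPLE_FLOWS).items():
        print(f"flow hit: {host} talked to indicator IP(s) {sorted(ips)}")
    for client, names in check_dns_lookups(SAMPLE_DNS).items():
        print(f"dns hit: {client} resolved indicator domain(s) {sorted(names)}")
```

An empty result from both functions is the outcome you are aiming for, exactly as with the two reports; any host that does appear is the one to investigate next.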

How to monitor network traffic going to and from the Internet

The video below shows the steps needed to get traffic monitoring in place so that you can check for DNSpionage activity on your network.

See a list of other DNS posts on our blog: https://www.netfort.com/search/dns