グローバルDNSハイジャックの脅威

グローバルなDNSハイジャックの脅威とは？

Tripwire、FireEye、Mandiantなどの主要なサイバーセキュリティ企業の専門家は、世界中でDNSハイジャック攻撃が非常に多く発生していることを報告しています。これらの攻撃は、中東、ヨーロッパ、北アフリカ、および北米の政府、通信、およびインターネット企業を標的としています。

Researchers have not publicly identified the sites being targeted, but have acknowledged that the number of domains which have been compromised is in the dozens. These attacks, which have been happening since at least 2017, are being used in conjunction with previously stolen credentials to direct users to fake websites designed to steal login credentials and other sensitive information.

Although no one has taken credit for these attacks, many experts believe the attacks are coming from Iran. Several of the attackers’ IP addresses have been traced back to Iran. While it’s possible that the attackers are spoofing Iranian IPs to throw off the scent, the targets of the attack also seem to point to Iran. Targets include government sites of several Middle Eastern nations, sites containing data that don’t have any financial value but would be very valuable to the government of Iran.

これらのDNSハイジャック攻撃はどのように機能しますか？

いくつかの異なる攻撃戦略が実行されていますが、攻撃の流れは次のとおりです

1. 攻撃者は、標的とするサイトのように見えるように見えるダミーサイトを作成します。
2. The attacker uses a targeted attack (such as spear phishing) to obtain login credentials to the Admin panel of the DNS* provider for the target site.
3. The attacker then goes into the DNS admin panel and changes the DNS records for the site they are targeting (this is known as DNS Hijacking), so that users trying to access the site will instead be sent to the dummy site.
4. The attacker forges a TLS encryption certificate that will convince a user’s browser that the dummy site is legitimate.
5. 疑いを持たないユーザーは、侵害/危害を受けたサイトのURLにアクセスし、ダミーサイトにリダイレクトされます。
6. その後、ユーザーはダミーサイトへのログインを試行し、攻撃者がログイン資格情報を取得します。

*The Domain Name System (DNS) is like the phonebook of the Internet. When a user types a URL, like ‘google.com’ into their browser, its records in DNS servers that direct that user to Google’s origin server. If those DNS records are tampered with, users can end up somewhere they didn’t expect.

DNSハイジャック攻撃をどのように防止することができますか？

個々のユーザーには、これらの種類の攻撃で資格情報を失うことから自分を保護するためにできることは多くありません。ダミーサイトを作成するときに攻撃者が十分に徹底している場合、高度な技術を持つユーザーであっても違いを見つけることは非常に困難です。

One way to mitigate these attacks would be for DNS providers to beef up their authentication, taking measures such as requiring 2-factor authentication, which would make it dramatically more difficult for attackers to access DNS admin panels. Browsers could also update their security rules, for example scrutinizing the source of TLS certificates to ensure that they originate from a source that conforms with the domain they are being used on.