SANS ISC: Cisco Cloud Web Security DNS Hijack - SANS Internet Storm Center SANS ISC InfoSec Forums
Cisco Cloud Web Security DNS Hijack

We have received a report that a domain critical to delivering the Cisco Cloud Web Security product had for a while earlier today been hijacked. The report indicates that the DNS entries for scansafe.net were hijacked and pointed to 208.91.197.132, a site which both VirusTotal and Web of Trust indicate has a reputation for delivering malware.

Guidance that has been provided to customers is that the issue has been resolved, but the TTL on the DNS entries is 48 hours, so it will take a while for caches to clear. In the meantime customers should use the IP, not the FQDN, to access the site.

If anyone has any further details please pass them our way.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

290 Posts
ISC Handler
It's not clear that things have been repaired.

As of 17:00 PST 12 Nov (01:00 CUT 13 Nov), dig is still showing the
suspect IP -- although with a 300 sec TTL (see below):

dig @ns4.mailround.com scansafe.net

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @ns4.mailround.com scansafe.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19078
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;scansafe.net. IN A

;; ANSWER SECTION:
scansafe.net. 300 IN A 208.91.197.132

;; Query time: 47 msec
;; SERVER: 208.91.197.132#53(208.91.197.132)
;; WHEN: Thu Nov 12 17:08:41 2015
;; MSG SIZE rcvd: 46



GeekTools Whois Proxy v5.0.6 Ready.
Checking access for 171.66.213.195... ok.

Checking server [whois.crsnic.net]

Checking server [whois.totalregistrations.com]
Results:
Domain: scansafe.net
Registry Domain ID: 100077482_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.totalregistrations.com
Registrar URL: http://www.totalregistrations.com
Registrar Registration Expiration Date: 2016-07-04T00:00:00Z
Registrar: Total Registrations
Registrar IANA ID: 131
Registrar Abuse Contact Email: abuse@totalregistrations.com
Registrar Abuse Contact Phone: +44.8448475838
Reseller:
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Created Date: 2003-07-04T17:45:00Z
Updated Date: 2015-06-30T23:13:00Z
Registry Registrant ID:
Registrant Name: CISCO TECHNOLOGY, INC.
Registrant Organization: INFO SEC
Registrant Street: 170 W. TASMAN DRIVE
Registrant City: SAN JOSE
Registrant State/Province: CA
Registrant Postal Code: 95134
Registrant Country: US
Registrant Phone: +1.4085273842
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: INFOSEC@CISCO.COM
Admin Contact:
Admin Organization: Cisco Systems, Inc.
Admin Name: Nitin Thakur
Admin Street: 5th Floor Qube
Admin Street: 90 Whitfield Street
Admin City: London
Admin State/Province: London
Admin Postal Code: W1T 4EZ
Admin Country: GB
Admin Phone: +44.2070349300
Admin Phone Ext:
Admin Fax: +44.2070349301
Admin Fax Ext:
Admin Email: ops@scansafe.com
Tech Contact:
Tech Organization: Scansafe Ltd
Tech Name: Jim Walker
Tech Street: 5th Floor Qube
Tech Street: 90 Whitfield Street
Tech City: London
Tech State/Province: London
Tech Postal Code: W1T 4EZ
Tech Country: GB
Tech Phone: +44.2070349300
Tech Phone Ext:
Tech Fax: +44.2070349301
Tech Fax Ext:
Tech Email: ops@scansafe.com
Name Server: ns5.mailround.com
Name Server: ns4.mailround.com
Name Server: ns0.mailround.com
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-11-13T01:07:37Z <<<

For more information on Whois status codes, please visit https://icann.org/epp
The Data in TotalRegistrations' WHOIS database is provided by
TotalRegistrations for information purposes and to assist persons
in obtaining information about or related to a domain name
registration record. TotalRegistrations does not guarantee its
accuracy. By submitting a WHOIS query, you agree that you will
use this Data only for lawful purposes and that, under no
circumstances will you use this Data to: (1) allow,
enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail (spam); or (2)
enable high volume, automated, electronic processes that apply to
TotalRegistrations (or its systems). TotalRegistrations reserves
the right to modify these terms at any time. By submitting this
query, you agree to abide by this policy

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (171.66.213.195) has visited 1 times today.
JAG

2 Posts
We got this status message yesterday (to the large mailing list). Not sure if it is related to the other hostile DNS takeover yesterday. But they surely did have major issues.

CWS Alert: Core Service Degradation 12 November 2015

Dear Cloud Web Security Customer,

This is a notice to advise Cloud Web Security customers that we are currently experiencing an issue where customers are unable to visit any websites via any tower resulting in a DNS failure. We are working on a resolution, and will provide you with an update as soon as we have further details.

The only workaround at this time is to disable the Cloud Web Security service until service is restored.



Affected Region(s)
All

Affected Proxies
All



Should you require any assistance, please contact your local Cloud Web Security Support Team.

Best Regards,
Product Support
Cloud Web Security
Povl H.

71 Posts
Just an update.

We got an RCA from Cisco.
The issue was that the Scansafe domain had expired, and the provider pointed it to the malware-injecting proxy, aka parking site. So no breach of security took place at Cisco.

So Cisco defines that an expired domain, pointed to a 3rd-party site by the registrar, is NOT a security breach, no matter what the 3rd party inserts.
Povl H.

71 Posts
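The checks JAG ran by hand (dig against the listed authoritative nameserver, then WHOIS) and the expiry root cause in Povl H.'s update are exactly what a defender would automate for any third-party domain a product depends on. The script below is an added example; it is not code from this thread, from ISC, or from Cisco. It parses the dig answer and WHOIS lines pasted above (embedded here as constructed sample input), compares the A record against a hypothetical allowlist (`EXPECTED_A`, a documentation-range placeholder rather than a real address), flags a short TTL on an authoritative answer, and warns when the registrar expiration date is near. The thresholds and the allowlist are assumptions; nothing here touches the network.

```python
"""Offline watchdog for a critical third-party DNS dependency (added example).

Flags three things an operator wants to alarm on for a domain they rely on:
  * an A record outside the expected set,
  * a suspiciously short TTL on an answer from an authoritative server,
  * a registration that is close to its expiration date.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant lines of the dig answer posted in the thread.
SAMPLE_DIG = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
scansafe.net. 300 IN A 208.91.197.132
;; SERVER: 208.91.197.132#53(208.91.197.132)
"""

# Constructed sample: the relevant WHOIS lines from the same post.
SAMPLE_WHOIS = """\
Domain: scansafe.net
Registrar Registration Expiration Date: 2016-07-04T00:00:00Z
Updated Date: 2015-06-30T23:13:00Z
DNSSEC: Unsigned
"""

# Hypothetical allowlist of legitimate addresses for the dependency.
# RFC 5737 documentation range used as a placeholder, not a real Cisco address.
EXPECTED_A = {"198.51.100.10"}

A_RECORD = re.compile(
    r"^(?P<name>\S+)\.\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\d+\.\d+\.\d+\.\d+)$", re.M
)
EXPIRY = re.compile(r"^Registrar Registration Expiration Date:\s*(\S+)$", re.M)


def utc(year, month, day):
    """Build a timezone-aware UTC datetime for a calendar date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_a_records(dig_text):
    """Return [(name, ttl, address)] for every A record in the dig output."""
    return [(m["name"], int(m["ttl"]), m["addr"]) for m in A_RECORD.finditer(dig_text)]


def is_authoritative(dig_text):
    """True when the 'aa' flag is set, i.e. the answer came from a server that
    claims authority for the zone rather than from a resolver cache."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_text, re.M)
    return bool(m) and "aa" in m.group(1).split()


def parse_expiry(whois_text):
    """Return the registrar expiration date as an aware datetime, or None."""
    m = EXPIRY.search(whois_text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_dependency(dig_text, whois_text, expected, now, min_ttl=3600, expiry_warn_days=60):
    """Return a list of human-readable findings; an empty list means all clear.

    min_ttl and expiry_warn_days are assumed operator thresholds."""
    findings = []
    authoritative = is_authoritative(dig_text)
    for name, ttl, addr in parse_a_records(dig_text):
        if addr not in expected:
            findings.append(f"{name} resolves to unexpected address {addr}")
        # A short TTL is only meaningful from the authoritative server; a cache
        # legitimately reports the remaining lifetime of a record it holds.
        if authoritative and ttl < min_ttl:
            findings.append(f"{name} authoritative TTL {ttl}s is below {min_ttl}s")
    exp = parse_expiry(whois_text)
    if exp is None:
        findings.append("no registrar expiration date found in WHOIS")
    elif exp - now < timedelta(days=expiry_warn_days):
        findings.append(f"registration expires {exp.date()} (within {expiry_warn_days} days)")
    return findings


if __name__ == "__main__":
    for line in check_dependency(SAMPLE_DIG, SAMPLE_WHOIS, EXPECTED_A, utc(2015, 11, 13)):
        print("ALERT:", line)
```

Run against the pasted output with the incident date as "now", it reports the unexpected address and the 300-second authoritative TTL but stays quiet about expiry, since the WHOIS record already shows a renewal out to July 2016; moved to June 2016 it would also raise the expiry warning. In production the two sample strings would be replaced by the output of a scheduled dig against each listed nameserver and a WHOIS lookup, and the findings routed to whoever owns the dependency.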
Quoting JAG: It's not clear that things have been repaired.

Revilo

4 Posts
Quoting Povl H.: Just an update.

We got an RCA from Cisco.
The issue was that the Scansafe domain had expired, and the provider pointed it to the malware-injecting proxy, aka parking site. So no breach of security took place at Cisco.

So Cisco defines that an expired domain, pointed to a 3rd-party site by the registrar, is NOT a security breach, no matter what the 3rd party inserts.
Revilo

4 Posts
Quoting JAG: It's not clear that things have been repaired.

Revilo

4 Posts
I am part of the Cloud Web Security (CWS) team at Cisco.

CWS customers did face DNS resolution failures on November 12, which were quickly detected by our DC operations team and resolved within a couple of hours.

There was no DNS hijack or compromise of the CWS service in any way. The underlying domain expiration caused a redirect of the scansafe.com and scansafe.net domain requests to a parking IP address resulting in a temporary loss of connectivity for some customers. At no point was customer traffic redirected to third parties, and at no point was customer data or web traffic hijacked.

We shared details of this issue privately with our customers and have already taken remedial steps to prevent such an incident from occurring again.

Regards,
Cloud Web Security team
Revilo
1 Posts