Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: DNS servers hijacked in the Netherlands - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DNS servers hijacked in the Netherlands
Earlier this week reports started to appear that the DNS of several webhosting companies in the Netherlands had been hijacked and those using the services were being redirected to malware sites, notably blackhole. 
 
According to the notification by the provider (http://noc.digitalus.nl/dashboard/136/Storing-DNS-servers) requests were being forwarded to external name servers. The issue was picked up relatively quickly. According to Digitalus and other reports SIDN, the Foundation for Internet Domain Registration in the Netherlands suffered a breach which affected the domain name registration systems.  The change was made at 0330 and the zone fully recovered by 0800, but that did mean that those who had already erroneously resolved the malicious domains would retain those records for a typical 24 hours. Whilst the provider is still investigating, at the moment there is no additional information available. It is not yet clear how the initial change was made.  the result however is still being felt by a number of their customers.  
 
Webstekker was another organisation affected by the same issue, however their notificatino states that the issue lies at VD (http://www.webstekker.nl/over-ons/nieuws/2013/augustus/19/berichtgeving-dns-redirect-onjuist - In Dutch). VDS, the third party points the finger at SIDN.  Interestingly SIDN states that it is an "annoying issue" and they are working with the registrars to identify the cause.  (https://www.sidn.nl/nieuws/nieuwsbericht/article/sidn-ondersteunt-onderzoek-naar-incident-bij-een-van-haar-registrars/ - In Dutch). 
 
FOX-IT wrote up an analysis of the resulting attack here http://blog.fox-it.com/2013/08/05/dns-takeover-redirects-thousands-of-websites-to-malware/
 
Looking through some other articles it looks like SIDN identified a possible breach back in July (https://www.sidn.nl/en/news/news/article/preventieve-maatregelen-genomen-2/ - In Dutch)  Whilst contained, in my view based on the incident this week, I'm guessing that the whole issue may not have been identified at the time and addressed. DNS.be had a similar defacement issue on their site at about the same time, however their front end systems do not have access to backend systems, according to their notification (http://www.dns.be/en/news/recent_news/deface-hack-on-dnsbe-website2#.UgLiRD7bprh). 
 
These issues show that attackers are not shy about going after the critical infrastrucutre components on the net. Something we all need to keep in mind. 
 
Mark H
Mark

391 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!