751 Domains Hijacked to Redirect Traffic to Exploit Kits


On July 7, French domain registrar Gandi lost control over 751 customer domains, which had their DNS records altered to point incoming traffic to websites hosting exploit kits.

The domain hijacking was active for only a few hours, between 12:50 UTC and 13:30 UTC, although the altered DNS records of some domains propagated more slowly and those domains still redirected user traffic up until 18:02 UTC.

Attacker obtained one of Gandi’s passwords

In a report detailing the incident, Gandi’s staff say the hijack was possible because an attacker was able to get their hands on one of the passwords for a backend provided by one of Gandi’s technical partners.

The compromised credentials allowed Gandi’s staff and automated systems to connect to a backend and manage DNS details for 34 TLD extensions. The full list of affected TLDs includes:
.ASIA, .AT, .AU, .CAT, .CH, .CM, .CZ, .ES, .GR, .HK, .IM, .IT, .JP, .LA, .LI, .LT, .LV, .MG, .MS, .MU, .NL, .NU, .NZ, .PE, .PH, .PL, .RO, .RU, .SE, .SH, .SI, .SX, .UA, .XN--P1AI (.рф).

Gandi was adamant that they didn’t suffer a breach, and suspect that the technical partner was to blame.

“We strongly suspect they were obtained from an insecure connection to our technical partner’s web portal,” the Gandi team said, “the web platform in question allows access via http.”

Traffic redirected to exploit kits. Email traffic left alone.

Swiss cyber security firm SCRT was one of the affected entities whose domains were hijacked by the attacker. According to its own report, traffic from its domain was redirected to exploit kits. According to a report from SWITCH, the national domain registrar for Switzerland and Liechtenstein, hijacked traffic reached servers hosting the Neutrino and RIG exploit kits.

The attacker(s) also hijacked the DNS MX and SPF records used for email, although SCRT and Gandi say the attacker never set up servers to intercept any email messages. The domain hijacking event also broke incoming HTTPS traffic to the affected domains, since the redirected servers did not hold certificates for them.
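A defender-side check for exactly this kind of change, added here as an example and not code from Gandi, SCRT or SWITCH: it compares a trusted baseline of a zone's apex records (NS, A, MX and the SPF TXT record) against what is currently observed and reports every addition or removal. The domain, name servers and record values are constructed; in practice the observed set would come from a query to the zone's authoritative name servers.

```python
"""Detect registrar-level DNS drift (altered A, MX, SPF or NS records).

Added example, not Gandi's, SCRT's or SWITCH's code. Compares a baseline
snapshot of a zone's apex records with the records currently observed and
returns one alert per difference. Record values are normalised first so
that cosmetic differences (case, trailing dots) do not raise false alarms.
"""
from typing import Dict, List, Set

Records = Dict[str, Set[str]]   # record type -> set of record values


def normalise(rtype: str, value: str) -> str:
    """Case-fold names and collapse whitespace; keep SPF mechanism order."""
    value = " ".join(value.split())
    if rtype == "TXT" and value.lower().startswith("v=spf1"):
        # SPF mechanisms are evaluated left to right, so order is preserved.
        return " ".join(m.lower() for m in value.split())
    if rtype in ("NS", "MX"):
        return value.lower().rstrip(".")
    return value


def diff_zone(baseline: Records, observed: Records) -> List[str]:
    """Return one alert line per record removed from or added to the zone."""
    alerts: List[str] = []
    for rtype in sorted(set(baseline) | set(observed)):
        base = {normalise(rtype, v) for v in baseline.get(rtype, set())}
        seen = {normalise(rtype, v) for v in observed.get(rtype, set())}
        alerts += [f"{rtype} removed: {v}" for v in sorted(base - seen)]
        alerts += [f"{rtype} added: {v}" for v in sorted(seen - base)]
    return alerts


# Constructed baseline and observed snapshots for a hypothetical example.com.
BASELINE: Records = {
    "NS":  {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A":   {"192.0.2.10"},
    "MX":  {"10 mail.example.com."},
    "TXT": {"v=spf1 mx -all"},
}
OBSERVED: Records = {
    "NS":  {"NS1.example-dns.net.", "ns2.example-dns.net."},  # same, only case
    "A":   {"198.51.100.77"},                                  # web traffic moved
    "MX":  {"10 MAIL.example.com.", "5 mx.example.net."},      # extra mail host
    "TXT": {"v=spf1 ip4:198.51.100.0/24 -all"},                # SPF rewritten
}

if __name__ == "__main__":
    for line in diff_zone(BASELINE, OBSERVED):
        print(line)
```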

Following the incident, Gandi reset all passwords for all the accounts it uses to manage TLD entries at country and domain-specific registrars.

Last week, a security researcher discovered that he could have hijacked all .IO domains just by registering a crucial .IO domain.

In April, security researchers from Kaspersky revealed that on October 22, 2016, an unknown attacker had hijacked the DNS records for all of a Brazilian bank’s domains in order to steal login credentials from its customers.