https://arstechnica.com/information-technology/2019/04/state-sponsored-domain-hijacking-op-targets-40-organizations-in-13-countries/
By Dan Goodin
Ars Technica
4/17/2019
The wave of domain hijacking attacks besetting the Internet over the past few
months is worse than previously thought, according to a new report that says
state-sponsored actors have continued to brazenly target key infrastructure
despite growing awareness of the operation.
The report was published Wednesday by Cisco’s Talos security group. It
indicates that three weeks ago, the hijacking campaign targeted the domain of
Sweden-based consulting firm Cafax. Cafax’s only listed consultant is
Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS
provider. Netnod is also the operator of i.root, one of the Internet’s
foundational 13 DNS root servers. Liman is listed as being responsible for the
i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in
December and January in a campaign aimed at capturing credentials. The Cisco
report assessed with high confidence that Cafax was targeted in an attempt to
re-establish access to Netnod infrastructure.
Reverse DNS records show that in late March nsd.cafax.com resolved to a
malicious IP address controlled by the attackers. NSD is often used to
abbreviate Name Server Daemon, an open-source app for managing DNS servers. It
looks unlikely that the attackers succeeded in actually compromising Cafax,
although it wasn't possible to rule out the possibility.
"I've also seen attributions to this name," Liman told Ars, referring to
nsd.cafax.com. "The strange thing is that that name doesn't exist. There is,
and, as far as I can remember, has never been, such a name in the legitimate
cafax.se domain." He said the techniques involved in the March attack are
consistent with the Netnod hijacking. Asked how the March attack affected Cafax
customers, Liman wrote: "I don't know. I was not in a position to observe
things as they happened, so I don't know what the black hats did."
[...]