SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


Leave a comment

Attacks on DNS continue, targets are also in Switzerland

Attacks on the domain name system continue

Talos, the intelligence group of CISCO reported in their blog that their monitoring shows that attacks on the domain name system (DNS) by “Sea Turtle” continue.  The attack technique used is similar than before, the actors compromise name server records to take ownership of the domain. They then provide false information to selected parties (e.g certificate authorities, mail users) which leads to the disclosure of email credentials of the targeted organisations. These credentials give initial access to the victims E-mails accounts and other resources and are a starting point for further attacks.

Victims in Switzerland

For the first time, Talos also reported victims in Switzerland.

Geographic Location of Sea Turtle Victims by Talos

While Talos didn’t disclose the targeted organizations they identified these groups as primary targets:

  • Government organizations
  • Energy companies
  • Think tanks
  • International non-governmental organizations
  • At least one airport

Continue reading


1 Comment

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System

Cyber attacks on the DNS system are not new. Cache poisoning, Domain Hijacking and BGP injections of routes to public DNS resolvers happen regularly, but they usually don’t get much attention as they target the Internet’s core infrastructure and are not directly visible to end users in most cases. This time it was different. The recent widespread DNS hijacking attacks on several Mid East, North African and European and North American governments and infrastructure providers, published by Ciscos Talos showed that DNS attacks are a real threat to cyber security. Netnod, one of the affected infrastructure providers issued a statement, that called, amongst other domain security mechanisms, for the implementation of the DNS Security Extensions (DNSSEC).

The analysis of these attacks also convinced the Internet Corporation for Assigned Names and Numbers (ICANN) that there is an ongoing and significant risk to key parts of the System (DNS) infrastructure. ICANN issued a call for “Full DNSSEC Deployment to Protect the Internet” across all unsecured domain names.

The question is if  these attacks and the awareness that DNSSEC is an absolute essential base layer protection for domain names had some effects on the Implementation of DNSSEC Switzerland?

More DNSSEC signed domain names

As a ccTLD operator SWITCH publishes the number of DNSSEC signed .ch and .li domain names every month. While the number of signed domain names is still very low at around 3-4% we see a rise in the numbers of signed domain names for two years now.

DNSSEC signed .ch domain names 1.4.2019

Continue reading


Additional DNSSEC Training with PowerDNS on May 7 and 8

We announced 3 one day DNS trainings in the end of February and all three trainings where fully booked within 24 hours. We are happy to see so much demand for DNSSEC in Switzerland.
We managed to add two more dates for the DNSSEC training together with PowerDNS
The training will be given at the following dates in Zurich:

7.5. Zurich, SWITCH
8.5. Zurich, SWITCH

The one day training will give you an introduction into DNSSEC and show you how to sign DNS zones on an autoritative DNS server.
We will use PowerDNS for the practical and hands on part. PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, with minimal administrative overhead.

Agenda:

• Short introduction to DNSSEC
• how DNSSEC works
• keys / signatures / NSEC / NSEC3
• Working with DNSSEC and the PowerDNS Authoritative server
• Short overview over PowerDNS Authoritative server backends (MySQL, PostgreSQL, BIND, pipe, …)
• DNSSEC signing
• Pre-signed zones
• CDS
• Zone transfers
• Utilities (pdnsutil)
• The PowerDNS ALIAS record (and its future)

Required skills: Unix system administrator skills and DNS server know how.The training will be delivered in english.

More information and registration here:

https://www.eventbrite.com/e/dnssec-training-zurich-may-7-tickets-44474772241
https://www.eventbrite.com/e/dnssec-training-zurich-may-8-tickets-44474795310


5 Comments

DNSSEC training with PowerDNS in Switzerland

SWITCH is organising a one day DNSSEC training together with PowerDNS

The training will be given at the following dates:

9.4. Zurich, SWITCH
10.4. Bern, Uni
11.4. Carouge HESGE

The one day training will give you an introduction into DNSSEC and show you how to sign DNS zones on an autoritative DNS server.
We will use PowerDNS for the practical and hands on part. PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, with minimal administrative overhead.

Agenda:

• Short introduction to DNSSEC
• how DNSSEC works
• keys / signatures / NSEC / NSEC3
• Working with DNSSEC and the PowerDNS Authoritative server
• Short overview over PowerDNS Authoritative server backends (MySQL, PostgreSQL, BIND, pipe, …)
• DNSSEC signing
• Pre-signed zones
• Zone transfers
• Utilities (pdnsutil)
• The PowerDNS ALIAS record (and its future)

Required skills: Unix system administrator skills and DNS server know how.The training will be delivered in english.

More information and registration here:

Zurich: https://www.eventbrite.com/e/dnssec-training-zurich-tickets-43350331007
Bern: https://www.eventbrite.com/e/dnssec-training-bern-tickets-43592055010
Carouge: https://www.eventbrite.com/e/dnssec-training-carouge-tickets-43592840359

Update 28.2.2018: All three trainings are fully booked after only 24 hours. We are happy to see so much interest in DNSSEC in Switzerland. Waitlist is now open.


16 Comments

94 .ch & .li domain names hijacked and used for drive-by

A Swiss domain holder called us today telling us that the .ch zone points to the wrong name servers for his domain.

The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the only domain that had unauthorized changes. We identified 93 additional .ch and .li domain names that pointed to the two rogue name servers. While domain hijacking by pointing to a rogue NS is a known attack,  94 domains on a single day is very unusual. So we analyzed what the hijacked domains were used for and soon found out that they are used to infect internet users with malware.

Visitors to the hijacked domains were redirected to the Keitaro TDS (traffic distribution system):

hXXp://46.183.219[.]227/VWcjj6

A TDS decides where to redirect the visitor to, often depending on its IP address (i.e. country),
user agent and operating system.

A dead end may look like the following:

hXXp//46.183.219[.]227/favicon.ico
hXXp://46.183.219[.]227/www.bingo.com

And the visitor will be redirected to Google.

However, in some cases, the visitor is redirected to the Rig Exploit Kit:

hXXp://188.225.87[.]223/?doctor&news=...&;money=...&cars=236&medicine=3848
hXXp://188.225.87[.]223/?health&news=...
...

And the visitor gets infected.

The payload is Neutrino Bot:

MD5: a32f3d0a71a16a461ad94c5bee695988
SHA256: 492081097c78d784be3996d3b823a660f52e0632410ffb2a2a225bd1ec60973d).

It gets in touch with its command and control server and grabs additional modules:

hXXp://poer23[.]tk/tasks.php
hXXp://poer23[.]tk/modules/nn_grabber_x32.dll
hXXp://poer23[.]tk/modules/nn_grabber_x64.dll

A little later, it also gets an update

hXXp//www.araop[.]tk/test.exe

MD5: 7c2864ce7aa0fff3f53fa191c2e63b59
SHA256: c1d60c9fff65bbd0e3156a249ad91873f1719986945f50759b3479a258969b38)

Status

The rogue NS were inserted in the .ch zone file at around 13:00 today. The registrar discovered soon what happened and rolled back the unauthorized changes. At 16:00 all of the changes in the .ch & .li zone were reverted and the NS records pointed to the legitimate name servers again.

[Update 10.7.17 17:15]

Gandi the registrar of the 94 domain names has written a blog post, as well as SCRT the domain holder that initially informed us about the domain name hijacking of scrt.ch. SCRT also showed how Strict Transport Security protected their recurring visitors from being redirected to the bogus website!


1 Comment

DNSSEC Signing for .ch and .li on the Rise

The share of DNSSEC signed domain names in .ch and .li reached 1% for the first time in June 2017. While this is still a very low number compared to other ccTLDs, the number of DNSSEC signed domain names is increasing at a high rate for the last two quarters.

DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a set of technologies that secures the origin authentication and data integrity of the Domain Name System. It allows to detect DNS records that have been modified on the way from the authoritative name server to the client using a domain name. This helps to protect Internet users from going to bogus websites.

In addition from protecting Internet users from cybercriminals and state sponsored actors, DNSSEC is the base for important standards such as DNS-based Authentication of Named Entities (DANE).

DNSSEC in .ch and .li

DNSSEC was enabled for the .ch and .li zones in 2010 but unfortunately received a slow adaptation by domain holders. From 2013 there was a slow but steady growth of domain names signed with DNSSEC. In November 2016 we noticed a increased rate of DNSSEC signed domain names that accelerated in April 2017.

From now on SWITCH will publish statistics about the number of signed domain names for both ccTLDs .ch and .li on the nic.ch and nic.li website.

DNSSEC Signed Domain Names in .ch   DNSSEC Signed Domain Names in .li
Continue reading


6 Comments

Usage of .ch domain names for spamming malware Tofsee stopped

It is rare that a malware family uses .ch or .li domain names in their domain name generation algorithm (DGA). The last time I remember, that we had to take action against a malware using .ch or .li domain names was about 8 years ago. It was Conficker that infected millions of computers worldwide. The malware was generating about 500 .ch and .li domains a day to be potentially used as a command and control server. By then SWITCH joined the conficker working group to prevent the use of domain names by this malware.

Since then we have been watching the use of .ch and .li domain names in malware DGAs and prepared for this by making an agreement with the Registrar of Last Resort (RoLR) to prevent the registration of domain names used in DGA algorithms of malware.

This week the Swiss Govermental Computer Emergency Response Team (GovCERT) informed us about the malware Tofsee using .ch as one of the TLDs in its DGA. Continue reading