1. DNS/Domain hijacking/Godaddy/Krebs
https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/
the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation.
Guilmette made a startling discovery: Virtually all of them had at one time received service from GoDaddy.com, a Scottsdale, Ariz.
Guilmette came to the conclusion that
the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies cloud providers and domain registrars that was first publicly detailed in 2016.
参考リンク:
The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean December 05, 2016
1.1. EARLY WARNING SIGNS
In August 2016, security researcher Matthew Bryant wrote about a weakness that could be used to hijack email service for 20,000 established domain names at a U.S. based hosting provider. A few months later, Bryant warned that the same technique could be leveraged to send spam from more than 120,000 trusted domains across multiple providers. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.
Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage.
hen someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.
The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:
“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”
virtualfirefox.com のケース (dormant 休眠中だった)
1.2. SAY WHAT?
For a more concrete example of what’s going on here, we’ll look at just one of the 4,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax.
Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.
The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time.
When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.
GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients.
To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com).
After that, the attackers simply claim ownership over the domain, and tell GoDaddy to allow the sending of email with that domain from an Internet address they control.
Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.
“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”
理由はここに:
According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.