1. DNS/hijacking/KrebsonSecurity

Contents

  1. DNS/hijacking/KrebsonSecurity
  2. SAY WHAT?

18 Feb 19 A Deep Dive on the Recent Widespread DNS Hijacking Attacks https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

他者のドメイン名を騙って/メイル送信するのは難しいことではなさそうだ。

ここに書いてあることのどこまでが真実なのか。 -- ToshinoriMaeno 2019-03-21 12:52:49

管理不良のドメイン名がハイジャックされて、spam送信に使われたということのようだ。

管理されていないドメインがGoDaddy.com のNSを指したまま放置されていた。 (その時にはGoDaddyにはゾーンはなかったと推測)

第三者に登録されて、レコードを作られたということだと理解しました。

(さくらは現在はこのような利用を許していない。と思い込んでいたが、間違いだと判明する。) 😍 -- ToshinoriMaeno 2019-03-22 02:14:30

https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/

22 Jan 19 Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

大量のspamが有名サイト名から送られた。

Virtually all of them had at one time received service from GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.

(仮説) thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about a weakness that could be used to hijack email service for 20,000 established domain names at a U.S. based hosting provider. A few months later, Bryant warned that the same technique could be leveraged to send spam from more than 120,000 trusted domains across multiple providers. 

When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.

The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. 

Here’s what Bryant wrote about the threat back in 2016:

“In addition to the hijacked domains often having past history and a long age, they also have 
  WHOIS information which points to real people unrelated to the person carrying out the attack. 
Now if an attacker launches a malware campaign using these domains, 
it will be harder to pinpoint who/what is carrying out the attack
since the domains would all appear to be just regular domains with no observable pattern 
other than the fact that they all use cloud DNS. 
It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”

2. SAY WHAT?

For a more concrete example of what’s going on here, 
we’ll look at just one of the 4,000+ domains that Guilmette found were used 
in the Dec. 13, 2018 bomb threat hoax. 
Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla orporation, 
a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.

The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.

GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers 
to serve the needs of its clients. 
To hijack this domain, the attackers in the December 2018 spam campaign needed
only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). 

=======================================================================================================
After that, the attackers simply claim ownership over the domain, 
and tell GoDaddy to allow the sending of email with that domain from an Internet address they control.
=======================================================================================================

Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.
                              ----------------------------------------------------------------------
“This oversight created a state where the DNS pointed to a server controlled by a third party,
 leaving it vulnerable to misuse,” Canale said.
“We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”

According to both Guilmette and Bryant, this type of hijack is possible because 
GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.