RSS

751 Domains Managed by Gandi Hijacked to Serve up Malware

Sun, 16th July 2017, 14:10

Domain registrar Gandi has admitted that more at least 751 domain names were hijacked late last week after an unknown individual managed to get hold of the company's login details for one of its technical providers.

The changes went unnoticed for a number of hours hours until one the registry operators reported the suspicious changes to Gandi. Within an hour, Gandi's technical team identified the problem, changed all the logins and started reverting the changes made – a process that took three-and-a-half hours, according to the company's incident report.

Gandi is adamantly stating that the attack did not involve any breach of their databases or back end nor did it involve a breach of the technical partner’s infrastructure.

The attacker was able to make the changes by accessing the web portal of our technical partner using our login credentials, which they obtained surreptitiously. These credentials were "likewise not obtained by a breach of our systems and we strongly suspect they were obtained from an insecure connection to our technical partner’s web portal" (the web platform in question allows access via http).

Gandi stated that taking into account the delay in name server provisioning at the individual registries in question and the TTLs of the relevant DNS zones, the unauthorized changes were in place at the most for 8 to 11 hours.

The attack

One of the domains impacted by the attack was Swiss information security company SCRT. The company in a blog post about the incident provided a more concise explanation of where the attacker was able to manipulate the process while stating that they still haven’t received any news from Gandi as to what made all of this possible in the first place.

The domain scrt.ch is registered at Gandi where we configure the IP addresses of our name servers. Gandi is responsible for propagating this information to nic.ch, enabling the resolution for our domain scrt.ch globally.

Last Friday, an attacker was able to compromise a technical provider used by Gandi to communicate with various TLD registries. This compromise allowed him to request changes to registries, including nic.ch, to modify the name server information for several domains, including ours.

At this point, a rogue DNS server was introduced in the DNS resolution path. Looking at the DNS resolution process described above, the hijack happened where nic.ch was providing the rogue DNS server instead of the valid one to any resolver, allowing the attacker to redirect any requests for impacted domains to IP addresses owned by the attacker himself.

SCRT also noted that all of its emails were redirected during the attack, but fortunately whoever carried out the attack did not set up email servers to grab them. They also stated that only visitors who had never visited their site where affected as prior visitors as HTTP Strict-Transport-Security would have forced their browser to use a valid HTTPS, which the attacker could not emulate resulting in a connection error.

Gandi manages more than 2.1 million domain names across 730 TLDs, spanning some 200+ registries.