Last week, InfoWorld reported on the hacking of a large Brazilian bank that compromised some 5 million customers worldwide. The bank, which InfoWorld did not identify, has $25 billion in global assets, 12,000 employees, 1,000 endpoints, and 500 branch locations in Brazil, Argentina, the United States, and the Cayman Islands.
Following is how the attack unfolded:
In the fall of 2016, the hackers gained access to the bank’s DNS, ultimately making changes to all 36 of its online properties. According to InfoWorld, the group first changed the DNS records, rerouting all users to a destination other than the actual server even though the users were entering the correct web address; the group sent the bank’s customers to near-perfect copies of the bank’s sites hosted on a major global cloud provider.
While it originally appeared that the hack was a site-hijacking-and-phishing operation, it soon became clear that the attackers were interested in more than harvesting login credentials and downloading malware – they had taken over the bank’s entire internet presence. The hackers connected to the bank’s online banking, mobile app, point-of-sale terminals, ATMs, and investment transactions. By rerouting the ATM and point-of-sale systems – made possible, of course, by their ability to control and change the bank’s DNS credentials – the group collected payment card details for every customer who used a credit or debit card during the attack window. Customers were infected with malware that stole login information and email contact lists, and the attackers phished credentials from everyone logging into the online banking application.
According to InfoWorld, it took five to six hours for the bank’s security team to regain control. Even worse, the bank couldn’t notify its customers of the attacks because the attackers controlled the domains used by the bank’s email and FTP servers. The article reported that employees couldn’t even communicate with each other.
I asked Chris Baker, Principal of Threat Intelligence at Oracle Dyn, to dig a little deeper into this attack. He noted that access controls focused on domain registration components are often overlooked. “From a CISO perspective, ensuring the access controls and internal security policies offered by your registry services provider is critical to understanding risk exposure.”
“Once control is lost, the impact of the exploit is a function of attackers’ DNS knowledge. Some knowingly set very long TTLs on records – the goal being to ensure that they make the most of their access. Longer TTLs create a race to flush resolver caches. Understanding your user base and what resolvers they use is key to correcting long TTL in the cache issues,” he explained.
This attack is a worst-case scenario for any financial institution, but also one that highlights the very large vulnerability for organizations that do not have best-in-class DNS. And attacks of this nature happen more regularly than most technology execs might think. In fact, The New York Times was famously taken offline by a similar attack in 2013.
So how could this attack have been completely avoided?
Monitor and Control Your DNS
At Oracle Dyn, we have been educating about the importance of monitoring and controlling DNS for years. Without firm control over your organization’s online properties, and without a clear way to monitor for BGP hijacks and network intrusions, your business – and your customers – will be vulnerable to hacks like those described above. Dyn DNS monitors your DNS and your internet connection points, and it also lets businesses control their DNS directly and re-route network traffic based on real-time issues, whether performance-related or otherwise.
Secure registrar and management access, and restrict changes (via ACL) to corporate netblocks. Also, set your TTLs deliberately and keep control over each one by monitoring your core names and alerting on them: if a TTL changes beyond what you know you use, or if records are added outside the change windows you have specified, you will always know why (or know there is an issue).
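As an added example of the monitoring just described (this is not Oracle Dyn's code or product), the following Python audit compares a snapshot of what the authoritative servers answer against a baseline you maintain for your core names: expected records, expected TTLs and approved change windows. Both the baseline and the snapshot are constructed sample data so the check runs offline; in the sample the www name has been repointed with a week-long TTL and an unexpected ftp name has appeared, which is the shape of the change this post is warning about.

```python
"""Baseline-versus-snapshot audit of core DNS names (added example).

Not Oracle Dyn's code. Assumes you keep a baseline of the records, TTLs and
approved change windows for your core names and periodically snapshot what the
authoritative servers answer. A real deployment would take the snapshot from a
resolver library; here baseline and snapshot are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int


@dataclass
class Baseline:
    records: set          # expected (name, rtype, value) triples
    expected_ttl: dict    # (name, rtype) -> TTL you know you use; above it is a violation
    change_windows: list  # approved (start, end) pairs, timezone-aware UTC datetimes


def in_change_window(when, windows):
    """True if `when` falls inside any approved change window."""
    return any(start <= when <= end for start, end in windows)


def audit_snapshot(baseline, observed, observed_at):
    """Return (severity, kind, detail) alerts for a snapshot taken at `observed_at`.

    A TTL above the expected value is always HIGH: a rogue record with a long
    TTL keeps serving from resolver caches long after the zone is corrected.
    Records added or removed outside a change window are HIGH; inside a window
    they are reported as INFO so they can be reconciled against the change log.
    """
    alerts = []
    in_window = in_change_window(observed_at, baseline.change_windows)
    change_sev, change_kind = (("INFO", "CHANGE_IN_WINDOW") if in_window
                               else ("HIGH", "UNEXPECTED_RECORD"))
    seen = set()
    for rec in observed:
        key = (rec.name, rec.rtype, rec.value)
        seen.add(key)
        expected = baseline.expected_ttl.get((rec.name, rec.rtype))
        if expected is not None and rec.ttl > expected:
            alerts.append(("HIGH", "TTL_EXCEEDED",
                           f"{rec.name} {rec.rtype} ttl={rec.ttl} expected<={expected}"))
        if key not in baseline.records:
            alerts.append((change_sev, change_kind, f"added {rec.name} {rec.rtype} {rec.value}"))
    for name, rtype, value in sorted(baseline.records - seen):
        alerts.append((change_sev, change_kind, f"removed {name} {rtype} {value}"))
    return alerts


def build_sample():
    """Constructed sample data: baseline plus a snapshot where www was repointed
    with a 7-day TTL and an ftp name not in the baseline has appeared."""
    baseline = Baseline(
        records={
            ("www.bank.example", "A", "203.0.113.10"),
            ("bank.example", "MX", "10 mail.bank.example."),
            ("bank.example", "NS", "ns1.provider-a.example."),
            ("bank.example", "NS", "ns2.provider-b.example."),
        },
        expected_ttl={
            ("www.bank.example", "A"): 300,
            ("bank.example", "MX"): 3600,
            ("bank.example", "NS"): 86400,
        },
        change_windows=[(datetime(2016, 10, 1, 2, 0, tzinfo=timezone.utc),
                         datetime(2016, 10, 1, 4, 0, tzinfo=timezone.utc))],
    )
    observed = [
        Record("www.bank.example", "A", "198.51.100.77", 604800),  # repointed, long TTL
        Record("ftp.bank.example", "A", "198.51.100.78", 604800),  # name not in baseline
        Record("bank.example", "MX", "10 mail.bank.example.", 3600),
        Record("bank.example", "NS", "ns1.provider-a.example.", 86400),
        Record("bank.example", "NS", "ns2.provider-b.example.", 86400),
    ]
    return baseline, observed


def run_sample(during_change_window=False):
    """Audit the constructed snapshot at a time outside (default) or inside the window."""
    baseline, observed = build_sample()
    when = (datetime(2016, 10, 1, 3, 0, tzinfo=timezone.utc) if during_change_window
            else datetime(2016, 10, 22, 15, 0, tzinfo=timezone.utc))
    return audit_snapshot(baseline, observed, when)


if __name__ == "__main__":
    for sev, kind, detail in run_sample():
        print(f"[{sev}] {kind}: {detail}")
```

Run as a script it prints four HIGH alerts: the TTL violation on www, the two added records, and the removal of the legitimate www address. The TTL check is deliberately kept HIGH even inside a change window, because the 604800-second TTL in the sample is exactly the kind of value Chris Baker describes attackers setting to prolong the effect of a hijack.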
Use Multiple DNS Providers
Despite being the best DNS provider in the world, we never recommend using just one DNS provider. Not only can using a single DNS provider leave your business vulnerable in the event of a DDoS attack, or to the other slowdowns and outages that are common occurrences on the internet, but having only one DNS provider also leaves your business open to route hijacks that would be detected and mitigated by using multiple providers.
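As an added example of what "multiple providers" buys you operationally (not Oracle Dyn's code or product), the Python below does two checks a defender would script: it groups a zone's NS set by operator to confirm more than one provider is actually delegated, and it compares the answer each source gives for a core name so that a single provider serving a divergent record stands out. The provider-grouping heuristic (last two labels of the NS hostname) and the sample NS set and answers are constructed assumptions for this example.

```python
"""Multi-provider DNS redundancy and consistency checks (added example).

Not Oracle Dyn's code. Assumes you can obtain your zone's NS set and the
answer each authoritative source returns for a core name; the data below is
constructed sample input so the checks run offline.
"""
from collections import Counter


def provider_of(ns_host):
    """Group a nameserver hostname by operator using its last two labels.

    A heuristic assumed for this example; real deployments should use a
    public-suffix aware parser or an explicit nameserver-to-provider map.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def distinct_providers(ns_hosts):
    """Sorted list of distinct operators behind a zone's NS set."""
    return sorted({provider_of(h) for h in ns_hosts})


def has_provider_redundancy(ns_hosts, minimum=2):
    """True when the delegation spans at least `minimum` distinct operators."""
    return len(distinct_providers(ns_hosts)) >= minimum


def divergent_sources(answers):
    """Return the sources whose answer differs from the strict majority.

    `answers` maps a source label (a provider, or your own zone master) to the
    set of values it returned for one name/type. With no strict majority every
    source is returned, because a split view is itself the alarm.
    """
    tallies = Counter(frozenset(v) for v in answers.values())
    top_set, top_count = tallies.most_common(1)[0]
    if top_count * 2 <= len(answers):
        return sorted(answers)
    return sorted(src for src, v in answers.items() if frozenset(v) != top_set)


# Constructed sample: a zone delegated to two operators, and a www answer on
# which one of them has diverged from the zone master and the other provider.
SAMPLE_NS = [
    "ns1.provider-a.example.", "ns2.provider-a.example.",
    "ns1.provider-b.example.", "ns2.provider-b.example.",
]
SAMPLE_ANSWERS = {
    "zone-master": {"203.0.113.10"},
    "provider-a.example": {"198.51.100.77"},
    "provider-b.example": {"203.0.113.10"},
}


def run_sample():
    """Run both checks on the constructed sample and return the findings."""
    return {
        "providers": distinct_providers(SAMPLE_NS),
        "redundant": has_provider_redundancy(SAMPLE_NS),
        "divergent": divergent_sources(SAMPLE_ANSWERS),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

With only one provider the second check degenerates: there is nothing independent to compare the served answer against, which is the gap the paragraph above describes. The zone master is included as a source so that even a two-provider setup has a tie-breaker.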