DNS Infrastructure Hijacking Campaign
The National Cybersecurity and Communications Integration Center (NCCIC) has identified a global Domain Name System (DNS) infrastructure hijacking campaign. Attackers exploit compromised credentials to alter an organization’s DNS records, rerouting user traffic. This redirection allows them to intercept and inspect network traffic destined for legitimate services. A critical aspect of this attack is the attacker's ability to obtain valid encryption certificates for the targeted domain names. These valid certificates enable man-in-the-middle attacks by allowing decryption of traffic without raising user warnings. The campaign leverages compromised credentials to modify DNS records like A, MX, and NS. Organizations are advised to update passwords for accounts managing DNS records. Implementing multifactor authentication for domain registrar accounts is also a crucial mitigation. Regular auditing of public DNS records to confirm correct resolution is recommended. Finally, it is important to search for and revoke any fraudulently issued encryption certificates.