"Global DNS Hijacking Campaign: DNS Record Manipulation at Scale"

The title is a bit wrong, though. It is not DNS hijacking; this is hijacking through DNS record manipulation. At any rate, interesting report.
> The attacker logs into the DNS provider’s administration panel, utilising previously compromised credentials.

> This time, however, the attacker exploits a previously compromised registrar or ccTLD.

This is not DNS hijacking. I would consider that to be some massive MITM and DNS cache poisoning operation, probably with BGP hijacking too. This ... this is just terrible opsec being abused.

@feld That was my point, yes :)
The thing is, "cache poisoning" is heavily connoted, and is generally used to designate an attack that is almost nonexistent in the wild.
These "Iranian" attackers were simply serving fake records :)
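The quoted excerpts describe the attacker changing records at the provider, registrar or ccTLD rather than poisoning resolver caches, which means the tampered records are visible to anyone who queries the authoritative servers. A practical defensive check is therefore a baseline diff of the zone's authoritative answers. The script below is an added example, not code from the thread or from the cited report; the zone name, name servers and addresses are constructed placeholders (documentation ranges), and the observed answer lines are shaped like `dig +noall +answer` output so a real feed could be dropped in.

```python
"""
Added example: detect DNS record manipulation by diffing a zone's current
authoritative answers against a trusted baseline. All data below is
constructed; example.com and the 192.0.2.x / 198.51.100.x addresses are
documentation placeholders, not real infrastructure.
"""
from __future__ import annotations

from typing import Iterable, NamedTuple


class Record(NamedTuple):
    name: str    # owner name, e.g. "example.com."
    rtype: str   # record type, e.g. "A", "NS", "MX"
    value: str   # rdata as text; MX keeps its preference ("10 mail.example.com.")


# How serious an unexpected change is, by record type. A changed NS set
# hands the whole zone to whoever runs the new servers; A/AAAA/MX/CNAME
# changes redirect traffic or mail for a single name.
SEVERITY = {
    "NS": "critical",
    "A": "high",
    "AAAA": "high",
    "MX": "high",
    "CNAME": "high",
    "TXT": "medium",
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed baseline: the records the zone owner expects to see.
BASELINE: frozenset[Record] = frozenset({
    Record("example.com.", "NS", "ns1.example-dns.net."),
    Record("example.com.", "NS", "ns2.example-dns.net."),
    Record("example.com.", "A", "192.0.2.10"),
    Record("mail.example.com.", "A", "192.0.2.25"),
    Record("example.com.", "MX", "10 mail.example.com."),
})

# Constructed "current" answers in dig +noall +answer layout:
#   <name> <ttl> IN <type> <rdata...>
# The A record for the apex has been pointed somewhere else.
OBSERVED_ANSWER = """
example.com.        300 IN NS ns1.example-dns.net.
example.com.        300 IN NS ns2.example-dns.net.
example.com.        300 IN A  198.51.100.7
mail.example.com.   300 IN A  192.0.2.25
example.com.        300 IN MX 10 mail.example.com.
""".splitlines()


def parse_answer_lines(lines: Iterable[str]) -> set[Record]:
    """Parse dig-style answer lines into a set of Records. TTLs are ignored
    on purpose: a TTL change alone is not evidence of tampering."""
    records: set[Record] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":  # not an answer line we understand
            continue
        name, _ttl, _cls, rtype, *rdata = parts
        records.add(Record(name, rtype.upper(), " ".join(rdata)))
    return records


def diff_zone(baseline: frozenset[Record] | set[Record],
              observed: set[Record]) -> tuple[set[Record], set[Record]]:
    """Return (added, removed) relative to the baseline."""
    return set(observed) - set(baseline), set(baseline) - set(observed)


def alerts_for(baseline: frozenset[Record] | set[Record],
               observed: set[Record]) -> list[dict]:
    """One alert per unexpected record, tagged with a severity."""
    added, removed = diff_zone(baseline, observed)
    alerts = []
    for change, recs in (("removed", removed), ("added", added)):
        for rec in sorted(recs):
            alerts.append({
                "change": change,
                "record": rec,
                "severity": SEVERITY.get(rec.rtype, "low"),
            })
    return alerts


def highest_severity(alerts: list[dict]) -> str | None:
    """Worst severity among the alerts, or None when the zone matches."""
    if not alerts:
        return None
    return max((a["severity"] for a in alerts), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    current = parse_answer_lines(OBSERVED_ANSWER)
    for alert in alerts_for(BASELINE, current):
        r = alert["record"]
        print(f"[{alert['severity']}] {alert['change']}: {r.name} {r.rtype} {r.value}")
    print("worst:", highest_severity(alerts_for(BASELINE, current)))
```

Run it on a schedule against answers fetched directly from the zone's authoritative servers (not through a recursive resolver) and compare the NS set at the parent as well as at the child, since the registrar and ccTLD paths quoted above change delegation at the parent first. Any alert on NS records deserves a manual check of the registrar and DNS-provider accounts, which is where the compromised credentials in the report were used.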

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.