MyBroadband
Websites which primarily use a .ZA address may be at risk of domain hijacking attacks due to the convoluted transitive trust and domain name system (DNS) dependency hierarchies of the .ZA domain space.
Reports published by Cisco, FireEye, and Crowdstrike have highlighted an extensive domain hijacking campaign in Northern Africa and the Middle East.
According to the reports, attackers hijacked domains by changing their DNS records. The reports also stated that it is likely the attackers were entities sanctioned by at least one nation-state. Iran is the suspected source of the attack.
A detailed summary of the attacks may be found at Krebs On Security, which found that two large Internet organisations were compromised to execute the attacks.
Krebs confirmed with Netnod in Sweden and Packet Clearing House (PCH) in California that the attackers had compromised parts of their DNS infrastructure to hijack domains all over the Middle East and North Africa.
Domains were compromised in Jordan, the United Arab Emirates, Saudi Arabia, Iraq, Egypt, and Lebanon.
After redirecting traffic destined for the hijacked domains via servers under their control, the attackers launched spear phishing campaigns against various government entities in the targeted countries.
Email passwords and other data belonging to governments and private companies were taken. Krebs said that a “huge volume” of sensitive data was compromised.
Following the attacks, Verisign explained how “transitive trust” between DNS servers enabled the domain hijacking.
It linked to a paper published in 2005 from the Department of Computer Science at Cornell University – titled Perils of Transitive Trust in the Domain Name System.
Essentially, if an attacker is able to gain control of one DNS server in the chain, every domain connected to DNS servers that depend on it may potentially be compromised.
The authors conservatively estimated that 17% of DNS servers they surveyed were not properly patched and vulnerable to documented exploits due to software bugs.
Verisign also provided an online tool which visualises the transitive trust and DNS dependencies of any top-level domain – and a selection of domains are shown below.
It should be noted that the same complex hierarchy afflicting the .ZA name space is also present in .africa, .capetown, .joburg, and .durban. Querying mil.za and gov.za raises similar concerns.
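The transitive-trust problem described above can be made concrete with a small dependency audit. The following Python script is an added example and not part of the MyBroadband article or Verisign's tool; its delegation table is constructed for illustration and does not reflect real .ZA delegation data. It walks a domain's ancestor zones, then the zones of every nameserver hostname it meets, until the set of trusted nameservers stops growing, and it reports which domains a single nameserver can affect if compromised.

```python
"""Transitive-trust audit for DNS nameserver dependencies (added example).

To resolve a name you must trust the nameservers of its zone, of every
parent zone up to the root, and of the zones that host those nameservers'
own hostnames. This script computes that closure over a constructed table.
"""

# Constructed delegation table: zone -> authoritative nameserver hostnames.
# The ".example" names are placeholders, not real operators.
ZONES = {
    ".": ["a.root.example"],
    "example": ["a.root.example"],
    "za": ["ns.zacr.example", "ns2.zacr.example"],
    "co.za": ["ns.zacr.example", "ns.cozahost.example"],
    "gov.za": ["ns.govhost.example", "ns.cozahost.example"],
    "shop.co.za": ["ns.shop.co.za", "ns.cozahost.example"],
    "dept.gov.za": ["ns.dept.gov.za"],
    "zacr.example": ["ns.zacr.example"],
    "cozahost.example": ["ns.cozahost.example"],
    "govhost.example": ["ns.govhost.example"],
}

# Constructed list of domains whose exposure we want to audit.
DOMAINS = ["shop.co.za", "dept.gov.za"]


def ancestors(name):
    """Yield the name itself, each parent zone, and finally the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    yield "."


def transitive_nameservers(domain, zones):
    """Return the frozenset of nameservers a resolver must trust for `domain`.

    Work list: every name we depend on (the domain, then each nameserver
    hostname) contributes the nameservers of all its enclosing zones.
    """
    trusted = set()
    seen_zones = set()
    pending = [domain]
    while pending:
        name = pending.pop()
        for zone in ancestors(name):
            if zone in seen_zones or zone not in zones:
                continue
            seen_zones.add(zone)
            for ns in zones[zone]:
                if ns not in trusted:
                    trusted.add(ns)
                    pending.append(ns)  # the NS hostname must itself be resolved
    return frozenset(trusted)


def blast_radius(nameserver, domains, zones):
    """Domains whose resolution depends, directly or transitively, on `nameserver`."""
    return sorted(d for d in domains if nameserver in transitive_nameservers(d, zones))


def report(domains, zones):
    """Print each domain's trust set and the shared single points of failure."""
    all_ns = set()
    for d in domains:
        ns_set = transitive_nameservers(d, zones)
        all_ns |= ns_set
        print(f"{d} trusts {len(ns_set)} nameservers: {sorted(ns_set)}")
    for ns in sorted(all_ns):
        hit = blast_radius(ns, domains, zones)
        if len(hit) > 1:
            print(f"shared dependency {ns} affects {hit}")


if __name__ == "__main__":
    report(DOMAINS, ZONES)
```

Note that `dept.gov.za` has no direct relationship with the co.za hosting provider, yet `ns.cozahost.example` ends up in its trust set because `gov.za` delegates to it; that is exactly the hidden dependency the Cornell paper warns about, and the `blast_radius` output is the list a defender would use to decide which nameserver operators deserve the closest scrutiny.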
To defend against domain hijacking, Krebs offered the following advice:
While DNSSEC has been available for domains in the .ZA namespace since 2017, support and adoption is lacking.
Measurements taken by APNIC show that only 46.25% of the queries it tested through DNS resolvers in South Africa were DNSSEC-validated.
Alarmingly, even that figure is higher than the global one, which APNIC measures to be below 20%.
In addition to a lack of wide-scale support and adoption of DNSSEC, the .ZA domain space doesn’t have a registry lock feature.
This means that two of the major mitigations for domain hijacking attacks are not readily available for .ZA domains.
The ZA Central Registry was asked for feedback on this issue, but it did not respond to questions.