In Response To FireEye’s Global DNS Hijacking Campaign
I’ve been asked how to assess whether an environment is affected by the DNS hijacking described in FireEye’s “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale”. Here is a short HOWTO to guide you in checking for this threat in your environment, assuming you are approaching it from a security operations/OSINT perspective and the IT team is not involved.
- First you need to collect (recon) your own DNS records, focusing on A and NS. You can go up to MX, but it was not part of this campaign’s Tactics, Techniques and Procedures (TTPs). You may want to use (but are not limited to) the following tools to help you:
- Step #1 will give you the current DNS records. You can dive deeper and use historical or passive DNS records if you want to. I see no urgency to go further back than 2017 (for this campaign).
- Remove the records that resolve into your valid/known IP ranges.
- Now you have the “suspicious” list to be verified. You may follow the change request (CR) audit process to validate the IP resolution with the DNS (IT) team, or you may directly verify them with the owner.
- Even if you are not affected by the mentioned campaign, I believe you will still get some findings, e.g. old and unmaintained records, unauthorized changes/CRs, exposure of internal IPs, etc.