CAIRO, Egypt, 11th January, 2015: UAE's leading telecommunications operator Etisalat had its website hacked on Thursday, 18th December, and persons visiting the domain name Etisalat.ae were redirected to a Chinese site. Etisalat's payment service, e4me.ae, was showing an error message: "Gateway Timeout". This could easily have happened to operators in Egypt as well.
Cherif Sleiman, General Manager, Middle East at Infoblox, says that what we know for sure is that Etisalat's Domain Name System (DNS) was compromised. Since Etisalat is the incumbent UAE operator that owns the Etisalat.ae domain, it was definitely an attack on Etisalat's DNS and not another hub. They have been victimized by a DNS cache poisoning exploit that basically involves inserting a false address record for an Internet domain into the DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker's address. There are many ways to accomplish this. New cache poisoning attacks such as the "birthday paradox" use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.
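The two ideas in the paragraph above, a resolver accepting a forged answer and the birthday-paradox flood, can be made concrete with a small model. The following is an added example written for this page, not Infoblox code or anything from the Etisalat incident: a toy resolver cache that only accepts a reply matching an outstanding query's transaction ID, source port and question name (and rejects out-of-bailiwick records), plus the standard probability formulas showing why a 16-bit transaction ID alone is not enough and why source-port randomization (about 32 bits of entropy combined) is the usual mitigation. All names, ports and addresses are constructed.

```python
"""Toy model of resolver-side cache poisoning defences (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Outstanding:
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query left from
    qname: str      # question name


@dataclass
class ToyResolverCache:
    pending: dict = field(default_factory=dict)   # (txid, port) -> Outstanding
    records: dict = field(default_factory=dict)   # name -> address

    def send_query(self, txid, src_port, qname):
        self.pending[(txid, src_port)] = Outstanding(txid, src_port, qname)

    def accept_response(self, txid, dst_port, qname, answers):
        """Accept a reply only if it matches an outstanding query exactly.

        answers is a list of (name, address). Any record outside the queried
        zone (simplified "bailiwick": parent of qname) causes rejection, so a
        forged reply cannot smuggle in an address for an unrelated name.
        """
        q = self.pending.get((txid, dst_port))
        if q is None or q.qname != qname:
            return False
        zone = qname.split(".", 1)[1]
        for name, _addr in answers:
            if name != qname and not name.endswith("." + zone):
                return False
        for name, addr in answers:
            self.records[name] = addr
        del self.pending[(txid, dst_port)]
        return True


def guess_probability(responses, id_bits=16):
    """One outstanding query; attacker sends `responses` forged replies with
    random IDs. Success needs one of them to hit the single valid ID."""
    space = 2 ** id_bits
    return 1 - (1 - 1 / space) ** responses


def birthday_probability(outstanding, responses, id_bits=16):
    """Birthday-paradox variant: `outstanding` concurrent queries for the same
    name (distinct IDs) and `responses` forged replies; any reply matching any
    outstanding ID succeeds. `id_bits`=16 models TXID only, 32 models
    TXID plus a randomized source port."""
    space = 2 ** id_bits
    return 1 - (1 - outstanding / space) ** responses


if __name__ == "__main__":
    cache = ToyResolverCache()
    cache.send_query(txid=0x1A2B, src_port=52113, qname="www.example.test")
    # Forged reply with the wrong transaction ID is dropped.
    print(cache.accept_response(0x0000, 52113, "www.example.test",
                                [("www.example.test", "203.0.113.9")]))
    # Matching reply carrying an out-of-bailiwick record is also dropped.
    print(cache.accept_response(0x1A2B, 52113, "www.example.test",
                                [("www.example.test", "198.51.100.2"),
                                 ("www.bank.test", "203.0.113.9")]))
    print(f"guess, 700 replies, 16-bit: {guess_probability(700):.4f}")
    print(f"birthday, 700x700, 16-bit: {birthday_probability(700, 700):.4f}")
    print(f"birthday, 700x700, 32-bit: {birthday_probability(700, 700, 32):.6f}")
```

With 700 concurrent queries and 700 forged replies, the birthday model gives better than 99% success against a 16-bit ID space but roughly one chance in ten thousand once the source port is randomized as well, which is why both checks appear in `accept_response`.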
Cache poisoning is one of 14 attack vectors on DNS infrastructure, and perhaps the most dangerous DNS exploit today is DNS tunneling. This is a killer exploit as it allows attackers to bypass all security mechanisms an organization has put in place. DNS tunneling involves tunneling another protocol through DNS port 53 – which is allowed if the firewall is configured to carry non-DNS traffic – for the purposes of data exfiltration. A free ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack. Iodine is one of the most popular tools that is easily available and widely used for this attack. Some of our Service Provider customers have seen this being used to evade billing systems.
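Tunneling traffic through port 53 leaves a recognisable footprint in resolver query logs: many unique, long, high-entropy leftmost labels under one base domain, often for TXT or NULL records. The script below is an added example for this page, not Infoblox's or any tool's detection logic, showing how an operator could score per-domain query statistics to surface such candidates. The log lines are constructed (a simplified `client qname qtype` format), the domain `exfil-demo.test` is hypothetical, and the encoded-looking labels are hex digests generated in the script purely as stand-ins for payload chunks.

```python
"""Flagging DNS-tunnelling-like query patterns in resolver logs (added example)."""
import hashlib
import math
import re
from collections import defaultdict

# Simplified constructed log format: "<client> <qname> <qtype>".
LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")


def _fake_tunnel_labels(n, seed=b"example"):
    """Constructed stand-ins for encoded payload chunks (40 hex chars each)."""
    return [hashlib.sha256(seed + bytes([i])).hexdigest()[:40] for i in range(n)]


def build_sample_log():
    """Constructed sample: ordinary lookups plus a tunnelling-like burst."""
    lines = ["10.0.0.5 www.etisalat.ae A"] * 8
    lines += ["10.0.0.7 mail.example-corp.test MX"] * 4
    for label in _fake_tunnel_labels(12):
        lines.append(f"10.0.0.9 {label}.t.exfil-demo.test TXT")  # hypothetical
    return "\n".join(lines)


def shannon_entropy(text):
    """Bits per character of the label; encoded data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Simplification: the last two labels stand in for the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_tunnel_candidates(log_text, min_queries=5, min_label_len=30,
                           min_entropy=3.0, min_unique_ratio=0.8):
    """Return {base_domain: stats} for domains whose query pattern looks like
    tunnelling: enough queries, long high-entropy leftmost labels, and almost
    every query name unique (each carries a different payload chunk)."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(),
                                 "label_len": 0.0, "entropy": 0.0, "txt_null": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not queries
        qname, qtype = m["qname"], m["qtype"]
        leftmost = qname.split(".")[0]
        s = stats[base_domain(qname)]
        s["queries"] += 1
        s["unique"].add(qname)
        s["label_len"] += len(leftmost)
        s["entropy"] += shannon_entropy(leftmost)
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
    flagged = {}
    for dom, s in stats.items():
        n = s["queries"]
        if n < min_queries:
            continue
        mean_len = s["label_len"] / n
        mean_ent = s["entropy"] / n
        ratio = len(s["unique"]) / n
        if mean_len >= min_label_len and mean_ent >= min_entropy and ratio >= min_unique_ratio:
            flagged[dom] = {"queries": n, "mean_label_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2),
                            "unique_ratio": round(ratio, 2),
                            "txt_null_queries": s["txt_null"]}
    return flagged


if __name__ == "__main__":
    for dom, info in find_tunnel_candidates(build_sample_log()).items():
        print(dom, info)
```

Thresholds are starting points, not fixed rules: CDN and anti-spam domains also produce long unique labels, so in practice the flagged list is a triage queue to compare against an allow-list and against the volume of data leaving per client, not a verdict.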
There are two possible motivations behind these attacks. The first is the pure joy of proving that a high-profile organization (in this case Etisalat) is vulnerable and that its systems can be compromised. The second is malicious intent for financial gain. People logging onto a website that has been hacked are redirected to a malicious site that instantaneously downloads malicious code via the browser session, in the form of botnets, advanced persistent threats (APTs) and malware, onto unsuspecting users' devices – mobile phones, PCs and laptops – and steals their data, including sensitive information like user names and passwords, through techniques like keyboard logging, which secretly tracks the keys struck on the keyboard while the user is making an online banking transaction, for example.
The code that is downloaded is perfectly legitimate code (with malicious intent) and as such will pass through all the security measures that have been put in place, undetected. This can be likened to a person (with malicious intent) travelling with a legitimate passport and visa through airport immigration and then causing disruption once he enters the country. No screening at the airport could have detected the malicious intention.
Attacks like the one on Etisalat could definitely have been prevented. In the past 15 years, we have seen attack vectors move from the desktop to the network and to the application layer. In the past 18 months, DNS has become the latest target, and DNS is now the second highest attack vector on the Internet, slightly behind HTTP attacks. In fact, DNS is projected to surpass HTTP to become the number one attack vector within the next 12 months. In the past year alone, DNS attacks have increased by more than 216 percent. In the same way that today companies cannot build networks without firewalls and intrusion prevention systems, we have entered an era where organizations can no longer build networks without DNS security.
There is currently only ONE effective way to address these DNS threats – directly from within the DNS servers themselves. DNS attacks cannot be handled by any of the traditional security technologies, including firewalls, intrusion technologies, etc. Only purpose-built products that provide Advanced DNS Protection (ADP) can address such attacks, and operators in Egypt need to quickly put these defense measures in place in order to safeguard themselves from cyber attacks.
