I came across a blog post that once again showcases the importance of properly managing DNS through its entire life cycle. The article entitled “Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target” (sic) was written by Matthew Bryant (@IAmMandatory) can be found here. It’s a bit of long read, but serves as a great reminder about the importance of understanding and managing important DNS data from inception through final decommission.

The basic concept discusses deals with expired domain names that at one time had one or more authoritative name servers bound to that domain and served as authoritative name servers for other zones. Over time, domains fall out of use and their registration lapses. Many times, owners of those domains fail to remove authoritative name server registrations from the top-level domain servers, leaving the no longer functioning name servers in the expired domain listed as authoritative for one or more other zones or both. Incomplete or ineffective garbage collection over long periods for time can lead to big security holes.

Keep in mind that technically, any name server that is acting as either a primary master or primary slave authoritative name server and providing data to name servers outside the local zone needs to be registered with the parent domain. For example, any name server that is listed as authoritative and listed with the registrar for APPRIVER.COM must be registered as a name server with the .COM domain. This is typically done though an approved registrar with access to the appropriate TLD. Unfortunately, this requirement does not prevent the use of unregistered name servers being listed in NS records for publicly accessible authoritative DNS. Also, there is no mechanism in the normal DNS lookup process that validates whether or not a name server is registered with the parent zone and nothing that checks the registration status of the domains used by listed name servers.

Name servers that are listed in NS records for a given zone but not listed as name servers for the zone with the zone’s registrar are referred to as stealth name servers. Stealth name servers may or may not be registered as authoritative name servers within the parent zone. You can read more on the technical requirements for authoritative name servers on the IANA web site. The case described in the blog post is essentially the inverse of the stealth name server scenario. Name servers are listed with the registrar but one or more of the domains associated with the name server have a lapsed registration.

The security concern described in Bryant’s post deals with the following case:

  1. One or more NS records listed with a zone are part of a different zone.
  2. One or more of the zones containing the NS hosts has an expired registration

The example used in Bryant’s post is iom.int. He found that two of the four listed name servers were functional and two were not. The name servers in the org.ph zone failed to respond. Further investigation revealed that the org.ph domain was unregistered. All a malicious actor need do at this point is:

  1. Register the available domain though a supporting registrar (org.ph)
  2. Configure DNS on the zone (in this case the sub zone iom.org.ph)
  3. Set up the appropriate A records for the listed name servers (ns1.iom.org.ph & ns2.iom.org.ph)
  4. Set up a DNS service that listens on the IPs pointed to by the above A records
  5. Configure desired DNS responses for original zone with the previously broken NS records

In the example in Bryant’s post, there were four name servers. He was able to successfully hijack two of the four using the above process. This means that his name servers would respond to approximately 50 percent of all authoritative requests. This would continue until such time as the owner of ion.int removed the rogue name servers from the name server settings list at the registrar. If the owners of ion.int did nothing, Bryant could in theory hijack 50 percent of all traffic destined to ion.int since most DNS lookups utilize round robin requests. By altering the TTL data for records served up by the rogue name servers and omitting the valid NS records from his bogus DNS zone, it is likely that over time, the amount of DNS traffic influenced by the bogus name servers could approach 100 percent. Additionally, he could also theoretically request SSL certificates, re-direct email, spoof SRV records and ultimately permanently hijack the target domain. His post explains the methods involved in more detail.

Starting to see how inattention to details can come back to bite you if you mismanage you DNS?

So if you don’t own any domains this stuff doesn’t impact you right?  Wrong! As a normal user of the Internet, almost everything you do is dependent upon DNS and the accuracy and trustworthiness of that DNS data.

Bryant’s post also references a tool he developed called Judas DNS. Judas DNS is DNS proxy server that can take the place of a hijacked name server and used to perform targeted exploitation. It can be configured to target specific source IP ranges or particular zones or a combination of both. TTLs are adjustable. This tool could also be deployed in a MITM attack to target a specific IP on the target network.

So how can you protect yourself from these kinds of deceptive attacks?

Firstly, know your network! Only connect using trusted devices connected to trusted networks. If you must use unfamiliar networks, invest in a quality VPN provider. Only send data over VPN connections. This will insure that your data is safe from prying eyes while in transit between your device and the VPN provider. What happens after your data leaves the VPN end point is difficult to control.

Secondly, use only trusted DNS providers. On static networks, configure your firewalls to allow DNS response traffic only from trusted DNS sources. Make sure trusted DNS resolvers forward unknown queries to the root zones for resolution. It is not possible to verify the legitimacy of DNS requests unless DNSSEC is enforced on a particular zone. If you are concerned about a particular domain, use available tools to verify the DNS configuration. Compare zone data on all listed name servers. They should all match! DNS integrity has never been a priority. This will need to change.

If you are responsible for managing domain name registrations for your company, be sure to do regular audits of your DNS name server settings at the domain registrar making sure that all the listed name servers are correct, legitimate and actually point to registered domains that are functioning. Also check to make sure that all DNS records in your forward and reverse zones are valid, removing any that have expired or are no longer valid.

Take care of your DNS and be safe out there!

PDF phishing emails seem to be popular these days. While the PDF format isn’t immune to its own vulnerabilities used for malware, the biggest abuse we see is a phishing link embedded in the PDF leading to an external site. With the popularity of PDF files in general and the fact you can embed links in them, it makes sense attackers would try to use this to their advantage. This use of PDF’s for phishing usually comes in two flavors as well. It’s either phishing for bank details, or for generic email login credentials.

The below phishing email came in claiming to be from Navy Federal, the worlds largest credit union. It contained just a quick note about unusual activity and a PDF attached.

navyfederalphishingemail

 

Opening up the attached PDF file, you get a small description of why you should click the link. An astute observer may notice it actually links to a compromised WordPress site hosting the fake login page.

navyfederalphishpdffile

Assuming the user did not see the link before clicking and disregards the address bar, the phishing page is actually a rather convincing one. Sometimes these pages are low effort and just thrown together. Misspelled items, pictures not aligning, etc. But this one is pretty spot on to the real Navy Federal page. By phishing campaigns utilizing more convincing pages, it’s likely less of the victims will be taking the proper steps of looking closer and verifying they are indeed at the right website.

 

Click the images below and see if at a quick glance you can spot the fake phishing site.

navyfederalphish_realwebsitenavyfederalphish

 

 

 

 

 

 

 

 

 

 

The phishing website is the image on the right. Minus a few alternate images and details that no user probably has memorized, as well as changing slides on a regular basis, catching any minor details that would throw a red flag is nigh impossible. Stealing the HTML formatting and files used on a website is a rather trivial task as well. The attacker may need to put in slightly more effort to get formatting and images all looking correct on a copied version, but nothing that’s too much effort.

Once credentials are typed in, the server already has the login details. But from there, it brings up more pages asking for more details. This would hopefully also throw some red flags as well since this is likely very far from the normal login process. If someone were to complete all of the questions and details asked about them though, the attackers running the phishing site would hit a jackpot of data about a user. Opening opportunities for identity theft or further spearphishing campaigns. If they have things like bank account numbers and even your SSN#, that can make any further phishing emails using that data much more believable.

navyfederalphish2

The personal questions, often used as security questions, were in two groups on the page. I assume the first question group above was different form the rest as it may be the ones they are more likely to use.

 

navyfederalphishq1navyfederalphishq2

 

From there it goes to the hard hitting questions.

navyfederalphish3Clicking finish will reroute you to the actual NavyFederal.org website and you be presented with a normal login page. More red flags here as going through a login process only to be rerouted to another login process is a pretty classic example of what many phishing sites do. Though it’s very possible a user may just chalk it up to some generic web issue during the login.

Getting alerts or notices from banks or credit unions that are legitimate is of course a thing. So you can’t really tell users to always ignore such notifications. But it’s wise to advise using extra care when dealing with any banking details. Always check the URL you are at and make sure it’s what you expect. Seeing an email from someone like Bank of America with a link to a .ru website is a pretty good indicator of phishing. But sometimes things aren’t that easy. So taking th extra caution and time can go a long way in stopping yourself from becoming a victim.

 

 

As the new year gets underway we always take a look back at patterns and trends that we saw throughout the previous year. 2016 was certainly one thing, the most dangerous year on record–from an email perspective of course. In total we quarantined just over 15.5 billion emails containing malware. Any one of these messages could have spelled disaster to the unsuspecting user. Here is a look at the malicious email traffic as we saw it throughout 2016:

malware_2016

This new ‘normal’ with sheer volume of malicious emails coupled with growing complexity and customization is a trend that we expect to continue in 2017. But rest assured, we will be working around the clock to keep you safe from these threats. You can read more about what happened in 2016 in our upcoming Global Security Report.

By Rocco Donnino, EVP of corporate development, AppRiver

Office 365 is among the fastest-selling products in Microsoft history, and for good reasons. Office 365 brings together a lot of popular apps and makes them available as a subscription-based service. Plus, Microsoft has put its massive marketing machine into high gear in order to bring customers onto the new platform. But before you join the rush – or encourage your customers to – be sure you’re tasting the steak and not just listening to the sizzle.

T1NUHZ0SU7

That’s where AppRiver can offer some invaluable insight. We’ve been in the email security business for nearly 15 years and are a leading provider of both Office 365 and Secure Hosted Exchange. In fact, our rapid growth and sustained success in the Hosted Exchange business was an important reason why Microsoft selected us to be among the first companies to bring Office 365 to market. On a daily basis, we help resellers and customers decide which product is right for their needs by walking through the answers to five basic questions:

Where is my data held?
Hosted Exchange 2016 is provided by AppRiver in our worldwide datacenters. Our customers can choose to have their service housed in the US or Europe, depending on their needs. Microsoft doesn’t give you an option. In fact, many customers choose to have Microsoft only host their Office Apps and not their email an data because of privacy and compliance concerns.

Is my data secure?
AppRiver has been providing email security from the cloud for 14 years, protecting over 10 million mailboxes for 53,000 corporate customers. Security is an option from Microsoft that is available within certain 0365 products. For AppRiver, it’s part of every product we offer. Every AppRiver Hosted Exchange mailbox comes with our SecureTide email antivirus, anti-spam and security solution-protecting against Advanced Persistent Threats (APT), spam, and malware. AppRiver, like Microsoft, can encrypt a customer’s sensitive emails. The difference again is that our customers’ data is held in our AppRiver datacenters, not Microsoft’s.

How reliable is AppRiver’s service vs Microsoft’s?
AppRiver provides a financial guarantee that our services will always be up and running 99.999% of the time. Microsoft offers only 99.9% reliability. This may seem like we’re splitting hairs, but it’s an important issue for those for whom minutes and seconds are mission critical.

It seems you get a lot of applications for 0365, over and above email and security. Do I really need them?
At AppRiver, we can help you decide exactly what you need and make sure you don’t pay for something you don’t. For some customers, the Office 365 apps are essential; for others, they are simply window dressing. That’s why AppRiver’s email and security professionals are available 24/7 to help customers discover what service is the right fit for their needs.

Tell me about your technical support vs Microsoft
Our company culture is built around providing a positive customer experience from first contact to “post-op” support. Our approach is called Phenomenal Care™ and we consider it as a product in and of itself. But the most important measure of our success is the overall satisfaction of our customers, as evident by the 93% customer retention rate since our company began. When you buy Microsoft’s 0365 licenses through Microsoft, they come with self-help options and additional premium support options you can purchase. The good news is that whether you purchase Secure Hosted Exchange or Microsoft 0365 through AppRiver or our partners, you receive our Phenomenal Care™ service at no extra cost.

Office 365 is clearly a great option for many businesses, but in the software world, one size seldom fits all. That’s why AppRiver continues to offer and support Secure Hosted Exchange. Let our experienced professionals help you decide which service makes the most sense, not just the most sizzle.

Earlier this year, the United States Congress held a hearing on ransomware, and particular, its affect on small business. While this isn’t new news to us (we’ve been regularly giving ransomware updates in our quarterly Threat Reports, blogs, and interviews), we have included a nugget from the hearing with tips on how to keep your business cyber-secure.

 

 

Key takeaways to protect your business:

  • The majority of actors today are operating for profit
  • Properly configured networks
  • Encrypt your most sensitive data
  • Reasonable and secure password management
  • Domain password protection to prevent third party hacking
  • Applicable antivirus software that is regularly updated
  • Continuous, proactive cybersecurity education