Chances are, if you are involved in maintaining your organization's cybersecurity, you've had more than a few sleepless nights after hearing about the disastrous consequences of another entity's breach. This story is no different.
DNS hijack and extremely well-executed spoofed sites fool bank customers
Earlier this month, the security firm Kaspersky detailed the wholesale takeover of a bank in Brazil that has not yet been named. The attack itself was a quintessential DNS hijack: the attackers took over several of the bank's domains. For a period of five hours, customers were directed by NIC.br (the organization that manages the bank's DNS service and, incidentally, is the domain registrar for the Brazilian top-level domain, .br) to spoofed versions of the bank's legitimate sites. The spoofed sites were reportedly near perfect, down to having their own valid SSL/TLS certificates issued in the bank's name.
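A takeover like this shows up in DNS answers before most customers notice anything: the apex NS records of the hijacked zone change to nameservers the organization never configured, and the customer-facing hosts start resolving to addresses the organization does not own. The check below is an added example, not code from the original article, the bank or NIC.br. It parses dig-style answer lines, diffs them against a known-good baseline and rates a changed delegation as critical. The zone name, nameservers and addresses are constructed placeholders.

```python
"""Detect a DNS delegation hijack by diffing observed answers against a known-good baseline.

Added example for this post; it is not code from the original article, the bank or NIC.br.
The zone, nameservers and addresses are constructed placeholders (RFC 5737 / RFC 2606 ranges).
"""
import re
from collections import defaultdict

# One dig "+noall +answer" style line: "<owner> <ttl> IN <type> <rdata>".
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA|CNAME)\s+(\S+)$")


def parse_answers(text):
    """Parse answer lines into {(owner, rtype): set(rdata)}, normalising case and trailing dots."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank lines and dig comments
            continue
        match = ANSWER_RE.match(line)
        if not match:
            raise ValueError(f"unparseable answer line: {line!r}")
        owner, _ttl, rtype, rdata = match.groups()
        records[(owner.lower().rstrip("."), rtype)].add(rdata.lower().rstrip("."))
    return dict(records)


def detect_hijack(baseline, observed):
    """Return findings for every record set that differs from the baseline.

    A changed NS set at the apex is the signature of the registrar-level takeover in the
    post (every name under the zone now resolves wherever the attacker says), so it is
    rated critical; a changed address on a single host is rated high.
    """
    findings = []
    for key, expected in sorted(baseline.items()):
        seen = observed.get(key, set())
        if seen != expected:
            findings.append({
                "owner": key[0], "type": key[1],
                "expected": sorted(expected), "observed": sorted(seen),
                "severity": "critical" if key[1] == "NS" else "high",
            })
    for key in sorted(set(observed) - set(baseline)):
        findings.append({
            "owner": key[0], "type": key[1],
            "expected": [], "observed": sorted(observed[key]),
            "severity": "medium",                  # record set that never existed before
        })
    return findings


# Constructed baseline, as captured while the delegation was known to be correct.
BASELINE = parse_answers("""
bank.example.br.        86400   IN      NS      ns1.bank.example.br.
bank.example.br.        86400   IN      NS      ns2.bank.example.br.
www.bank.example.br.    300     IN      A       203.0.113.10
""")

# Constructed answers of the kind a resolver would return during the hijack window:
# the delegation now points at the attacker's nameservers, which answer with their own host.
DURING_HIJACK = parse_answers("""
bank.example.br.        86400   IN      NS      ns1.hosting.example.
bank.example.br.        86400   IN      NS      ns2.hosting.example.
www.bank.example.br.    300     IN      A       198.51.100.77
""")

if __name__ == "__main__":
    for finding in detect_hijack(BASELINE, DURING_HIJACK):
        print(f"[{finding['severity']}] {finding['owner']} {finding['type']}: "
              f"expected {finding['expected']}, observed {finding['observed']}")
```

Run this from several vantage points (a resolver outside your own network as well as inside it), because a delegation change at the registry is visible to the whole Internet while a poisoned internal resolver is not.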
Hackers obtained SSL certificate for rogue sites
After they gained control over the domains, the attackers applied for a certificate from the non-profit certificate authority Let's Encrypt. In an interview with Wired.com, Josh Aas, founder of Let's Encrypt, stated that entities are issued certificates when they can properly demonstrate control of a domain, which in this case the attackers were able to do.
Per the Let's Encrypt website (letsencrypt.org), the CA only offers domain validation (DV) certificates, which are sufficient for HTTPS. Kaspersky's ThreatPost write-up of this incident revealed that the certificates were issued the day before the spoofed sites went live, suggesting that the attackers already had some control over the bank's domains in the days leading up to the attack.
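That one-day gap matters. Let's Encrypt publishes every certificate it issues to public Certificate Transparency (CT) logs, so a certificate for the bank's domains from a CA the bank had never used was visible a day before the spoofed sites went live. The script below is an added example, not code from the original article, Kaspersky or Let's Encrypt; it reviews CT records in the JSON shape that crt.sh returns (field names as in that API), flags certificates for monitored domains that come from an unexpected issuer, and reports how much lead time an alert would have given. The records, dates and hijack start time are constructed for the example.

```python
"""Review Certificate Transparency (CT) entries for a domain and flag unexpected issuances.

Added example for this post; it is not code from the original article, Kaspersky or
Let's Encrypt. The records below are constructed in the JSON shape that crt.sh returns
for a query such as ?q=%.bank.example.br&output=json (field names as in that API; the
ids, dates, serials and names are invented). The hijack start time is likewise invented.
"""
import json
from datetime import datetime

SAMPLE_CT_JSON = """[
  {"id": 101, "issuer_name": "C=BR, O=Bank Trusted CA, CN=Bank Trusted CA OV",
   "name_value": "bank.example.br\\nwww.bank.example.br",
   "not_before": "2016-09-01T00:00:00", "not_after": "2018-09-01T00:00:00", "serial_number": "0a"},
  {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "name_value": "www.bank.example.br",
   "not_before": "2017-04-04T10:15:00", "not_after": "2017-07-03T10:15:00", "serial_number": "0b"},
  {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "name_value": "shop.unrelated.example",
   "not_before": "2017-04-04T11:00:00", "not_after": "2017-07-03T11:00:00", "serial_number": "0c"}
]"""

# Constructed: the moment the spoofed sites went live.
HIJACK_START = datetime(2017, 4, 5, 10, 15)


def load_ct_records(text):
    return json.loads(text)


def issuer_org(dn):
    """Pull the O= component out of an issuer DN string (the sample values contain no commas)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return dn


def names_in(record):
    """SANs in crt.sh output are newline separated; drop a wildcard's '*.' prefix."""
    return {n.strip().lower().lstrip("*.") for n in record["name_value"].split("\n") if n.strip()}


def covers(name, domain):
    return name == domain or name.endswith("." + domain)


def review_issuances(records, monitored_domains, expected_issuer_orgs, hijack_start):
    """Return one finding per certificate that covers a monitored domain but comes from a CA
    the organization does not use. lead_time_hours is how long before the hijack the
    certificate was issued, i.e. how much warning a CT alert would have given."""
    findings = []
    for rec in records:
        hit = {n for n in names_in(rec) if any(covers(n, d) for d in monitored_domains)}
        if not hit:
            continue                                   # someone else's certificate
        org = issuer_org(rec["issuer_name"])
        if org in expected_issuer_orgs:
            continue                                   # our own CA, our own order
        issued = datetime.fromisoformat(rec["not_before"])
        findings.append({
            "ct_id": rec["id"],
            "issuer": org,
            "names": sorted(hit),
            "issued": rec["not_before"],
            "lead_time_hours": round((hijack_start - issued).total_seconds() / 3600, 1),
        })
    return findings


if __name__ == "__main__":
    for f in review_issuances(load_ct_records(SAMPLE_CT_JSON), ["bank.example.br"],
                              {"Bank Trusted CA"}, HIJACK_START):
        print(f"CT entry {f['ct_id']}: {f['issuer']} issued for {f['names']} at {f['issued']}, "
              f"{f['lead_time_hours']} h before the hijack")
```

In production the allowlist is the set of CAs your procurement actually uses, and the records come from a scheduled CT query rather than a string literal; anything outside that allowlist for your domains should page someone, because a legitimately ordered certificate from an unfamiliar CA is far rarer than a hijack in progress.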
Countless bank customers duped into providing account details
These days, consumers are much more savvy about how, when, and where they share their confidential information. Even so, with the HTTPS padlock showing and the spoofed sites looking identical to the real ones, a large number of bank customers were tricked into entering their account details.
How to make it more difficult for attackers to infiltrate your organization
There are several lessons to learn from this hack. First of all, organizations must work to stay ahead of attacker tactics. Perhaps if the bank in Brazil had followed the tips listed below, the bank and its customers would have been protected from this breach.
- Include external accounts in your privileged access management strategy. When identifying privileged accounts in your organization, include external accounts that could pose a risk as well as internal ones. Locking down internal root and administrator accounts is not sufficient. Privileged access management must cover every account that grants elevated access or could affect your organization's systems or reputation, including the accounts behind your social media presence or, in the bank's case, the account at its DNS service provider. Had the affected bank managed its NIC.br account under its privileged access management solution, it might have been able to prevent this attack.
- Rotate passwords frequently, both for your organization's accounts and for your personal ones, and use two-factor authentication wherever it is offered. Had this bank rotated the password on its NIC.br account more frequently, it might have been able to protect itself from this attack, since the attackers would have needed to compromise the credential again each time it changed; a second factor on that account would have meant a stolen password alone was not enough to change the DNS.
- Get organization validation (OV) or extended validation (EV) certificates when appropriate for your organization. Certificates are not created equal. Let's Encrypt offers domain validation (DV) certificates, not OV or EV certificates. To the general public the difference is likely lost, especially when the browser simply displays a site as "secure", but these certificate types differ significantly: a DV certificate proves only that the requester controlled the domain at the time of issuance, which is exactly what a DNS hijacker can prove, whereas OV and EV certificates require the CA to verify the organization behind the domain as well. They offer more validation and therefore more trust.
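If you want to know which validation level the certificates on your own hosts actually carry, the subject of the certificate tells you. The script below is an added example, not code from the original article or from any CA. It works on the dictionary that Python's ssl.SSLSocket.getpeercert() returns and applies the CA/Browser Forum conventions as a heuristic: a DV certificate carries no verified organizationName, an OV certificate carries one, and an EV certificate additionally carries businessCategory, serialNumber and jurisdictionCountryName. The definitive EV marker is the EV policy OID, which getpeercert() does not expose, so read "EV" here as "EV-shaped subject". The three sample certificates and the organization name in them are constructed.

```python
"""Classify a served certificate as DV, OV or EV from its subject fields.

Added example for this post; it is not code from the original article or from any CA.
It applies the CA/Browser Forum subject conventions as a heuristic on the dict returned by
ssl.SSLSocket.getpeercert(); the EV policy OID is the authoritative EV marker and is not
available from that call. The sample certificates below are constructed, not real.
"""
import socket
import ssl

EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten getpeercert()'s tuple-of-RDN-tuples subject into a {attribute: value} dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            fields[attribute] = value
    return fields


def classify_validation(cert):
    """DV: no organizationName; OV: organizationName; EV: organizationName plus the EV fields."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if EV_SUBJECT_FIELDS <= fields.keys():
        return "EV"
    return "OV"


def describe(cert):
    """One-line summary of the kind a certificate inventory would log."""
    fields = subject_fields(cert)
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return (f"{classify_validation(cert)} certificate for {', '.join(names)}; "
            f"organization: {fields.get('organizationName', '(none, domain control only)')}")


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the certificate a live host serves (needs network access; hostname is the caller's)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in the getpeercert() shape.
DV_CERT = {
    "subject": ((("commonName", "www.bank.example.br"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "subjectAltName": (("DNS", "www.bank.example.br"),),
}
OV_CERT = {
    "subject": ((("countryName", "BR"),), (("stateOrProvinceName", "SP"),),
                (("localityName", "Sao Paulo"),), (("organizationName", "Banco Exemplo S.A."),),
                (("commonName", "www.bank.example.br"),)),
    "subjectAltName": (("DNS", "www.bank.example.br"), ("DNS", "bank.example.br")),
}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "BR"),), (("serialNumber", "12.345.678/0001-90"),),
                (("countryName", "BR"),), (("localityName", "Sao Paulo"),),
                (("organizationName", "Banco Exemplo S.A."),),
                (("commonName", "www.bank.example.br"),)),
    "subjectAltName": (("DNS", "www.bank.example.br"),),
}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(cert))
```

One caveat worth keeping in mind: an OV or EV certificate on the genuine site does not stop an attacker who controls your DNS from obtaining a DV certificate for the same name, and the browser padlock looks the same either way. What it does give you is a certificate that the attacker cannot reproduce, so your own monitoring and your more attentive customers have a way to tell the two sites apart.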
Don’t let a hack happen to you. Contact Cybersheath to learn more about our recommendations for safeguarding your organization. Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!