Attackers modified the DNS records for leaseweb.com
Hosting provider LeaseWeb became the latest high-profile company to have its domain name taken over by attackers, highlighting that DNS (Domain Name System) hijacking is a significant threat, even to technically adept businesses.
For a short time on Saturday, leaseweb.com, the company's main website, was redirected to an IP address that wasn't under its control. This was the result of a so-called DNS hijacking attack in which attackers managed to change the authorized name servers for the company's domain name.
Due to the way DNS records get propagated through Internet servers and the fact that some DNS resolvers cache the records for a longer time than others, not all users were affected by the incident.
However, those users who were impacted and attempted to visit the company's website were redirected to a Web page crediting a hacker group called KDMS Team for the attack.
The rogue page contained messages from the hackers, including "what are you is a hosting company with no security" and "we owned all of your hosted sites."
"Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed," LeaseWeb said in a blog post Sunday after resolving the issue. "No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack."
LeaseWeb is a large provider of public cloud, private cloud, dedicated hosting, colocation and content delivery services with subsidiaries in the U.S., Germany and the Netherlands. It has over 15,000 customers that range from small businesses to large enterprises and claims to manage almost 4 percent of global IP traffic.
LeaseWeb is still investigating how attackers managed to change the DNS records for its domain name, but it appears that they gained access to the domain administrator password at the domain registrar from which LeaseWeb bought its domain.
Spear phishing might have been a part of the attack, but at this point the investigation is ongoing so there's no definitive answer, Alex de Joode, senior legal counsel of LeaseWeb, said Monday via email.
Because of this attack, emails sent to @leaseweb.com addresses while the rogue DNS records were in place did not reach the company's email server. The rogue Web server where the domain was pointed by the attackers did not have email service configured, so no email messages were compromised, de Joode said.
There's also no indication the rogue Web page served malware or was used to steal credentials, he said.
There has been some speculation that attackers might have exploited a recently disclosed vulnerability in the WHMCS billing and support software to pull off the attack. This software is particularly popular with Web hosting companies.
LeaseWeb itself doesn't use WHMCS, but the company doesn't know if the software is used by its domain registrar, de Joode said.
"We took immediate measures to prevent a repeat of this incident in the short term," he said. "We will also update our security policies for domains based on the results of the current investigation."
Defacing websites by hijacking the DNS records for their domain names in order to redirect them to rogue Web servers is a popular technique among hackers. Attackers usually gain access the domain administrator panel by phishing the log-in credentials from an authorized user or by tricking domain registrar employees to reset the password for the targeted account.
In August, a hacker group called the Syrian Electronic Army (SEA) used spear phishing to temporarily hijack the nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com domain names. SEA publicly supports Syrian President Bashar al-Assad and his government and most of their attacks are a political statement.
LeaseWeb doesn't currently know why it was targeted by Team KDMS, de Joode said.
DNS hijacking can have much more serious consequences than a websites being defaced. Attackers could use this technique to direct users to a phishing version of the website in order to steal their credentials or they could use exploit kits to infect visitors to the rogue Web server with malware.
To prevent rogue modification of DNS records domain owners can ask their registrars to put registry locks in place for their domains. This lock is placed at the registry level -- with those companies that administer the .com, .net, .org, and other domain extensions -- and makes the modification of DNS records, even when a domain registrar is compromised, much harder.