Users are being hit with ransomware spread through hacked domain name system (DNS) records of Go Daddy hosted websites. DNS converts domain names into IP addresses, often dynamically, so that resources can be moved between machines, networks and locations without affecting end users. The hostnames remain constant, and DNS handles any changes in the IP address as the resources move.
“To understand how these attacks work, a short primer on DNS is required,” said security specialist Fraser Howard, writing in the Sophos Naked Security blog. “In this current spate of attacks, criminals are exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers.”
The upshot is that hackers can hijack DNS to create legitimate-looking URLs for phishing attacks, evading security filtering and tricking users into thinking the content must be safe. A user clicks on a link in a phishing email and is taken to a rogue server, which serves files exploiting several vulnerabilities in order to infect the user's machine with the ransomware. The rogue servers are running a Russian exploit kit calling itself Cool EK, which Howard said is very similar to the Blackhole exploit kit.
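The pattern Howard describes, a legitimate zone with extra subdomain A records pointing at outside hosts, is something a site owner can check for from a DNS snapshot. The script below is an added illustration, not code from Sophos or Go Daddy; the zone listings, hostnames, addresses and the "trusted network" range are all constructed placeholders.

```python
import ipaddress

# Constructed sample: a baseline snapshot of the zone's A records taken before
# any tampering, and the zone as it reads now. Hostnames and IPs are placeholders.
BASELINE_ZONE = """\
example.com.       A  198.51.100.10
www.example.com.   A  198.51.100.10
mail.example.com.  A  198.51.100.25
"""

CURRENT_ZONE = """\
example.com.             A  198.51.100.10
www.example.com.         A  198.51.100.10
mail.example.com.        A  198.51.100.25
cdn-static.example.com.  A  203.0.113.77
login.example.com.       A  203.0.113.78
"""

# Address range the organisation legitimately hosts on (assumed, constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_a_records(zone_text):
    """Return {hostname: set(ip_address)} for the A records in a simple zone listing."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].upper() == "A":
            host = parts[0].rstrip(".").lower()
            records.setdefault(host, set()).add(ipaddress.ip_address(parts[2]))
    return records


def find_rogue_records(baseline_text, current_text, trusted=TRUSTED_NETWORKS):
    """Flag A records that are absent from the baseline or point outside the
    trusted networks; the untouched apex and www entries pass unchanged."""
    baseline = parse_a_records(baseline_text)
    current = parse_a_records(current_text)
    findings = []
    for host, ips in sorted(current.items()):
        for ip in sorted(ips):
            reasons = []
            if ip not in baseline.get(host, set()):
                reasons.append("not in baseline")
            if not any(ip in net for net in trusted):
                reasons.append("outside trusted networks")
            if reasons:
                findings.append((host, str(ip), ", ".join(reasons)))
    return findings
```

Calling `find_rogue_records(BASELINE_ZONE, CURRENT_ZONE)` reports only the two added subdomains, each flagged both as new and as resolving outside the trusted range, which is exactly the signature of the record tampering described above.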
When it comes to how hackers were able to compromise the DNS in the first place, the likely cause is compromised user credentials – i.e., stolen or weak passwords. “We suspect that the affected customers have been phished or their home machines have been affected by Cool Exploit as we have confirmed that this is not a vulnerability in the My Account or DNS management systems,” Go Daddy told Fraser.
The moral of the story is an age-old one: employ better credentialing policies. “Sigh,” Howard lamented. “Given the prevalence of attacks against websites for the purpose of malware distribution it is high time that associated services (registrars, hosting providers etc.) pay adequate consideration to security.”
For instance, users should ensure their passwords are strong and unique to each website, and two-factor authentication should be readily available, if not enforced, he added. “With a little forethought and consideration to what happens when the keys to the kingdom get lost, malicious activity can be disrupted more quickly,” concluded Howard.
US- and Canada-based Go Daddy customers can enable 2-step authentication to help protect their accounts. The service encourages all users to enable two-factor authentication.