Jump to content

Compromised Domain: Difference between revisions

From ICANNWiki
Jessica (talk | contribs)
No edit summary
Jessica (talk | contribs)
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
A '''Compromised Domain''' has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of [[DNS Abuse]].
A '''Compromised Domain''' has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of [[DNS Abuse]].
==Indicators of Compromise==
Indicators of compromise (IOCs) are forensic evidence of potential intrusions into a host system or network. These artifacts help information security workers and system administrators to detect intrusion attempts and malicious activity. Security researchers use IOCs to analyze [[malware]] techniques and behaviors. IOCs provide actionable, shareable threat intelligence, which the community can use to improve organizations' incident responses and remediation strategies. Some are found on event logs and timestamped entries in a system, applications, or services. They may also be discovered with tools for monitoring and mitigating breaches and attacks.
===Common IOCs===
* Unusual traffic going in and out of the network
* Unknown files, applications, and processes in the system
* Suspicious activity in administrator or privileged accounts
* Irregular activities such as traffic in countries where an organization does not do business
* Dubious log-ins, access, and other network activities that indicate probing or brute force attacks
* Anomalous spikes of requests and read volume in company files
* Network traffic that traverses in unusually used ports
* Tampered files, DNS, and registry configurations and system setting changes, including in mobile devices
* Large amounts of compressed files and data found in locations where they should not be<ref>[https://www.trendmicro.com/vinfo/us/security/definition/indicators-of-compromise#:~:text=Indicators%20of%20compromise%20(IOCs)%20serve,attempts%20or%20other%20malicious%20activities. Indicators of Compromise, TrendMicro]</ref>


==Types==
==Types==
Adversaries hijack domains and/or subdomains to target victims.  
Adversaries hijack domains and/or subdomains to target victims.  
===Registration Hijacking===
===Registration Hijacking===
Threat actors may change the registration of a domain name without the permission of the original registrant. They may gain access to an email account for the person listed as the owner of the domain and then claim that they forgot their password to change to the domain registration. They could also engage in [[Social Engineering]] with the help desk to gain access to an account or take advantage of renewal process gaps.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>  
Threat actors may change the registration of a domain name without the permission of the original registrant. They may gain access to an email account for the person listed as the owner of the domain and then claim that they forgot their password to change to the domain registration. They could also engage in [[[Social Engineering Attacks|social engineering]] with the help desk to gain access to an account or take advantage of renewal process gaps.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
 
===Subdomain Hijacking===
===Subdomain Hijacking===
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>


==Examples==
* Connected with China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, [[APT1]] hijacked 141 victim organizations across multiple industries beginning in 2006. APT1 hijacked fully qualified domain names/absolute domain names associated with legitimate websites hosted by hop points.<ref>[https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units APT1:Exposing One of China's Cyberespionage Units, Mandiant]</ref>
==References==
==References==
[[Category:DNS Abuse]]
[[Category:DNS Abuse]]

Latest revision as of 17:46, 3 March 2022

A Compromised Domain has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of DNS Abuse.

Indicators of Compromise

Indicators of compromise (IOCs) are forensic evidence of potential intrusions into a host system or network. These artifacts help information security workers and system administrators to detect intrusion attempts and malicious activity. Security researchers use IOCs to analyze malware techniques and behaviors. IOCs provide actionable, shareable threat intelligence, which the community can use to improve organizations' incident responses and remediation strategies. Some are found on event logs and timestamped entries in a system, applications, or services. They may also be discovered with tools for monitoring and mitigating breaches and attacks.

Common IOCs

  • Unusual traffic going in and out of the network
  • Unknown files, applications, and processes in the system
  • Suspicious activity in administrator or privileged accounts
  • Irregular activities such as traffic in countries where an organization does not do business
  • Dubious log-ins, access, and other network activities that indicate probing or brute force attacks
  • Anomalous spikes of requests and read volume in company files
  • Network traffic that traverses in unusually used ports
  • Tampered files, DNS, and registry configurations and system setting changes, including in mobile devices
  • Large amounts of compressed files and data found in locations where they should not be[1]

Types

Adversaries hijack domains and/or subdomains to target victims.

Registration Hijacking

Threat actors may change the registration of a domain name without the permission of the original registrant. They may gain access to an email account for the person listed as the owner of the domain and then claim that they forgot their password to change to the domain registration. They could also engage in [[[Social Engineering Attacks|social engineering]] with the help desk to gain access to an account or take advantage of renewal process gaps.[2]

Subdomain Hijacking

Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.[3]

Examples

  • Connected with China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, APT1 hijacked 141 victim organizations across multiple industries beginning in 2006. APT1 hijacked fully qualified domain names/absolute domain names associated with legitimate websites hosted by hop points.[4]

References