Websites which primarily use a .ZA address may be at risk of domain hijacking attacks due to the convoluted transitive trust and domain name system (DNS) dependency hierarchies of the .ZA domain space.
According to the reports, attackers hijacked domains by changing their DNS records. The reports also stated that it is likely the attackers were entities sanctioned by at least one nation-state. Iran is the suspected source of the attack.
A detailed summary of the attacks may be found at Krebs On Security, which found that two large Internet organisations were compromised to execute the attacks.
Krebs confirmed with Netnod in Sweden and Packet Clearing House (PCH) in California that the attackers had compromised parts of their DNS infrastructure to hijack domains all over the Middle East and North Africa.
Domains were compromised in Jordan, the United Arab Emirates, Saudi Arabia, Iraq, Egypt, and Lebanon.
After redirecting traffic destined for the hijacked domains via servers under their control, the attackers launched spear phishing campaigns against various government entities in the targeted countries.
Email passwords and other data were taken from governments and private companies. Krebs said that a “huge volume” of sensitive data was compromised.
Following the attacks, Verisign explained how “transitive trust” between DNS servers enabled the domain hijacking.
It linked to a paper published in 2005 from the Department of Computer Science at Cornell University – titled Perils of Transitive Trust in the Domain Name System.
Essentially, if an attacker is able to gain control of one DNS server in the chain, every domain connected to DNS servers that depend on it may potentially be compromised.
The authors conservatively estimated that 17% of DNS servers they surveyed were not properly patched and vulnerable to documented exploits due to software bugs.
Verisign also provided an online tool which visualises the transitive trust and DNS dependencies of any top-level domain – a selection of domains is shown below.
It should be noted that the same complex hierarchy afflicting the .ZA name space is also present in .africa, .capetown, .joburg, and .durban. Querying mil.za and gov.za raises similar concerns.
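To make the transitive-trust point concrete, the Python below (an added example, not the Verisign tool or anything from the Cornell paper) walks a constructed zone-to-nameserver map, collects every zone and server a name's resolution ends up trusting, and lists which names a single hijacked server would expose. All zone and server names are hypothetical.

```python
from collections import deque

# Constructed, hypothetical delegation data: zone apex -> nameserver hostnames.
# Models a TLD whose secondary nameserver is outsourced to a third party that
# in turn depends on yet another hoster. None of these names are real.
ZONE_NS = {
    ".":                         ["a.root.example."],
    "example.":                  ["a.root.example."],
    "tld.":                      ["ns1.tld-registry.example.", "ns.thirdparty-dns.example."],
    "gov.tld.":                  ["ns1.tld-registry.example."],
    "agency.gov.tld.":           ["ns.agency.gov.tld."],
    "bank.tld.":                 ["ns.bank.tld."],
    "thirdparty-dns.example.":   ["ns.thirdparty-dns.example.", "ns.secondary-hoster.example."],
    "secondary-hoster.example.": ["ns.secondary-hoster.example."],
}


def delegation_chain(name, zone_ns):
    """Zones a resolver walks from the root down to the zone holding `name`."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone_ns:
            chain.append(candidate)
    return chain


def dependencies(name, zone_ns):
    """Return (zones, servers) that resolving `name` transitively trusts."""
    zones, servers, queue = set(), set(), deque([name])
    while queue:
        current = queue.popleft()
        for zone in delegation_chain(current, zone_ns):
            if zone in zones:
                continue
            zones.add(zone)
            for ns in zone_ns[zone]:
                if ns not in servers:
                    servers.add(ns)
                    queue.append(ns)  # the server's own name must be resolved too
    return zones, servers


def blast_radius(server, names, zone_ns):
    """Names whose resolution is exposed if `server` alone were hijacked."""
    return sorted(n for n in names if server in dependencies(n, zone_ns)[1])
```

Running `blast_radius("ns.secondary-hoster.example.", [...], ZONE_NS)` shows that a hoster two delegations away from the TLD still sits in the trust path of every name under it, which is the dependency surface the Verisign visualisation exposes.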
Protecting against domain hijacking
To defend against domain hijacking, Krebs offered the following advice:
- Use DNS Security Extensions (DNSSEC).
- Use features like Registry Lock that can help protect domains from having their records changed.
- Use access control lists for applications, Internet traffic, and monitoring.
- Use two-factor authentication.
- Use unique passwords and consider password managers.
- Review your accounts with registrars and other providers.
- Monitor certificates.
While DNSSEC has been available for domains in the .ZA namespace since 2017, support and adoption is lacking.
Measurements taken by APNIC show that DNSSEC validation was performed for only 46.25% of the domains it tested through DNS resolvers in South Africa.
Alarmingly, this is higher than the global adoption figure – which APNIC measures to be below 20%.
In addition to a lack of wide-scale support and adoption of DNSSEC, the .ZA domain space doesn’t have a registry lock feature.
This means that two of the major mitigations for domain hijacking attacks are not readily available for .ZA domains.
ZACR – No comment
The ZA Central Registry was asked for feedback on this issue, but it did not respond to questions.