Gandi SAS, a French web hosting company has announced that it suffered a security breach after hackers got hold of the valid login details to one of the company’s technical providers who manage a number of geographic TLDs.
The hackers were then able to divert traffic for over 751 domains to a malicious website. Gandi had issued an incident report according to which the breach took place on July 7 at 11:00 UTC (4:00 AM PDT) when hackers modified the name servers [NS] of the targeted domains.
Swiss information security company SCRT was one of the first to notice that something wasn’t right.
“Last Friday at around 14:05 we noticed that our website (www.scrt.ch) along with some other services we use internally were no longer accessible. We immediately tried to figure out why that was and quickly noticed that our DNS requests were not returning the correct IP addresses,” they explained in a blog post.
The incident report also reveals that the traffic diversion to the malicious site exploited security flaws in several browsers. Furthermore, Gandi shared a full list of affected TLDs (Top-level domain) which included:
".ASIA, .AT, .AU, .CAT, .CH, .CM, .CZ, .ES, .GR, .HK, .IM, .IT, .JP, .LA, .LI, .LT, .LV, .MG, .MS, .MU, .NL, .NU, .NZ, .PE, .PH, .PL, .RO, .RU, .SE, .SH, .SI, .SX, .UA, .XN–P1AI (.рф)."
Barry Shteiman, Director of Threat Research at Exabeam commented on the issue and told HackRead that:
“The theft of IDs and passwords is by far the most common goal for today’s cyber attackers. Valid credentials really are the keys to the kingdom, once a hacker has them, they have a legitimate means to access files and databases at will, or as in the Gandi case, make changes to critical services in order to cause havoc.”
“To stop such cases, businesses need to be able to detect the unusual use of valid credentials. This is why behavioral analytics has grown so quickly over the last couple of years. It can help combat insider threats by notifying the security team when someone is doing something that is unusual and risky, both on an individual basis and compared to peers.”
SCRT has noted a few changes they will be making to reduce the impact such an attack could have in the future (such as preloading Strict-Transport-Security into browsers and implementing DNSSEC), and said that they discussed with SWITCH how detection of this type of massive changes can be improved.
Additional reporting on helpnetsecurity and hackread