Efficient Detection of DNS Hijacking in Passive DNS

Palo Alto Networks’ Unit 42 describes an automated, machine-learning pipeline that analyzes passive DNS and geolocation data to detect DNS hijacking at scale. The article highlights several early-2024 hijacks — including domain takeovers used for phishing, defacement, and illicit gambling — and points to protections available through Palo Alto services. #dkujpest #GarudaSecurity

Keypoints

  • DNS hijacking lets attackers modify DNS records to redirect legitimate domains to attacker-controlled servers for phishing, defacement, or other abuse.
  • Detection processes an average of 167 million new DNS records daily, extracting 74 features from passive DNS and geolocation data for machine-learning classification.
  • Between March 27 and Sept 21, 2024, the pipeline processed over 29 billion new records and identified 6,729 hijacking records (about 38 per day on average).
  • Notable incidents include hijacks affecting a Hungarian political party (dkujpest[.]hu), a major U.S. utility company, a large ISP, a university (uts.ac[.]id), and a research center (c-sharp[.]in).
  • Palo Alto Networks provides automated protection via Next-Generation Firewall with Advanced DNS Security and offers detection/response tooling through Cortex Xpanse and Cortex XSIAM.
  • Unit 42’s post-processing (WHOIS checks, active crawls, certificate/content comparison) reduces false positives and enables quick customer protection, with detection in about 10 minutes in the new model.

MITRE Techniques

  • [T1071] Command and Control – Use of multiple command-and-control domains to maintain communications with compromised systems. (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1003] Credential Dumping – Attackers harvest credentials from infected machines to escalate access. (‘It then harvested various credentials’)
  • [T1566] Phishing – Hijacked domains were used to host phishing pages to steal login details. (‘redirected users to phishing sites to steal their login credentials’)
  • [T1176] Domain Fronting – Abuse of legitimate domain infrastructure to mask malicious activity and make communications appear legitimate. (‘Uses a legitimate domain to mask malicious activity.’)
  • [T1190] Exploitation of Public-Facing Applications – Targeting vulnerabilities or weaknesses in publicly accessible services to change DNS records or site content. (‘Targets vulnerabilities in publicly accessible applications.’)

Indicators of Compromise

  • [Domains] Hijacked domain examples – dkujpest[.]hu, c-sharp[.]in (used to host phishing or gambling sites).
  • [IP addresses] Attacker-hosted IPs – 176.9.24[.]28, 139.59.255[.]10, 135.148.57[.]147, 152.70.176[.]210, 159.223.92[.]200 (observed hijack endpoints).
  • [Nameservers] Malicious NS records – ns1[.]csit-host[.]com, ns2[.]csit-host[.]com (used when nameservers were redirected to the attacker IP).
  • [Subdomains/Records] Hijacked host records – mail.uts.ac[.]id, ns5.uts.ac[.]id (added/changed during the uts.ac[.]id hijack to point at attacker-controlled IPs).

Palo Alto Networks’ Unit 42 explains how they detect DNS hijacking by combining massive passive DNS (pDNS) stores and geolocation data with a trained random-forest model. The system filters new DNS records, computes 74 features that compare new resolutions to historical behavior, and uses WHOIS checks plus active web crawls and certificate/content comparisons to confirm true hijacks and reduce false positives.
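The history-comparison step described above, as an added example that is not Unit 42's code: a handful of features of the kind the pipeline computes (new ASN or country for the domain, nameserver moved to a never-used host, how many other domains already point at the same rdata, and how long the previous record had been stable) extracted from constructed passive-DNS records, with a rule-based score standing in for the trained random forest. All domains, IPs, ASNs and dates below are made up.

```python
from datetime import date
# Constructed passive-DNS history: (first_seen, domain, rrtype, rdata).
# A real pipeline reads this from a pDNS store; every value here is made up.
HISTORY = [
    ("2023-01-01", "party.example", "A", "203.0.113.10"),
    ("2023-01-01", "party.example", "NS", "ns1.party.example"),
    ("2023-06-01", "party.example", "A", "203.0.113.11"),
    ("2024-02-01", "other.example", "A", "198.51.100.7"),
    ("2024-02-03", "third.example", "A", "198.51.100.7"),
]

# Constructed (ASN, country) lookup standing in for a GeoIP/ASN database.
GEO = {
    "203.0.113.10": ("AS64500", "HU"),
    "203.0.113.11": ("AS64500", "HU"),
    "198.51.100.7": ("AS64501", "DE"),
}
def extract_features(new_rec, history=HISTORY, geo=GEO):
    """Compare one new record with the domain's history (a small subset of the 74 features)."""
    seen, domain, rrtype, rdata = new_rec
    own = [r for r in history if r[1] == domain]
    same_type = [r for r in own if r[2] == rrtype]
    hist_asn = {geo.get(r[3], ("?", "?"))[0] for r in own if r[2] == "A"}
    hist_cc = {geo.get(r[3], ("?", "?"))[1] for r in own if r[2] == "A"}
    asn, cc = geo.get(rdata, ("?", "?"))
    f = {}
    # Does the new A record land in an ASN / country this domain never used before?
    f["new_asn"] = int(rrtype == "A" and asn not in hist_asn)
    f["new_country"] = int(rrtype == "A" and cc not in hist_cc)
    # Did the nameserver move to a host this domain has never delegated to?
    f["ns_changed"] = int(rrtype == "NS" and rdata not in {r[3] for r in same_type})
    # How many other domains already point at this rdata (attacker IP reuse).
    f["shared_rdata"] = len({r[1] for r in history if r[3] == rdata and r[1] != domain})
    # How long the previous record of this type had been stable before this change.
    if same_type:
        last = max(date.fromisoformat(r[0]) for r in same_type)
        f["days_since_change"] = (date.fromisoformat(seen) - last).days
    else:
        f["days_since_change"] = -1
    return f

def is_suspicious(new_rec, history=HISTORY, geo=GEO):
    """Rule-based stand-in for the trained random forest; the output is a triage flag, not proof."""
    f = extract_features(new_rec, history, geo)
    score = 2 * f["new_asn"] + f["new_country"] + 3 * f["ns_changed"] + min(f["shared_rdata"], 3)
    # A long-stable record that suddenly moves is the classic hijack shape.
    if f["days_since_change"] > 180 and (f["new_asn"] or f["ns_changed"]):
        score += 1
    return score >= 3, f
```

Records that score as suspicious are exactly the ones the article's post-processing (WHOIS checks, active crawls, certificate and content comparison) exists to confirm or discard, since a legitimate hosting migration produces the same feature shape.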

The detection pipeline flagged thousands of suspicious records from billions of new entries and surfaced several high-profile incidents in early 2024: a Hungarian political party’s site (dkujpest[.]hu) redirected to phishing pages, multiple U.S. organizations’ sites defaced and pointed to 176.9.24[.]28 (linked to Garuda Security defacements), and academic/research domains repurposed to host illicit gambling. These cases illustrate attackers’ tactics: nameserver changes, reuse of attacker IP space, and reuse of hijacked domains for phishing and monetized abuse.

Customers can gain automated protections via Palo Alto Networks’ Next-Generation Firewall with the Advanced DNS Security subscription, while Cortex Xpanse and Cortex XSIAM help identify susceptible CNAME/NS records and respond to subdomain risks. Unit 42 also offers incident response support for urgent compromises.

Read more: https://unit42.paloaltonetworks.com/detect-dns-hijacking-passive-dns/