On Saturday, hundreds of Pakistani portals and Web sites for some major organizations were by all appearance compromised, and defaced. However, as it turns out, a group of hackers used DNS redirection in order to perform the stunt, which allowed the domains time to recover – but not before the damage was done.
According to mirror records on Zone-H; Pakistani URLs maintained by Sony, Microsoft, Yahoo, PayPal, Fanta, Coke, Apple, HP, and Google all had their DNS poisoned and redistricted to websites with tags from a known Turkish hacking group. The DNS attack was enabled by a vulnerability in the registration scripts used by PKNIC. Some reports indicate that more than 300 domains were affected as a result of the attack.
PKNIC is responsible for the administration of all .PK domain names, including the operation of the DNS for the Root-Servers for .PK itself.
According to reports, PKNIC was warned about the vulnerabilities earlier this month, but dismissed the warnings as a joke or unreliable. In response, the hackers proved their point by targeting some of the largest domains held by them.
As Ram Mohan notes in a SecurityWeek column, “Attackers know that if they can control or impair their target's DNS, they achieve absolute leverage over their victim.” This is exactly what appears to be the case regarding the affected .pk domains this weekend.
“Why we have wasted our time to hack Pakistani Sites? Just because let us convey our message. We warned you and we were willing to fix your vulnerability but you think we are jokers and you guys took it as a joke? Yes it’s time to bang you guys!!” a translation of a hacked domain reads.
Interestingly enough, it would seem that PKNIC should have known something was wrong, when several Israeli domains had their DNS settings poisoned by supporters of OpIsrael, using the same vulnerability.
As to the vulnerability itself, PKNIC hasn’t issued any statements, but the current speculation is that they were open to SQL Injection and Cross-Site Scripting (XSS). The SQL Injection / XSS rumor grew early Monday morning, when alleged proof from one of the hacker’s involved in this weekend’s incident sent proof to security blog eHacking News.
“The hackers have claimed to have discovered a Boolean-based blind SQL injection, persistent cross site scripting, sensitive directory disclosure vulnerabilities in the official website of PKNIC,” the blog explained.
As of Monday morning, all of the targeted websites had recovered.
Related Reading: Five DNS Threats You Should Protect Against
Related Reading: The Top Five Worst DNS Security Incidents
Related Reading: The Implementation Challenges for DNSSEC
Related Reading: Four Ways to Prepare Your Enterprise for DNSSEC
Related Reading: Five Strategies for DNSSEC Key Management and Rollover
Related Reading: The Missing Ingredients for DNSSEC Success