SecurityWeek

Identity & Access

Expired Domain Allowed Researcher to Hijack Country’s TLD

A researcher claimed last week that he managed to take control of the country code top-level domain (ccTLD) for the Democratic Republic of Congo after an important domain name was left to expire.

Before the holidays, Fredrik Almroth, founder and researcher at web security company Detectify, decided to analyze the name server (NS) records used by all TLDs. NS records specify which servers are authoritative for a DNS zone, so whoever controls the domain a name server lives under controls the answers that zone gives.

He noticed that a domain named scpt-network.com, which had been listed as a name server for .cd, the TLD for Congo, had been left to expire. Almroth realized that the domain could be highly valuable to a bad actor, so he quickly acquired it himself to prevent abuse.

The remaining name servers managing the .cd TLD belonged to South African Internet eXchange (SAIX), which kept the TLD operational. However, gaining control over the scpt-network.com domain could still have allowed a malicious actor to hijack half of the DNS traffic for .cd websites.
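The check Almroth ran, reduced to its core, is a question any zone owner can ask of their own NS records: does the registrable domain under each name server still exist? The script below is an added example (not code from the article or from Detectify) that groups a zone's NS hostnames by parent domain, flags parents whose delegation has lapsed, and reports what share of the zone's name servers depend on them. It assumes a constructed offline lookup stub and approximates the registrable domain by the last two labels; a real audit would query DNS and use the Public Suffix List.

```python
"""Audit a zone's NS records for parent domains that have lapsed.

Added example, not code from the article or Detectify. Given a zone's NS
hostnames and a lookup callable, it reports name servers whose registrable
parent domain no longer has an NS delegation (the condition that exposed .cd)
and the share of the zone's NS records that depend on them. Assumptions: the
lookup is a constructed offline stub (in practice pass one that queries DNS,
e.g. dnspython's dns.resolver.resolve(name, "NS")), and the registrable domain
is approximated by the last two labels, which is wrong for suffixes such as
co.uk; use the Public Suffix List for real audits.
"""
from collections import defaultdict

# Constructed sample: four NS records across two operators, loosely modelled
# on the .cd case (two healthy, two under a lapsed domain).
SAMPLE_NS = [
    "ns1.example-ix.net.",
    "ns2.example-ix.net.",
    "ns1.lapsed-operator.com.",
    "ns2.lapsed-operator.com.",
]
# Constructed stub of registry state: does the parent domain still delegate?
SAMPLE_DELEGATED = {"example-ix.net": True, "lapsed-operator.com": False}

def registrable_domain(host: str) -> str:
    """Approximate registrable domain: the last two labels, lower-cased."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def stub_lookup(domain: str) -> bool:
    """Offline stand-in for 'does this domain still have NS records?'."""
    return SAMPLE_DELEGATED.get(domain, False)

def audit_zone_ns(ns_hosts, lookup=stub_lookup):
    """Return ({lapsed_parent: [ns hosts]}, fraction of NS records affected)."""
    hosts = list(ns_hosts)
    by_parent = defaultdict(list)
    for host in hosts:
        by_parent[registrable_domain(host)].append(host)
    lapsed = {p: h for p, h in by_parent.items() if not lookup(p)}
    affected = sum(len(h) for h in lapsed.values())
    return lapsed, (affected / len(hosts) if hosts else 0.0)

if __name__ == "__main__":
    lapsed, share = audit_zone_ns(SAMPLE_NS)
    for parent, hosts in lapsed.items():
        print(f"LAPSED {parent}: {', '.join(hosts)}")
    print(f"{share:.0%} of NS records depend on a lapsed parent domain")
```

Run the same function over the NS set of every zone you operate (or, as Almroth did, over every TLD's delegation) with a real lookup, and any non-zero share is a name server whose parent domain anyone could register.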

[Image: Congo TLD .cd name servers]

Almroth believes the impact could have been significant considering that the African country has a population of approximately 90 million people, as well as the fact that many international organizations have a .cd website.

The researcher noted that a threat actor could have redirected DNS traffic from legitimate sites to phishing or other malicious websites, passively intercepted DNS traffic for surveillance or data exfiltration, or used the position for fast fluxing to hide malicious websites.

Hackers could also have abused this access for remote code execution on local networks, taken control of the domains of high-profile organizations, or launched DDoS attacks against a specific target. They could also have disrupted much of the TLD, Almroth said.

In a blog post published last week, the researcher provided examples of how some of these attacks could have been carried out.


Almroth has been trying to return scpt-network.com to its rightful owner. In the meantime, the TLD's administrators, whom the researcher notified in early January, have replaced the name servers with ones under scpt-network.net.

“The potential implications for DNS hijacking of a ccTLD are widespread and have extreme negative consequences, especially if the attacker has bad intentions,” Almroth explained in his blog post. “This vulnerability affects more than a single website, subdomain, or even a single apex domain. All .cd websites, including those for major international companies, financial institutions, and other organizations that have a .cd domain in Africa’s second most populous country could have fallen victim to abuse, including phishing, MITM, or DDoS.”

Related: DHS Warns Federal Agencies of DNS Hijacking Attacks

Related: Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users

Related: State-Sponsored Hackers Use Sophisticated DNS Hijacking in Ongoing Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
