A pro-Palestinian hacktivist group managed to briefly hijack the Metasploit website of security firm Rapid7 on Friday after faxing a DNS change request to its registrar, the firm’s chief research officer HD Moore has admitted.
News of the attack emerged when newbie hackers ‘Kdms Team’ announced the takeover on Twitter with a series of brief messages concluding with a simple “Hello Rapid7.”
The attack appears to have lasted for a period of nearly an hour before Rapid7’s Moore took to Twitter to reply. “I can confirm that the DNS settings were changed for a few minutes and pointed to 22.214.171.124,” he said.
After ruefully admitting the attack had been “creative”, Moore said that it had occurred after a simple bogus fax request to its registrar, Register.com. “Hacking like it's 1964,” Moore added, gamely.
Earlier this week, the same Kdms Team burst on to the hacktivist scene with an identical and equally embarrassing attack on several Internet firms, including security firms AVG and Avira and messaging firm WhatsApp. That attack pivoted around a more orthodox password change request to Network Solutions.
Where the group got the DNS change idea from is no mystery. In late August the New York Times suffered a serious domain-redirection attack by the Syrian Electronic Army (SEA) that kept the site offline for several days. As with the New York Times, Rapid7's Moore admitted the firm does not use domain locking to raise the level of authentication required for DNS change requests.
“We sign binaries, publish checksums, and authenticate updates, so not a big deal, just annoying,” commented Moore.
“When security companies can be hijacked, that's a good indicator of how fragile DNS is and what a single point of failure DNS providers have become,” commented Robert Hansen, technical evangelist at WhiteHat Security.
“Hijacking session tokens, stealing usernames and passwords and redirecting email are just some of the things that become possible when DNS is hijacked,” he said.