[dns-operations] FireEye reports long-running DNS hijacking campaign
Paul Hoffman
phoffman at proper.com
Sat Jan 12 17:36:47 UTC 2019
On 12 Jan 2019, at 9:05, Barry Raveendran Greene wrote:
> The press cycle is disturbing. The quick summary, threat-actors are
> breaking into the registrar and (it appears) the primary servers. They
> then set up long term MITM interceptions through proxies.
>
> It is not really a “hijack.”
From the description in the FireEye article, it is indeed a hijack, but
only for a short term. They revert to the regular A or NS records as
soon as they have intercepted what they want, likely to reduce the
chance of exposure. (The article admits that it is not a complete
description of the attack.)
--Paul Hoffman
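A detection-side illustration of the change-then-revert pattern described above, added here as an example that is not part of the original thread: it compares periodic A/NS observations against an expected baseline and reports each window in which the records deviated and then came back. The baseline values, names and timestamps are constructed (RFC 5737 / RFC 2606 documentation ranges), not taken from the FireEye report.

```python
# Added example, not from the original thread: flag windows where a zone's
# observed A or NS records depart from an expected baseline and later revert,
# the short-lived change-then-revert pattern described in the message.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Observation:
    ts: int                # seconds since epoch (constructed sample clock)
    rrtype: str            # "A" or "NS"
    rdata: FrozenSet[str]  # record values returned at that time

Window = Tuple[str, int, Optional[int], FrozenSet[str]]

def find_transient_changes(baseline: Dict[str, FrozenSet[str]],
                           observations: List[Observation]) -> List[Window]:
    """Return (rrtype, start_ts, end_ts, rogue_rdata) for each deviation.
    end_ts is None when the records had not reverted by the last observation.
    The rogue set recorded is the first one seen in the window."""
    open_windows: Dict[str, Tuple[int, FrozenSet[str]]] = {}
    found: List[Window] = []
    for obs in sorted(observations, key=lambda o: o.ts):
        expected = baseline.get(obs.rrtype)
        if expected is None:
            continue  # no baseline for this type; nothing to compare against
        deviates = obs.rdata != expected
        if deviates and obs.rrtype not in open_windows:
            open_windows[obs.rrtype] = (obs.ts, obs.rdata)
        elif not deviates and obs.rrtype in open_windows:
            start, rogue = open_windows.pop(obs.rrtype)
            found.append((obs.rrtype, start, obs.ts, rogue))
    for rrtype, (start, rogue) in open_windows.items():
        found.append((rrtype, start, None, rogue))  # still deviating at end of data
    return found

# Constructed sample: documentation addresses (RFC 5737) and names (RFC 2606).
BASELINE = {
    "A": frozenset({"192.0.2.10"}),
    "NS": frozenset({"ns1.example.net", "ns2.example.net"}),
}
SAMPLE = [
    Observation(0, "A", frozenset({"192.0.2.10"})),
    Observation(0, "NS", frozenset({"ns1.example.net", "ns2.example.net"})),
    Observation(3600, "A", frozenset({"198.51.100.7"})),   # A record swapped out
    Observation(7200, "A", frozenset({"198.51.100.7"})),
    Observation(10800, "A", frozenset({"192.0.2.10"})),    # reverted to baseline
    Observation(10800, "NS", frozenset({"ns1.example.net", "ns2.example.net"})),
]

if __name__ == "__main__":
    for window in find_transient_changes(BASELINE, SAMPLE):
        print(window)
```

Because the deviation is brief, a single daily check can miss it entirely; the sample is only useful when the polling interval is shorter than the window the attacker keeps the changed records live.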