Gandi, a domain name registrar and cloud hosting company, admitted that over 750 web addresses had been stolen.
On July 7, an unidentified attacker obtained the company’s login credentials, which granted him access to a technical provider that connects Gandi to 27 top-level domains. Those included .au, .asia, .ch, .se, and .jp.
The login credentials enabled the attacker to change the configuration on the official nameservers for 751 domain addresses. He then rerouted all the hijacked domains to a malicious website.
It wasn’t until four hours later that one of the registry operators noticed something suspicious about the changes. Shortly afterwards, the company’s technical experts reset the logins and began resolving the issue. Overall, the whole process lasted for more than three hours.
This week, Gandi published a detailed report talking about the incident. According to it, “the unauthorized changes were in place at the most for 8 to 11 hours.”
SCRT, a Swiss information security company, was one of those affected by the hijack. They posted about the attack on their blog. Commenting on the situation, they stated that the attacker redirected their website “to another host serving up an exploit kit that would try to infect vulnerable browsers.”
The company also added that they couldn’t receive their incoming emails, as the hijacker had redirected them to another server. However, the attacker had not configured that mail server and could not read the emails.
SCRT went on to mention that the hijacker could equally have used this kind of attack to obtain and read the company’s incoming emails. Once the attack was over, the company took additional security measures to better protect their website and DNS. Those included:
- Preloading Strict-Transport-Security into browsers to ensure protection for all visitors.
- Monitoring DNS resolution by means of crawling the entire hierarchy.
- Discussing better detection methods for similar attacks with its registry (.ch).
- Implementing Domain Name System Security Extensions (DNSSEC).
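The first two measures in the list above can be turned into concrete checks. The following is an added illustration, not SCRT’s or Gandi’s own tooling: it re-walks a domain’s NS delegation from the root down, compares every level with a recorded baseline (so a re-pointed delegation at the registry, as in this incident, is flagged), and verifies that a Strict-Transport-Security header meets the hstspreload.org submission requirements. The zone trees, nameserver names and the `example.ch.` domain are constructed data; the `lookup` callable stands in for a real query against the parent zone’s authoritative servers.

```python
"""Delegation-walk monitor plus HSTS preload check.

Added example illustrating the measures SCRT listed; not their or Gandi's
code.  The zone data below is constructed so that the walk runs offline;
in production `lookup` would send a non-recursive NS query to the parent
zone's authoritative servers (never to a caching resolver, which could
hide a fresh change)."""
from typing import Callable, Dict, List, Tuple

# Constructed zone trees (assumed data): parent zone -> {child: [NS hosts]}.
# Root delegates "ch.", the .ch registry delegates "example.ch.".
TREE_BASELINE: Dict[str, Dict[str, List[str]]] = {
    ".": {"ch.": ["a.nic.ch.", "b.nic.ch."]},
    "ch.": {"example.ch.": ["ns1.example.ch.", "ns2.example.ch."]},
}
# The same tree after a registrar-side change re-pointed the delegation.
TREE_HIJACKED: Dict[str, Dict[str, List[str]]] = {
    ".": {"ch.": ["a.nic.ch.", "b.nic.ch."]},
    "ch.": {"example.ch.": ["ns1.attacker.example.", "ns2.attacker.example."]},
}
# Recorded known-good delegation: zone -> nameservers the parent should hand out.
BASELINE: Dict[str, List[str]] = {
    "ch.": ["a.nic.ch.", "b.nic.ch."],
    "example.ch.": ["ns1.example.ch.", "ns2.example.ch."],
}

Lookup = Callable[[str, str], List[str]]


def make_lookup(tree: Dict[str, Dict[str, List[str]]]) -> Lookup:
    """Build an offline lookup(parent, child) -> NS list over a constructed tree."""
    def lookup(parent: str, child: str) -> List[str]:
        return sorted(tree.get(parent, {}).get(child, []))
    return lookup


def labels_from_root(fqdn: str) -> List[str]:
    """'example.ch.' -> ['.', 'ch.', 'example.ch.'] (every zone cut on the path)."""
    parts = [p for p in fqdn.rstrip(".").split(".") if p]
    out = ["."]
    for i in range(len(parts) - 1, -1, -1):
        out.append(".".join(parts[i:]) + ".")
    return out


def walk_delegation(fqdn: str, lookup: Lookup) -> List[Tuple[str, List[str]]]:
    """Ask each parent zone which nameservers it delegates the next label to.
    Returns [(zone, sorted NS list)] for every delegation point."""
    chain = labels_from_root(fqdn)
    return [(child, lookup(parent, child)) for parent, child in zip(chain, chain[1:])]


def check_delegation(fqdn: str, lookup: Lookup, baseline: Dict[str, List[str]]) -> List[str]:
    """Compare a fresh walk against the baseline; one alert string per mismatch."""
    alerts = []
    for zone, observed in walk_delegation(fqdn, lookup):
        expected = sorted(baseline.get(zone, []))
        if observed != expected:
            alerts.append(f"{zone}: expected {expected}, observed {observed}")
    return alerts


def hsts_preload_ready(header: str) -> bool:
    """True if a Strict-Transport-Security value satisfies the preload list
    rules: max-age of at least 31536000 seconds, includeSubDomains, preload."""
    directives = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= 31536000 and "includesubdomains" in directives and "preload" in directives


if __name__ == "__main__":
    print("baseline :", check_delegation("example.ch.", make_lookup(TREE_BASELINE), BASELINE))
    print("hijacked :", check_delegation("example.ch.", make_lookup(TREE_HIJACKED), BASELINE))
    print("hsts ok  :", hsts_preload_ready("max-age=63072000; includeSubDomains; preload"))
```

Run on a schedule against the real parent zones, the walk catches exactly the class of change seen here: the registrant’s own zone still answers correctly, but the delegation the registry publishes now points elsewhere. Checking the parent rather than the child is the point, since a compromised registrar account changes the parent’s records while leaving the victim’s servers untouched.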
At the moment, Gandi’s security specialists are actively working to establish how the attack could have happened in the first place.
In its report, the company apologized for the incident, saying: “We sincerely apologize that this incident occurred. Please be assured that our priority remains on the security of your data and that we will continue to protect your security and privacy in the face of ever-evolving threats.”