Hosting provider LeaseWeb falls victim to DNS hijacking

The company believes attackers obtained domain administrator credentials and used them to change the domain's DNS records at the registrar

By Lucian Constantin, IDG News Service | Security

Hosting provider LeaseWeb became the latest high-profile company to have its domain name taken over by attackers, highlighting that DNS (Domain Name System) hijacking is a significant threat, even to technically adept businesses.

For a short time on Saturday, leaseweb.com, the company's main website, resolved to an IP address that wasn't under its control. This was the result of a so-called DNS hijacking attack in which the attackers managed to change the authoritative name servers registered for the company's domain name, so that every lookup for the domain was answered by servers they controlled.

Because changes to a domain's delegation take time to propagate, and because recursive DNS resolvers keep serving the records they have cached until the time to live (TTL) on those records expires, with some resolvers caching for considerably longer than others, not all users were affected by the incident: many were still being handed the legitimate records from cache.

However, those users who were impacted and attempted to visit the company's website were redirected to a Web page crediting a hacker group called KDMS Team for the attack.

The rogue page contained messages from the hackers, including "what are you is a hosting company with no security" and "we owned all of your hosted sites."

"Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed," LeaseWeb said in a blog post Sunday after resolving the issue. "No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack."

LeaseWeb is a large provider of public cloud, private cloud, dedicated hosting, colocation and content delivery services with subsidiaries in the U.S., Germany and the Netherlands. It has over 15,000 customers that range from small businesses to large enterprises and claims to manage almost 4 percent of global IP traffic.

LeaseWeb is still investigating how the attackers managed to change the DNS records for its domain name, but it appears they obtained the domain administrator password for the company's account at the registrar from which LeaseWeb bought its domain.

Spear phishing might have been a part of the attack, but at this point the investigation is ongoing so there's no definitive answer, Alex de Joode, senior legal counsel of LeaseWeb, said Monday via email.

Because of this attack, emails sent to @leaseweb.com addresses while the rogue DNS records were in place did not reach the company's email server. The rogue Web server where the domain was pointed by the attackers did not have email service configured, so no email messages were compromised, de Joode said.

There's also no indication the rogue Web page served malware or was used to steal credentials, he said.
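The mechanics described above, a delegation swapped at the registrar, resolvers that keep serving the old records until their TTL runs out, and mail going nowhere because the rogue zone defines no MX record, can be modelled in a few lines. The following is an added example and is not code from the article, from LeaseWeb or from IDG; every zone, name, address, TTL and timestamp in it is constructed sample data using reserved example names and documentation IP ranges, and the `audit` function is simply the comparison a monitoring check would make against the records the domain owner expects.

```python
"""Toy model of a registrar-level DNS hijack (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Key = Tuple[str, str]                         # (owner name, record type)
Zone = Dict[Key, Tuple[int, FrozenSet[str]]]  # key -> (TTL in seconds, RRset)

# Answers given by the legitimate name servers (constructed sample data).
LEGITIMATE_ZONE: Zone = {
    ("example.com.", "NS"): (172800, frozenset({"ns1.example.net.", "ns2.example.net."})),
    ("example.com.", "A"):  (86400, frozenset({"203.0.113.10"})),
    ("example.com.", "MX"): (86400, frozenset({"10 mail.example.com."})),
}
# Answers given by the attacker's name servers once the NS records at the
# registrar have been swapped (constructed). No MX record is defined, so mail
# for the domain has nowhere to go while this delegation is in effect.
ROGUE_ZONE: Zone = {
    ("example.com.", "NS"): (60, frozenset({"ns1.attacker.example."})),
    ("example.com.", "A"):  (60, frozenset({"198.51.100.66"})),
}
NEGATIVE_TTL = 300  # assumed cache lifetime of a "no such record" answer


@dataclass
class CacheEntry:
    rrset: FrozenSet[str]
    cached_at: int
    ttl: int

    def fresh(self, now: int) -> bool:
        return now < self.cached_at + self.ttl


@dataclass
class Resolver:
    """A caching recursive resolver. max_ttl models resolvers that cap how long
    they keep a record; otherwise the zone's own TTL applies."""
    name: str
    max_ttl: int
    cache: Dict[Key, CacheEntry] = field(default_factory=dict)

    def lookup(self, qname: str, qtype: str, now: int, delegation: Zone) -> FrozenSet[str]:
        key = (qname, qtype)
        entry = self.cache.get(key)
        if entry is not None and entry.fresh(now):
            return entry.rrset  # still serving the pre-hijack answer from cache
        ttl, rrset = delegation.get(key, (NEGATIVE_TTL, frozenset()))
        self.cache[key] = CacheEntry(rrset, now, min(ttl, self.max_ttl))
        return rrset


def audit(resolvers: List[Resolver], expected: FrozenSet[str], qname: str,
          qtype: str, now: int, delegation: Zone) -> Dict[str, FrozenSet[str]]:
    """Monitoring check: query every resolver and report those whose answer
    differs from the records the domain owner expects to be published."""
    drift: Dict[str, FrozenSet[str]] = {}
    for r in resolvers:
        answer = r.lookup(qname, qtype, now, delegation)
        if answer != expected:
            drift[r.name] = answer
    return drift


def simulate() -> Dict[str, Dict[str, Dict[str, FrozenSet[str]]]]:
    """Fill two resolver caches while the delegation is legitimate, then swap
    the delegation and audit at two later times. Timings are constructed."""
    resolvers = [Resolver("isp-resolver", max_ttl=172800),
                 Resolver("short-ttl-resolver", max_ttl=300)]
    for r in resolvers:                      # t=0: everything is still legitimate
        for qname, qtype in LEGITIMATE_ZONE:
            r.lookup(qname, qtype, 0, LEGITIMATE_ZONE)
    # The attacker then changes the NS records at the registrar: from here on,
    # anything a resolver does not have cached is answered by ROGUE_ZONE.
    results: Dict[str, Dict[str, Dict[str, FrozenSet[str]]]] = {}
    for now in (3600, 200000):
        snapshot = {}
        for qtype in ("NS", "A", "MX"):
            expected = LEGITIMATE_ZONE[("example.com.", qtype)][1]
            snapshot[qtype] = audit(resolvers, expected, "example.com.", qtype, now, ROGUE_ZONE)
        results[f"t={now}"] = snapshot
    return results


if __name__ == "__main__":
    for when, snapshot in simulate().items():
        for qtype, drift in snapshot.items():
            print(when, qtype, "hijacked view at:", drift or "none")
```

One hour after the swap only the resolver with the short cache cap returns the attacker's NS and A records and an empty MX set; the resolver honouring the two-day TTL on the NS records still answers with the legitimate data. Two days later both resolvers have expired their caches and both show the hijacked view, which is why a real monitoring check should query several independent resolvers, and the registrar's own delegation, rather than trusting the one the monitoring host happens to use.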
