Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.

This Monday, the domain registrar Gandi posted a report in its blog that, on the Friday before, 751 customer domain registrations at 34 top-level registries had been redirected for several hours to servers distributing malware. Apparently Gandi's own account with with an intermediary between them and the 34 registries in question was compromised, with all the changes made through this account over a period of one hour and forty minutes from 08:04 UTC that morning, and then began being reverted by Gandi staff some four hours later. In the worst case would have lasted for a total of up to 11 hours as the corrective measures took their time to propagate through the network.
To their credit, Gandi have been open and honest about the incident from the moment it was brought to their attention.
Again, more than one perspectives on this incident arise. How did it occur, what was the impact, and how could it have been prevented or detected sooner?
Gandi's best guess, at present, as to the cause is that credentials were hijacked from an insecure connection to their partner's portal, which until late 2016 was still conducting unencrypted transactions. How someone would have intercepted this traffic is unclear, but it highlights the risks of unencrypted traffic. A sophisticated attacker does not necessarily need to be directly "in line" to gain a view of network packets between end points. Various methods exist for a sufficiently well resourced attacker to cause packets to take a different path over which they have control or visibility.
The impact is difficult to assess. Reports do not clarify where the domains in question were redirected to, or what malware was being distributed from it, but the spectrum of domains manipulated is sufficiently broad to suggest that it was not a specifically targeted attack, but rather an attempt at spreading the malware world-wide. It is possible that this was a very big net to catch a small fish, but it seems more likely that it was a criminal activity aimed at as large a population of victims as they could reach, which in turn suggests it was probably one of two things: ransomware, or botnet software.
How the incident could have been prevented is easy, if Gandi's own surmise is correct. Sensitive transactions should never have been taking place over unencrypted HTTP, and credentials in use in late 2016 should not still be valid. With all the threats presented in the contemporary world there is very little technical reason why all traffic across the public Internet should not be encrypted over TLS, but certainly anything sensitive should. Credentials, no matter what for, be they human interactive accounts or automated B2B services should be subject to periodic expiry and renewal. This tends to happen for regular user accounts, but machine and process or administration accounts are often over-looked.
Detection, here, is probably the hardest issue to address. The changes were made remotely through Gandi's account on with a third-party system. Short of actively monitoring the registration state of all their customers domains (which they claim number around 2.1 million) in real time, it is hard to see how detection could have been improved beyond them being notified of the anomalous behaviour by one of the affected registries as actually happened.