Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Was the Brazilian version of Google hijacked two days ago? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Was the Brazilian version of Google hijacked two days ago?

ISC reader Renato Marihno wrote in with some interesting observations out of Brazil the last couple of days.  It seems for about 30 minutes on January 3rd, google.com.br did not point to Google's IP space and the nameservers were set to ns1-leader.vivawebhost.com and ns2-leader.vivawebhost.com.  The issue was relatively quickly discovered and corrected but still shows the risk that hijacked registrant account access can be for enterprises.  You can read Renato's write up on LinkedIn.

This is a reminder that if an attacker controls DNS, they control everything. And if they control your domain registrant account, they control DNS.  This attack was crude and easy to discover, but it would be very easy to set of a man-in-the-middle attack using such a technique without a mitigating control like TLS in place.  Make sure your domain registry accounts require two-factor authentication and have strong passwords.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

John

239 Posts
ISC Handler
www dot google dot com dot vn

we have seen unusual referrer headers coming from the Vietnamese google locale, over the past 7 days too.
Anonymous

Posts
As I'm writing, uol.com.br was redirected to xvideos.com
Mauro

1 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!