The Latest in IT Security

Ascio Registrar Compromised – Brings Down UPS.com, Theregister and Others

05
Sep
2011


If you tried to visit today the sites for UPS.com, theregister.co.uk, Vodafone, The Daily Telegraph and some other high profile sites, you would have received a scary message saying that they’ve been hacked (by turkguvenligi):

And they were indeed hacked, but not in the way most people think. Their servers were not compromised, in fact it had nothing to do with their sites. Ascio.com, a domain registrar (used by all of them) was hacked, which lead to the DNS servers of those sites to be modified to:

ups.com name server ns3.yumurtakabugu.com.
ups.com name server ns2.yumurtakabugu.com.
ups.com name server ns1.yumurtakabugu.com.
ups.com name server ns4.yumurtakabugu.com.

theregister.co.uk name server ns1.yumurtakabugu.com.
theregister.co.uk name server ns3.yumurtakabugu.com.
theregister.co.uk name server ns2.yumurtakabugu.com.
theregister.co.uk name server ns4.yumurtakabugu.com.

Having control of their DNS, the attackers redirected their web pages to 68.68.20.116 where it had that “hacked” message. And as you can see in their whois information, the records were modified today (at around 1am):

Registrar:
Ascio Technologies Inc t/a Ascio Technologies inc [Tag = ASCIO]
URL: http://www.ascio.com

Record created: 2010-10-04 17:54:28
Record last updated: 2011-09-04 22:24:04
Record expires: 2019-05-17 01:00:00

You know what is scarier? Is that with full DNS control, they would be able to redirect and read any email sent to them, mess with their internal communications, and even steal passwords if SSL/encryption is not used. However, it seems the attackers didn’t do any of the above, since the MX and other records seemed in tact.

You know what is interesting? If they were using our web integrity monitoring, they would have received the alert much sooner that the Whois was modified and later that NS and other IP addresses were changed. Early detection is the key in most cases.

Leave a reply


Categories

THURSDAY, MARCH 28, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments