Registrar in Metasploit DNS Hijacking Not Duped by Fax

Rapid7 said today that an employee at its registrar, Register.com, was duped out of their credentials, leading to a DNS hijacking attack against the Rapid7 and Metasploit websites.

The registrar for the Metasploit and Rapid7 websites, both of which were victims of a DNS hijacking attack on Friday, was not duped by a spoofed change request sent via fax as it originally reported.

Instead, a Register.com employee likely fell victim to a social engineering scam that resulted in the loss of the employee’s legitimate credentials that were used to infiltrate the registrar and manipulate the DNS settings for both sites.

The homepages for Metasploit and Rapid7 pointed to a website reportedly belonging to a pro-Palestine hacker collective going by the name KDMS. The group hijacked the sites, and visitors were greeted with a note claiming responsibility for the attacks and for similar DNS hijackings carried out against other security companies.

A Rapid7 spokesperson said that Register.com updated the company today, adding that the original report was unintentionally communicated by Register.com.

“We’re waiting to receive the report from Register.com and we don’t know exactly when we’ll get it (though obviously we’re hoping for it as soon as possible),” Rapid7 said in a statement sent to Threatpost. “Once we have the information, we will absolutely share what we can to help educate others so they can protect themselves from the same threats.”

Rapid7 chief security officer and Metasploit creator HD Moore said via a stream of tweets on Friday morning that the DNS hijacking was quickly resolved and cautioned others working with Register.com to check their respective DNS records because the group claiming responsibility likely had the ability to redirect any domain with that registrar.

The attack on Register.com capped off a busy week of similar attacks against registrars. KDMS claimed responsibility for an attack against Network Solutions, a large U.S.-based domain registrar and hosting provider. A number of security companies working with Network Solutions suffered similar DNS hijackings and had traffic redirected to a KDMS-controlled domain.

A similar attack was carried out against Leaseweb, though it was originally reported that the registrar was compromised via an exploit of a vulnerability in WHMCS client and billing software used by the company. That was quickly refuted by Leaseweb in a statement on its website; Leaseweb said the attackers obtained a domain administrator password and used the credentials to access the registrar.

The WHMCS bug, which has been patched, was used to attack PureVPN. Attackers were able to reach the VPN provider’s user database and send out a mass email that said the service was to be shut down and that some customers could soon be hearing from law enforcement.

“Further and thorough audit on our VPN systems has confirmed that there was absolutely no breach on the VPN network and throughout the incident our VPN service continued to operate securely,” PureVPN cofounder Uzair Gadit wrote in an email to customers. “No technical usage data was compromised and since we do not store users’ activity logs, our users are hereby assured of full anonymity and security throughout.”
