Thousands of Dutch websites served up malware this week after what was initially thought to be a DNS server hack at SIDN, the Dutch administrator of the .nl domain extension.
On Monday, the website of large Dutch online electronics retailer Conrad.nl was reportedly found to be serving malware, and was taken down shortly after. What appeared to be an isolated incident at first would soon turn out to be a much bigger problem.
According to several news reports, hackers managed to access the DRS (domain registration system) of SIDN on Monday morning, effectively redirecting traffic for domains in SIDN's DRS to external name servers. According to Dutch security firm Fox-IT, which investigated the matter, the hack affected thousands of domains, all forwarding unsuspecting visitors to a page showing 'Under Construction' while serving malware via an iframe. The malware in question was the , which gains access to PCs via Java and PDF vulnerabilities. Once installed, it downloads further malware that communicates with C&C servers via Tor.
Even though the redirects were discovered fairly quickly, the ripple effect of the problem lasted significantly longer: the rogue name server records had been given a DNS time to live (TTL) of 24 hours, so the caching resolvers of many ISPs kept using the erroneous DNS data for up to 24 hours after it was set.
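The TTL effect described above, as an added illustration that is not part of this article: a small Python simulation of an ISP cache that keeps handing out hijacked NS records until the TTL expires, together with the delegation check a domain owner can run against the name servers their registrar is expected to publish. All domain and host names are constructed placeholders, not values from the incident.

```python
from dataclasses import dataclass, field

# Constructed sample data: hypothetical names, not the domains or hosts from the incident.
EXPECTED_NS = {
    "example-shop.nl": {"ns1.registrar.example", "ns2.registrar.example"},
}
ROGUE_NS = {"ns1.rogue.example", "ns2.rogue.example"}


def check_delegation(domain, observed_ns):
    """Compare the NS records seen in the live DNS with the registrar's expected set.
    Returns the unexpected name servers; an empty set means the delegation matches."""
    return set(observed_ns) - EXPECTED_NS.get(domain, set())


@dataclass
class CachingResolver:
    """Minimal ISP-style recursive resolver: serves a cached NS set until its TTL
    expires, regardless of whether the authoritative data has since been corrected."""
    cache: dict = field(default_factory=dict)  # domain -> (nameservers, expires_at)

    def resolve_ns(self, domain, authoritative, now):
        cached = self.cache.get(domain)
        if cached and now < cached[1]:
            return cached[0]  # still within TTL: stale answer, hijacked or not
        nameservers, ttl = authoritative(domain, now)
        self.cache[domain] = (frozenset(nameservers), now + ttl)
        return frozenset(nameservers)


def seconds_until_clean(ttl, fixed_at, poll_every=600):
    """Simulate a delegation hijacked at t=0 with the given TTL and restored at
    t=fixed_at. Returns the first poll time (seconds) at which a resolver that
    cached the rogue records at t=0 hands back the correct name servers again."""
    domain = "example-shop.nl"

    def authoritative(dom, now):
        # Registry/registrar view: rogue until the fix lands, correct afterwards.
        return (ROGUE_NS if now < fixed_at else EXPECTED_NS[dom]), ttl

    resolver = CachingResolver()
    t = 0
    while True:
        if not check_delegation(domain, resolver.resolve_ns(domain, authoritative, t)):
            return t
        t += poll_every


if __name__ == "__main__":
    print("unexpected NS:", check_delegation("example-shop.nl", ROGUE_NS))
    print("hours until clean:", seconds_until_clean(ttl=86400, fixed_at=3600) / 3600)
```

With a 24-hour TTL the cache stays poisoned for the full 24 hours even though the registrar restores the records after one hour; with a short TTL the exposure ends as soon as the fix lands.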
Meanwhile, SIDN released a statement explaining that several news reports on the incident were misleading: "Early on Monday, one particular registrar's DRS account (Digitalus) was used to make changes to the DNS. That registrar's name server details were replaced in the DNS with falsified details. As a result, people trying to visit the websites of that registrar's customers were directed elsewhere. SIDN's DRS was not interfered with, which would have had significant generalised implications for registrars, their customers and other market players. We wish to stress that SIDN's systems were not compromised".
The incident marks the second time in two months that SIDN has faced a security issue. Last month, hackers managed to compromise the systems of the domain administrator by means of an SQL injection, after which malware was placed on its servers. However, the administrator stresses that this hack is not related to the current incident and that the login credentials for the DRS account used to reroute the DNS were not obtained during that hack. Meanwhile, the Dutch National Cyber Security Center (NCSC) is investigating the incident.