ICANN and IANA's domains hijacked by Turkish hacking group


Summary: What happens when the official domain names of the organizations that issue domain names in general, and provide all the practical guidance on how to prevent DNS hijacking, end up having their own domain names hijacked? A wake-up call for the Internet community.

TOPICS: Networking


The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the NetDevilz Turkish hacking group, which also hijacked Photobucket's domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being:

The ICANN and IANA websites were defaced earlier today by a Turkish group called "NetDevilz". ICANN is responsible for the global coordination of the Internet's system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.

NetDevilz left the following message on all of the domains:

"You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us? haha :) (Lovable Turkish hackers group)"


The following domains were hijacked, and some of them still return the defaced page: icann.net, icann.com, iana-servers.com, internetassignednumbersauthority.com and iana.com.

The hackers are once again redirecting visitors to Atspace.com, 82.197.131.106 in particular, the ISP that they used in the Photobucket DNS hijacking. And while Photobucket hasn't issued an official statement on the DNS hijack, Atspace.com did so last week, a copy of which you can find here.
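The practical lesson of a hijack like this one is that a domain owner should notice, from the outside, the moment their A or NS records stop matching what they published. The script below is an added example, not code from the article or from ICANN/IANA: it compares a domain's observed answers against a stored known-good baseline and reports the two changes described above, an A record pointing at an unrelated host and a swapped nameserver set. The baseline addresses and nameserver names are constructed (documentation ranges and `.example` names); only 82.197.131.106 comes from the post.

```python
"""Added example (not from the article): compare DNS answers for a domain
against a stored baseline and report the kind of change the post describes
(A records pointing at an unrelated host, nameservers swapped). All names and
addresses below are constructed for the demonstration, except
82.197.131.106, which the post names as the redirect target."""
import ipaddress
from typing import Iterable, List


def normalize_name(name: str) -> str:
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.strip().lower().rstrip(".")


class Baseline:
    """Expected state of one domain, recorded while the domain is known-good."""

    def __init__(self, a_records: Iterable[str], ns_records: Iterable[str],
                 allowed_nets: Iterable[str] = ()):
        self.a_records = {str(ipaddress.ip_address(ip)) for ip in a_records}
        self.ns_records = {normalize_name(n) for n in ns_records}
        # Prefixes the domain may legitimately move within (own allocation, CDN).
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_nets]

    def address_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return str(addr) in self.a_records or any(addr in net for net in self.allowed_nets)


def check_domain(domain: str, baseline: Baseline,
                 observed_a: Iterable[str], observed_ns: Iterable[str]) -> List[str]:
    """Return a list of findings; an empty list means the answers match the baseline."""
    findings = []
    observed_a = list(observed_a)
    observed_ns = {normalize_name(n) for n in observed_ns}

    # Any A record outside the baseline set and outside every allowed prefix is suspect.
    for ip in observed_a:
        if not baseline.address_allowed(ip):
            findings.append(f"{domain}: A record {ip} is outside the baseline")
    if not observed_a:
        findings.append(f"{domain}: no A records returned")

    # A changed delegation is the strongest signal of a registrar-level hijack.
    added = observed_ns - baseline.ns_records
    removed = baseline.ns_records - observed_ns
    if added or removed:
        findings.append(
            f"{domain}: NS set changed (added={sorted(added)}, removed={sorted(removed)})")
    return findings


# Constructed baseline: documentation ranges stand in for the real records.
ICANN_COM_BASELINE = Baseline(
    a_records=["192.0.2.10"],
    ns_records=["ns1.example.net.", "NS2.example.net"],
    allowed_nets=["192.0.2.0/24"])

# Constructed observations: a healthy answer and one mimicking the hijack.
HEALTHY = {"a": ["192.0.2.25"], "ns": ["ns1.example.net", "ns2.example.net"]}
HIJACKED = {"a": ["82.197.131.106"], "ns": ["ns1.hijacked.example"]}


def demo() -> dict:
    """Run the check over both constructed observations."""
    return {
        "healthy": check_domain("icann.com", ICANN_COM_BASELINE, HEALTHY["a"], HEALTHY["ns"]),
        "hijacked": check_domain("icann.com", ICANN_COM_BASELINE, HIJACKED["a"], HIJACKED["ns"]),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["OK"])
```

In production the observed answers would come from a resolver query (ideally from more than one vantage point, since a hijack at the registrar changes what every resolver sees), and the NS finding in particular should page someone: a registrar-level change is not something a web server compromise explains.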

The NetDevilz hacking group seems to be taking advantage of a very effective approach to hijacking domain names, and while they declined to respond to an email sent by Zone-H asking how they did it, speculation about a cross-site scripting or cross-site request forgery vulnerability has already begun.

One thing's for sure though, if the ICANN and IANA can lose control of their domains, anyone can.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

21 comments
  • Windows is to blame

    I hear that the Internet is basically run on Windows servers so it is hardly surprising that this happened. If ICANN would only switch to OS X I'm sure that no hacker would ever be able to break in.
    NonZealot
    • clueless

      Those servers are probably running some version of Unix, and probably Solaris.
      croberts
      • He got you...

        NonZealot was being sarcastic...and you helpfully made his point for him. :)
        wolf_z
    • 8.5 for catching a fish.

      nt
      riverab0@...
  • As of ...

    8:30 AM CST, they all still show the HIJACK and redirect .....
    Linux_4u!
  • Just wait till they do that to some banks!!!!!

    FUBAR

    So much for Internet Security........
    dragon@...
    • Re: Just wait till they do that to some banks!!!!!

      I'm more concerned about the situation when commercially oriented parties like malware authors learn how to do this on their own. So far, NetDevilz are doing nothing else but a proof of concept with no financial gain. They could have redirected to live exploit URLs, and actually served fake sites to obtain accounting data in Photobucket's case for instance. The hijack in the current state is an indirect denial of service attack against the affected parties.
      ddanchev
  • RE: ICANN and IANA's domains hijacked by Turkish hacking group

    I think the U.S. federal government and the U.S. military would be very interested in this.
    pwford@...
    • RE: ICANN and IANA's domains hijacked by Turkish hacking group

      You're thinking in the right direction, however, the impact of such hijackings affects every country's military and government.
      ddanchev
      • An interesting take on these kinds of things...

        Has anyone read the "Freedom of the Cyber Seas" article by Aaron Turner & Michael Assante? While dealing primarily with the US response to cyberthreats, it does make an analogy to international maritime law because of the global impact of these threats.

        http://www.csoonline.com/article/329164/Freedom_of_the_Cyber_Seas/1
        StephG72
  • question4ddanchev - are ip addresses vulnerable?

    I realize this is entirely about DNS, so if a person wants to securely connect to an Internet appliance they could use an ip address rather than rely on DNS to translate, but how easy would it be to hijack ip tables these days? I know it used to be easy...
    waecaidr@...
    • Re: question4ddanchev - are ip addresses vulnerable?

      The opportunities to do it in a misconfigured or compromised environment are countless - when there's a will there's a way. Even worse, when a clerk is empowered for the sake of efficiency, the old fashioned approach of having someone else do it for you, still works. A recent case:

      http://it.slashdot.org/article.pl?sid=08/04/29/2254242

      Once again, in a misconfigured or compromised environment, anyone can create a "twisted reality" if they put enough personal efforts into the attack.
      ddanchev
  • RE: ICANN and IANA's domains hijacked by Turkish hacking group

    I'm not particularly surprised by this, although I do admit it was unexpected. So far as I know, so far all they've done is leave turdlets behind; which so far is something to be grateful for, IMO.
    Have they done/Are they doing, any actual harm? If not, I consider their actions a great contribution to the security of the internet and an overdue wake-up call: Security has taken on a lazy attitude with little but greedy hackers looking to pull in bucks from any sucker they can get to believe them.
    Maybe it's time for something new and better, but what? I sure don't know. Meanwhile I keep a healthy amount of paranoia handy and refrain from being stupid enough to trust anything important to the 'net.

    I also have to just love it when some author says they wouldn't respond to an e-mail about how they did it? Duhhh!

    Want something interesting to do? Call your bank and present a scenario to them that empties your bank accounts to the full limit of FDIC et al (N.A) and ask them if you're covered for that kind of theft. Then ask for written proof. You'll find it a really interesting exercise.
    twaynesdomain-22354355019875063839220739305988
  • Obvious solution

    The solution is obvious: Stop using domain names. Use IP addresses only. Everyone should just know the IP addresses of their favorite sites. ;-)
    cburkitt2
    • LOL ....

      207.44.152.83
      69.32.142.109
      216.34.131.135
      guy@...
    • Re: Obvious solution

      Could be in an IPv4 Internet, but what about IPv6?

      http://www.ietf.org/rfc/rfc2732.txt
      ddanchev
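The RFC 2732 reference in the reply above is about a concrete parsing problem: an IPv6 literal contains colons, so without the bracket form a URL cannot tell the address apart from a port. The code below is an added example, not part of any comment in this thread, showing how a URL parser applies that rule and how to build a literal-address URL correctly. The IPv4 addresses are the three posted above; the IPv6 address is a constructed documentation-range value.

```python
"""Added example (not from the thread): handling IP literals in URLs, including
the RFC 2732 bracket form for IPv6. The IPv4 addresses are the three from the
thread; 2001:db8::1 is a constructed documentation-range address."""
import ipaddress
from typing import Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def host_literal(url: str) -> Optional[Tuple[IPAddr, Optional[int]]]:
    """Return (address, port) when the URL's host is an IP literal, else None.

    urlsplit() already applies RFC 2732: the brackets around an IPv6 literal
    separate the address's own colons from the ':port' separator, and
    .hostname returns the address with the brackets removed."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return None
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return None  # an ordinary hostname that still needs DNS
    return addr, parts.port


def literal_url(addr: str, scheme: str = "http",
                port: Optional[int] = None, path: str = "/") -> str:
    """Build a URL for an IP literal, bracketing IPv6 as RFC 2732 requires."""
    ip = ipaddress.ip_address(addr)
    host = f"[{ip.compressed}]" if ip.version == 6 else str(ip)
    if port is not None:
        host += f":{port}"
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    for url in ("http://207.44.152.83/", "http://69.32.142.109/",
                "http://216.34.131.135/", "http://[2001:db8::1]:8080/",
                "http://www.example.com/"):
        print(url, "->", host_literal(url))
    print(literal_url("2001:db8::1", "https", 443, "/login"))
```

Note that the unbracketed `http://2001:db8::1:8080/` is not merely ambiguous: a parser has no way to decide where the address ends and the port begins, which is exactly why the RFC mandates the brackets.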
  • Not just the domain registrar..

    they're also another victim club member.
    3dguru
  • Master Joe Says...

    Of course, the first comment comes from some absolute moron who blames Windows for this. Look back a couple of months in ZDNet, to an article that refers to the most vulnerable attack currently affecting corporate and enterprise networks. I believe it was UNPROTECTED LINUX MACHINES on the network. Those who sit around saying that Linux and Mac cannot get viruses should be absolutely ashamed to call themselves a part of the IT industry. That's like suggesting that a certain make or model of car is completely invulnerable to a breakdown or engine failure. It just doesn't happen that way. The difference in the two is that there aren't thousands, or even millions, of malicious hackers out there looking to exploit and control as many cars as possible, but that isn't the case for computers. And, if you're a malicious hacker, why are you going to target an operating system that only accounts for 5%, or so, of the market share, when there is one that, all by itself, holds over 90%? Therefore, to say that Windows is to blame is absolutely ridiculous, and you should be embarrassed to have posted that for all to see. As far as the article, notice that these attacks come from other countries all the time? They come from China, Nigeria, the UK, Turkey, the Netherlands, and a variety of others. Why? Because there aren't the strict laws like we have in the US, which deter MOST of the criminal activities that some people might be compelled to participate in. In addition, many of these "hackers," and I use the term VERY loosely, are 15-year-old script kiddies, who just happened to get a hold of the right software, and probably have no idea how they even did it. This particular case, with ICANN, and IANA, is most likely not the case, but the punishment for doing so should be the same. If you hack a domain, which was registered with a registrar based in a particular country, the laws of that country should bind you.

    Therefore, if you attack a domain, which was registered in the US, the laws of the US government should apply. If someone from the US were to attack a major Chinese operation, you can be sure that their government would be screaming for that person's head, or that group of peoples' heads. Accepting accountability, or taking liability for actions is something that the rest of the world has decided to quit doing. Yes, it's true that China, being a Communist country, is already well in the wrong direction, but this now affects other countries. Turkey, named after a delicious part of our Thanksgiving dinners, doesn't have the excuse of being a bunch of dumb Communists. They call themselves the NetDevilz, maybe they should spend the rest of their lives in the hell of the US federal prison system.

    --Master Joe
    SteelCityPC
  • Obviously they're plugging FreeBSD.

    Look at the cute BSD daemon mascot - it's obvious they're plugging FreeBSD.
    kraterz
  • RE: ICANN and IANA's domains hijacked by Turkish hacking group

    Nothing is secure in today's technology & nothing is impossible. To avoid this hacking every user has to have a security device to get access to the website.
    alishariefm