ISC reader Renato Marihno wrote in with some interesting observations out of Brazil the last couple of days. It seems for about 30 minutes on January 3rd, google.com.br did not point to Googles IP space and the nameservers were set to ns1-leader.vivawebhost.com and ns2-leader.vivawebhost.com. The issue was relatively quickly discovered and corrected but still shows the risk that hijacked registrant account access can be for enterprises. You can read Renatos write up on LinkedIn.
This is a reminder that if an attacker controls DNS, they control everything. And if they control your domain registrant account, they control DNS. This attack was crude and easy to discover, but it would be very easy to set of a man-in-the-middle attack using such a technique without a mitigating control like TLS in place. Make sure your domain registry accounts require two-factor authentication and have strong passwords.
--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity