Fox-IT reveals hackers hijacked its DNS records, spied on clients’ files

Dutch security firm was not protecting its DNS entries with two-factor authentication.

Graham Cluley

Kudos to Dutch security firm Fox-IT which has gone public about a cyber attack it suffered in September:

“In the early morning of September 19 2017, an attacker accessed the DNS records for the domain at our third party domain registrar. The attacker initially modified a DNS record for one particular server to point to a server in their possession and to intercept and forward the traffic to the original server that belongs to Fox-IT. This type of attack is called a Man-in-the-Middle (MitM) attack. The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack.”

Whoever launched the attack against Fox-IT was able to redirect emails going to the domain, and inbound traffic to their ClientPortal.
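The redirect described above works because users and mail servers trust whatever the zone currently says. A defender's counterpart is to keep a baseline of the records that matter and alert when a resolver snapshot deviates from it. The following is an added example, not code from Fox-IT or from the original post; all names, addresses and netblocks are constructed placeholders.

```python
import ipaddress

# Constructed baseline: the answers the organisation expects its zone to serve.
# Names, addresses and netblocks are placeholders, not Fox-IT's real infrastructure.
BASELINE = {
    ("clientportal.example.test", "A"): {"203.0.113.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "NS"): {"ns1.registrar.example.", "ns2.registrar.example."},
}
# Constructed allowlist: address space the organisation actually controls.
OWN_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed snapshot of what resolvers return after a registrar-side change:
# the portal's A record points at an outside host and mail now goes elsewhere.
OBSERVED_HIJACKED = {
    ("clientportal.example.test", "A"): {"198.51.100.77"},
    ("example.test", "MX"): {"10 mx.somewhere-else.example."},
    ("example.test", "NS"): {"ns1.registrar.example.", "ns2.registrar.example."},
}

def classify_change(name, rtype, expected, current, own_netblocks):
    """Return a finding string for one record set that differs from its baseline."""
    if rtype in ("A", "AAAA"):
        outside = [a for a in current - expected
                   if not any(ipaddress.ip_address(a) in n for n in own_netblocks)]
        if outside:
            return (f"{name} {rtype} -> {sorted(outside)}: outside controlled netblocks "
                    f"(possible MitM redirect)")
        return f"{name} {rtype}: unexpected change to {sorted(current)}"
    if rtype == "MX":
        return f"{name} MX: {sorted(expected)} -> {sorted(current)} (possible mail redirect)"
    if rtype == "NS":
        return f"{name} NS: delegation changed to {sorted(current)} (possible zone takeover)"
    return f"{name} {rtype}: {sorted(expected)} -> {sorted(current)}"

def detect_dns_drift(baseline, observed, own_netblocks=OWN_NETBLOCKS):
    """Compare an observed snapshot against the baseline and return a list of findings.

    An empty list means every baselined record set still matches."""
    findings = []
    for (name, rtype), expected in baseline.items():
        current = observed.get((name, rtype), set())
        if current != expected:
            findings.append(classify_change(name, rtype, expected, current, own_netblocks))
    return findings

if __name__ == "__main__":
    for line in detect_dns_drift(BASELINE, OBSERVED_HIJACKED):
        print("ALERT:", line)
```

In practice the observed snapshot would be gathered from several independent resolvers on a schedule, so that a change made at the registrar is noticed from the outside rather than from customer reports.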


You can read more about the incident on Fox-IT’s website, but I think one thing that is worth highlighting is that if such an attack can hit a security firm, it could most likely hit many other types of businesses which are less focused on security.

The weak link, it appears, was Fox-IT’s choice of domain registrar, responsible for maintaining the company’s DNS records. Those critical DNS entries should have been protected, to prevent this type of attack from succeeding, with two-factor authentication.

But it turns out that Fox-IT’s domain registrar didn’t offer any form of multi-factor authentication. All a criminal needed to hack into their DNS entries was a username and password:

“We chose our DNS provider 18 years ago when 2FA was neither a consideration nor a possibility. We were surprised to find that the registrar still does not support 2FA. It is always worth asking: does your DNS registrar support 2FA? The answer may surprise you.”

It’s a good question, especially when you consider that domain name hijacking can not only result in your customers thinking your systems have been hacked, but also lead to private communications being intercepted.

Past victims of DNS hacking have included WhatsApp, Lenovo, anti-virus firms AVG and Avira, and Bitcoin wallet service

To its credit, Fox-IT appears to have communicated clearly with its customers and partners, contacted those who may have had some data exposed, and is working with law enforcement in the hope of apprehending the culprits.

Given the nature of Fox-IT’s work there are likely to be some interesting theories as to who might have been behind this particular attack, and what they were attempting to spy upon.

One thing is clear. The company has some powerful enemies.

In the past, Fox-IT has published impressive research into the activities of cybercriminal gangs – including the Russian Anunak (aka Carbanak) criminal group which has stolen many millions of dollars from the banking industry and Western retailers.

Don’t learn the lesson the hard way. Protect your website’s DNS entries. Choose decent, unique passwords. Enable two-factor authentication on the account. And, if you have the clout, request that your DNS registrar confirm with a manual phone call if there is ever an attempt to point the records elsewhere.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Fox-IT reveals hackers hijacked its DNS records, spied on clients’ files”

  1. Pascal

    And, if you have the clout, request that your DNS registrar confirm with a manual phone call if there is ever an attempt to point the records elsewhere.

    clout must be cloud I guess
