Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Was the Brazilian version of Google hijacked two days ago?

Published: 2017-01-05
Last Updated: 2017-01-05 22:46:48 UTC
by John Bambenek (Version: 1)
2 comment(s)

ISC reader Renato Marihno wrote in with some interesting observations out of Brazil the last couple of days.  It seems for about 30 minutes on January 3rd, did not point to Google's IP space and the nameservers were set to and  The issue was relatively quickly discovered and corrected but still shows the risk that hijacked registrant account access can be for enterprises.  You can read Renato's write up on LinkedIn.

This is a reminder that if an attacker controls DNS, they control everything. And if they control your domain registrant account, they control DNS.  This attack was crude and easy to discover, but it would be very easy to set of a man-in-the-middle attack using such a technique without a mitigating control like TLS in place.  Make sure your domain registry accounts require two-factor authentication and have strong passwords.

John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

2 comment(s)
Diary Archives