Gandi hosting’ logins breached; 751 domains diverted to malware site

In some cases, the domains were diverted to Rig Exploit Kit.

Gandi SAS, a French web hosting company has announced that it suffered a security breach after hackers got hold of the valid login details to one of the company’s technical providers who manage a number of geographic TLDs.

The hackers were then able to divert traffic for over 751 domains to a malicious website. Gandi had issued an incident report according to which the breach took place on July 7 at 11:00 UTC (4:00 AM PDT) when hackers modified the name servers [NS] of the targeted domains.

More:  OVH hosting suffers 1Tbps DDoS attack; largest Internet has ever seen

The incident report also reveals that the traffic diversion to the malicious site exploited security flaws in several browsers. Furthermore, Gandi shared a full list of affected TLDs (Top-level domain) which included: 

".ASIA, .AT, .AU, .CAT, .CH, .CM, .CZ, .ES, .GR, .HK, .IM, .IT, .JP, .LA, .LI, .LT, .LV, .MG, .MS, .MU, .NL, .NU, .NZ, .PE, .PH, .PL, .RO, .RU, .SE, .SH, .SI, .SX, .UA, .XN–P1AI (.рф)."

Barry Shteiman, Director of Threat Research at Exabeam commented on the issue and told HackRead that: 

“The theft of IDs and passwords is by far the most common goal for today’s cyber attackers. Valid credentials really are the keys to the kingdom, once a hacker has them, they have a legitimate means to access files and databases at will, or as in the Gandi case, make changes to critical services in order to cause havoc.”

“To stop such cases, businesses need to be able to detect the unusual use of valid credentials. This is why behavioral analytics has grown so quickly over the last couple of years. It can help combat insider threats by notifying the security team when someone is doing something that is unusual and risky, both on an individual basis and compared to peers.”

While Switch, the registry for .ch domains was also alerted about this incident in which attackers used domains to spread malware in “drive-by” style attacks. 

In a security notice, Michael Hausding of Switch said that a .ch domain owner alerted the company that his .ch zone points to the wrong name servers. In some cases, the domains were diverted to Rig Exploit Kit.

“The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the only domain that had unauthorized changes. We identified 93 additional .ch and .li domain names that pointed to the two rogue name servers. While domain hijacking by pointing to a rogue NS is a known attack, 94 domains on a single day is very unusual. So we analyzed what the hijacked domains were used for and soon found out that they are used to infect internet users with malware,” writes Hausding.

At the time of publishing this article, both Gandi and Switch reported that issue has been resolved. However, it is still unclear who the attackers were or how did they conduct the attack.

More:  Brazil's largest news portals UOL and Folha hacked; redirected to RedTube

Sponsored: DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Written by Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.