The Internet Corporation for Assigned Names and Numbers (ICANN) has admitted that a spear phishing attack hit its centralised zone data system (CZDS).
In an update, ICANN said that the attacker obtained administrative access to all files in the CZDS, including copies of the zone files in the system, information entered by users such as name, postal address, email address, fax and telephone numbers, usernames and password.
“Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution,” it said.
Also accessed was the ICANN GAC wiki with the members-only index page and one individual user’s profile page viewed; and unauthorised access was also obtained to user accounts on two other systems: the ICANN blog and the ICANN WHOIS information portal.
It said: “No impact was found to either of these systems. Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems.
Troy Gill, manager of security research at AppRiver, said: “ICANN being hacked is quite a scary proposition, as an attacker with unfettered access to the entire ICANN system/s could have caused to serious issues. However, the damage looks to be fairly minimal this time.
“This hack goes to show that not only are internet regulators fallible but they can be a very enticing target given an attackers motivations. The attackers relied on the tried and true method of spear phishing emails to gain access to several staff accounts and pivoted from there.
“The most concerning system that they were able to gain access to is the CZDS. The good news is that the passwords were all stored in salted cryptographic hashes making them virtually useless to the attacker. As an added measure, all stolen passwords were quickly deactivated by ICANN.”
TK Keanini, CTO of Lancope, said: “Readers should really consider themselves in the same boat here, as attacks like this are common and only increasing. The important measure here is how long it took them to discover the attack as the article noted that it happened in late November and was only discovered last week. Some companies don’t identify the attacks for years so by that measure ICANN was on top of their game.
“The people who are listed in these top level zones and everyone who is a DNS administrator should be on top alert because they are likely to be the next target in this spear phishing campaign. In fact, you just need to think about how you or your organisation is connected to ICANN and its data and go about changing authentication or any other data if known by the adversary could be used for an attack. Start threat modelling and thinking like the attacker.”
Earlier this year, ICANN said that it began a program of security enhancements in order to strengthen information security for all ICANN systems. It said: “We believe these enhancements helped limit the unauthorised access obtained in the attack. Since discovering the attack, we have implemented additional security measures.”
Kevin Epstein, VP of advanced security at governance at Proofpoint, said that infiltrating organisations via phishing and social media is a le
ading tactic for such headline-making breaches. “Everyone’s human, and people click,” he said. “The weakest link in security sits between the mouse and the chair – as our research showed, after 100 email phishing messages enter a company, sufficient people will have clicked to download multiple copies of malware if no targeted attack protection is in place.
“This is not simple spam; these are sophisticated malicious communications, that even professionals frequently miss. Even the best-trained organisations in our study showed multiple clicks on every phishing campaign.”
