ICANNWiki

Compromised Domain: Difference between revisions

← Older edit
GovernanceBot (talk | contribs)
Bots, Interface administrators, Administrators (Semantic MediaWiki), Editors (Semantic MediaWiki), Administrators, Trusted Users
17,736 edits
VisualWikitext
Jessica (talk | contribs)
Bureaucrats, Check users, lookupuser, Administrators, translator
14,952 edits
No edit summary
Applied modification ruleset: References normalization
 
(One intermediate revision by one other user not shown)
Line 16: Line 16:
Adversaries hijack domains and/or subdomains to target victims.  
Adversaries hijack domains and/or subdomains to target victims.  
===Registration Hijacking===
===Registration Hijacking===
Threat actors may change the registration of a domain name without the permission of the original registrant. They may gain access to an email account for the person listed as the owner of the domain and then claim that they forgot their password to change to the domain registration. They could also engage in [[Social Engineering]] with the help desk to gain access to an account or take advantage of renewal process gaps.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>  
Threat actors may change the registration of a domain name without the permission of the original registrant. They may gain access to an email account for the person listed as the owner of the domain and then claim that they forgot their password to change to the domain registration. They could also engage in [[[Social Engineering Attacks|social engineering]] with the help desk to gain access to an account or take advantage of renewal process gaps.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
 
===Subdomain Hijacking===
===Subdomain Hijacking===
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
Line 22: Line 23:
==Examples==
==Examples==
* Connected with China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, [[APT1]] hijacked 141 victim organizations across multiple industries beginning in 2006. APT1 hijacked fully qualified domain names/absolute domain names associated with legitimate websites hosted by hop points.<ref>[https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units APT1:Exposing One of China's Cyberespionage Units, Mandiant]</ref>
* Connected with China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, [[APT1]] hijacked 141 victim organizations across multiple industries beginning in 2006. APT1 hijacked fully qualified domain names/absolute domain names associated with legitimate websites hosted by hop points.<ref>[https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units APT1:Exposing One of China's Cyberespionage Units, Mandiant]</ref>
==References==
== References ==
{{reflist}}
[[Category:DNS Abuse]]
[[Category:DNS Abuse]]
Retrieved from "https://staging.icannwiki.org/Compromised_Domain"