French domain name registrar and cloud hosting company Gandi suffered a major data breach after hackers managed to infiltrate one of its technical providers and steal login details.
The data breach affected 751 registered domains whose data was then diverted to a malicious site but most of these have been recovered since.
The breach occurred on 7th July but a prompt response from Gandi’s security team ensured that most of these domains were recovered. Following an investigation, the domain name registrar concluded that its network infrastructure was secure and that security vulnerabilities in the connection between Gandi and its technical provider allowed hackers to steal valid login details.
‘In all, 751 domains were affected by this incident, which involved an unauthorized modification of the name servers [NS] assigned to the affected domains that then forwarded traffic to a malicious site exploiting security flaws in several browsers,’ the company said in a blog post.
The said data breach allowed hackers to use domains to spread malicious software in ‘drive-by’ style attacks. Once the domains were compromised, visitors to such domains were redirected to the Keitaro traffic distribution system. Instead of redirecting them to Google, Keitaro TDS redirected visitors to a Rig Exploit Kit where they got infected by a malware named Neutrino Bot.
According to Switch, a registry for .ch domains, while the initial infection took place at 13:00, prompt action by Gandi ensured that all domains were reverted to the legitimate name servers by 16:00 on 7th July.
‘We also strongly encourage you to inform your customers of this situation so that they may take whatever action they deem necessary to protect their devices and data as well,’ said Gandi.
This is a classic example of hackers infiltrating corporate servers to obtain IDs and passwords using which they can launch attacks on users’ mobile devices or computers. According to Barry Shteiman, Director of Threat Research at Exabeam, this also enables hackers to access files and databases at will and also make changes to critical services in order to cause havoc.
‘To stop such cases, businesses need to be able to detect unusual use of valid credentials. This is why behavioural analytics has grown so quickly over the last couple of years. It can help combat insider threats by notifying the security team when someone is doing something that is unusual and risky, both on an individual basis and compared to peers,’ he added.