The report was published Wednesday by Cisco's Talos security group. It indicates that three weeks ago, the hijacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax's only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet's 13 foundational DNS root servers, and Liman is listed as being responsible for it. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.
DNS resolution records show that in late March nsd.cafax.com resolved to a malicious IP address controlled by the attackers. NSD commonly stands for Name Server Daemon, open-source authoritative DNS server software, so a hostname of that form is the kind that serves a domain's zone rather than an ordinary web or mail host. It looks unlikely that the attackers succeeded in actually compromising Cafax, although that possibility couldn't be ruled out.
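The observation above, a name-server host resolving to an address the operator does not own, is exactly the signal a domain owner can watch for. The following is an added example, not code from Talos, Ars Technica, Cafax or Netnod: it runs a small passive-DNS-style set of constructed observations against an operator-declared allowlist of netblocks and permitted NS targets, flags answers that fall outside it, and reconstructs the window during which a monitored name-server host pointed off-net. The hostnames and IP addresses (RFC 5737 documentation ranges) are placeholders, and the allowlist values are hypothetical.

```python
"""Flag name-server hosts and zone delegations that drift off an operator allowlist.

Added example; not code from the report or the organizations it describes.
All hostnames, addresses and observations below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Observation:
    """One historical DNS answer: when it was seen, owner name, type, and rdata."""
    seen: datetime
    name: str
    rrtype: str
    rdata: str


# Constructed observations for a hypothetical zone example.com whose name
# server ns1.example.com normally lives in the operator's own netblock.
OBSERVATIONS = [
    Observation(datetime(2019, 3, 1), "ns1.example.com", "A", "192.0.2.53"),
    Observation(datetime(2019, 3, 10), "ns1.example.com", "A", "192.0.2.53"),
    Observation(datetime(2019, 3, 25), "ns1.example.com", "A", "198.51.100.7"),
    Observation(datetime(2019, 3, 27), "ns1.example.com", "A", "192.0.2.53"),
    Observation(datetime(2019, 3, 1), "example.com", "NS", "ns1.example.com."),
    Observation(datetime(2019, 3, 26), "example.com", "NS", "ns.rogue.example."),
]

# Hypothetical operator allowlist: netblocks each name-server host may resolve
# into, and the NS targets each monitored zone may delegate to.
ALLOWED_NETS = {"ns1.example.com": [ipaddress.ip_network("192.0.2.0/24")]}
ALLOWED_NS = {"example.com": {"ns1.example.com.", "ns2.example.com."}}


def _in_allowed_nets(name, rdata, allowed_nets):
    """True if rdata is an address inside one of name's allowed netblocks."""
    addr = ipaddress.ip_address(rdata)
    return any(addr in net for net in allowed_nets.get(name, []))


def find_anomalies(observations, allowed_nets, allowed_ns):
    """Return (observation, reason) pairs whose rdata is outside the allowlist.

    A/AAAA answers for monitored name-server hosts must fall inside an allowed
    netblock; NS answers for monitored zones must name an allowed server.
    Names absent from both allowlists are not monitored and are skipped.
    """
    anomalies = []
    for obs in sorted(observations, key=lambda o: o.seen):
        if obs.rrtype in ("A", "AAAA") and obs.name in allowed_nets:
            if not _in_allowed_nets(obs.name, obs.rdata, allowed_nets):
                anomalies.append((obs, "address outside allowed netblocks"))
        elif obs.rrtype == "NS" and obs.name in allowed_ns:
            wanted = {ns.lower().rstrip(".") for ns in allowed_ns[obs.name]}
            if obs.rdata.lower().rstrip(".") not in wanted:
                anomalies.append((obs, "delegation to unexpected name server"))
    return anomalies


def hijack_windows(observations, allowed_nets, name):
    """Return (start, end) spans during which name resolved off-allowlist.

    end is None when the most recent observation is still off-allowlist.
    """
    addr_obs = sorted(
        (o for o in observations if o.name == name and o.rrtype in ("A", "AAAA")),
        key=lambda o: o.seen,
    )
    windows, start = [], None
    for obs in addr_obs:
        ok = _in_allowed_nets(name, obs.rdata, allowed_nets)
        if not ok and start is None:
            start = obs.seen
        elif ok and start is not None:
            windows.append((start, obs.seen))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


if __name__ == "__main__":
    for obs, reason in find_anomalies(OBSERVATIONS, ALLOWED_NETS, ALLOWED_NS):
        print(f"{obs.seen:%Y-%m-%d} {obs.name} {obs.rrtype} {obs.rdata}: {reason}")
    for start, end in hijack_windows(OBSERVATIONS, ALLOWED_NETS, "ns1.example.com"):
        print(f"ns1.example.com off-allowlist from {start:%Y-%m-%d} until {end or 'now'}")
```

In practice the observations would come from a passive-DNS feed or from periodic lookups against several public resolvers, and the allowlist from the registrar and hosting records the operator controls; the check is deliberately independent of the authoritative servers themselves, since those are what a hijacker has redirected.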