SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for attacks described in US-CERT Alert (AA19-024A) centered around a Domain Name System (DNS) infrastructure hijacking campaign.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
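Because the hijack works by silently changing records, the practical defensive check is to diff a domain's public records against a vetted baseline on a schedule. The following script is an added illustration of that check (not SafeBreach's playbook code or CISA's tooling); the baseline, the "observed" answers and the resolver stub are constructed sample data, and a real deployment would swap in a resolver that queries the authoritative servers.

```python
"""Diff a zone's public DNS records against a vetted baseline to spot the
record changes that characterise DNS infrastructure hijacking (AA19-024A).
Added example, not SafeBreach or CISA code; all values below are constructed."""
from typing import Callable, Dict, Iterable, List, Set

def _norm(values: Iterable[str]) -> Set[str]:
    # DNS names are case-insensitive and may carry a trailing dot; normalise
    # so "MAIL.EXAMPLE.COM" and "mail.example.com." compare equal.
    return {v.strip().lower().rstrip(".") for v in values}

def compare_records(zone: str, baseline: Dict[str, Iterable[str]],
                    observed: Dict[str, Iterable[str]]) -> List[str]:
    """Return one finding per record type whose observed set differs from the
    baseline. A changed NS delegation or A record is the classic symptom of a
    registrar or DNS-provider account being used with stolen credentials."""
    findings = []
    for rtype, expected in baseline.items():
        want, got = _norm(expected), _norm(observed.get(rtype, []))
        if got == want:
            continue
        added, removed = sorted(got - want), sorted(want - got)
        findings.append(f"{zone} {rtype}: unexpected={added} missing={removed}")
    return findings

def audit(zone: str, baseline: Dict[str, Iterable[str]],
          resolve: Callable[[str, str], Iterable[str]]) -> List[str]:
    """Resolve every baselined type through the supplied resolver and diff it.
    The resolver is injected so the check runs offline here; in production it
    should ask the zone's authoritative servers, not a local cache."""
    observed = {rtype: resolve(zone, rtype) for rtype in baseline}
    return compare_records(zone, baseline, observed)

# Constructed sample: the A record and one NS now point at unknown hosts,
# while the MX differs only in case and trailing dot (benign).
BASELINE = {"A": ["203.0.113.10"], "NS": ["ns1.example.net.", "ns2.example.net."],
            "MX": ["mail.example.com."]}
OBSERVED = {"A": ["198.51.100.77"], "NS": ["ns1.example.net.", "ns1.unknown-provider.example"],
            "MX": ["MAIL.EXAMPLE.COM"]}

def fake_resolver(zone: str, rtype: str) -> Iterable[str]:
    return OBSERVED.get(rtype, [])  # stand-in for a live authoritative query

if __name__ == "__main__":
    for line in audit("example.com", BASELINE, fake_resolver):
        print("ALERT", line)
```

Pair the record diff with Certificate Transparency log monitoring for the same domains, since the alert notes the attacker's next step is obtaining valid certificates for the hijacked names.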

These attacks have been observed across the healthcare, finance, government, and defense industries. Their widespread use presents a challenge for network defense and threat-actor attribution. SafeBreach recommends that all industries and businesses simulate the tools described in this alert to identify whether or not they are protected against these attacks.

To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Newly developed playbook methods related to AA19-024A

Playbook #2182 - Write DNSPionage (AA19-024A) malware to disk

  • Endpoint Controls - Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook #2183 - Transfer of DNSPionage (AA19-024A) malware over HTTP/S (Lateral Movement)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2184 - Transfer of DNSPionage (AA19-024A) malware over HTTP/S (Infiltration)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2185 - Email DNSPionage (AA19-024A) malware as a ZIP attachment (Lateral Movement)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2186 - Email DNSPionage (AA19-024A) malware as a ZIP attachment (Infiltration)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Additional breach methods added recently include:
