Ascio Registrar Compromised – Brings Down UPS.com, Theregister and Others

If you tried to visit today the sites for UPS.com, theregister.co.uk, Vodafone, The Daily Telegraph and some other high profile sites, you would have received a scary message saying that they’ve been hacked (by turkguvenligi):

And they were indeed hacked, but not in the way most people think. Their servers were not compromised, in fact it had nothing to do with their sites. Ascio.com, a domain registrar (used by all of them) was hacked, which lead to the DNS servers of those sites to be modified to:

ups.com name server ns3.yumurtakabugu.com.
ups.com name server ns2.yumurtakabugu.com.
ups.com name server ns1.yumurtakabugu.com.
ups.com name server ns4.yumurtakabugu.com.

theregister.co.uk name server ns1.yumurtakabugu.com.
theregister.co.uk name server ns3.yumurtakabugu.com.
theregister.co.uk name server ns2.yumurtakabugu.com.
theregister.co.uk name server ns4.yumurtakabugu.com.

Having control of their DNS, the attackers redirected their web pages to 68.68.20.116 where it had that “hacked” message. And as you can see in their whois information, the records were modified today (at around 1am):

Registrar:
Ascio Technologies Inc t/a Ascio Technologies inc [Tag = ASCIO]
URL: http://www.ascio.com

Record created: 2010-10-04 17:54:28
Record last updated: 2011-09-04 22:24:04
Record expires: 2019-05-17 01:00:00

You know what is scarier? Is that with full DNS control, they would be able to redirect and read any email sent to them, mess with their internal communications, and even steal passwords if SSL/encryption is not used. However, it seems the attackers didn’t do any of the above, since the MX and other records seemed in tact.

You know what is interesting? If they were using our web integrity monitoring, they would have received the alert much sooner that the Whois was modified and later that NS and other IP addresses were changed. Early detection is the key in most cases.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://profiles.yahoo.com/u/BAG7F3RT55PA3ZVOAB2DJ6IZJQ Frank

    “…they would have received the alert much sooner that the Whois was modified and later that NS and other IP addresses were changed” 

    How much time was there between the WHOIS change and the DNS record change?  You suggest there was a time gap, but I would assume the hackers had that domain pre-configured on their DNS server.

    • https://bugcrowd.com/ bugcrowd

      The WHOIS change would have been visible via the Asico’s WHOIS as soon as the change was made.

      However, the effect of this change would have taken a little bit of time to play out as the malicious SOA (referred to as NS here) records propagated across the Internet and DNS clients began to have their queries directed to the malicious DNS server (thereby receiving the malicious host IP address instead of the legitimate one).

  • Adamkerry123

    http://www.180training.com i like comments thanks for sharing ……!

Share This