Here's how the attackers gained access to DNS records

Oct 8, 2013 13:46 GMT

Palestinian hackers of KDMS Team have managed to deface several high-profile websites, including those of AVG, Avira and WhatsApp. Moments ago, Avira representatives confirmed to Softpedia that this is a case of DNS hijacking.

“It appears that several websites of Avira as well as other companies have been compromised by a group called KDMS. The websites of Avira have not been hacked, the attack happened at our Internet Service Provider ‘Network Solutions’,” Avira Security Expert and Product Manager Sorin Mustaca said in a mailed statement.

According to Mustaca, the DNS records of the impacted websites have been changed to point to arbitrary domains.

“It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request not being initiated by anyone at Avira,” the expert explained.

“Network Solutions appears to have honored this request and allowed a 3rd party to assume control of our DNS. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.”

Avira reassures customers that its internal networks have not been compromised. Until all DNS entries are back in its possession, the company has shut down all external services.

“We are working with the ISP to receive control on the domain name and only when we have solved the problem we will restore the access to the Avira services. At this point we are not aware of any effect to our customers,” Mustaca concluded.

While this statement comes only from Avira, the scenario is most likely the same for all the impacted companies.

Additional details will probably be provided by Network Solutions in the coming hours. Stay tuned to find out more.

Update. Avira has published a blog post regarding this incident. Follow it for any updates.