Intruders accessed the Centralized Zone Data System; information entered by users has been exposed

Dec 17, 2014 21:39 GMT

The usernames and passwords of several ICANN staff members have fallen into the hands of unknown individuals as a result of a phishing campaign, facilitating unauthorized access to a few sensitive systems.

ICANN, short for Internet Corporation for Assigned Names and Numbers, is a non-profit organization in charge of watching over the IP address space at the global level. It is also responsible for managing the Domain Name System (DNS). Briefly put, it is an entity that supervises the growth of the Internet.

Sensitive info from CZDS has been exposed

At the beginning of December, the organization found that compromised email credentials of some staff members were used to access different services, apart from email.

The intruders logged into the Centralized Zone Data System (CZDS) with administrative privileges. The CZDS holds copies of zone files as well as sensitive data associated with users’ online accounts.

The information accessed included names, postal and email addresses, fax and phone numbers, as well as usernames and passwords.

As a precaution, ICANN deactivated the passwords, even though only salted cryptographic hashes of them were stored on the system.

The breach does not directly affect regular users, but it does give attackers intelligence that could be used to compromise other targets.

As its name suggests, the CZDS contains zone files from participating top-level domains (TLDs). These contain details required for resolving domain names to IP addresses, including the name servers and their IPs.

ICANN has sent letters to all account holders, asking them to change their passwords and take the necessary measures to protect other accounts that can be accessed with the same set of credentials.

Other systems have also been accessed without authorization

Information from the ICANN GAC Wiki (the Governmental Advisory Committee) has also been accessed by the perpetrators, but in this case, the organization said in a disclosure post on Tuesday, “the members-only index page and one individual user's profile page was viewed.” No other non-public details have been exposed.

The GAC’s role is to advise ICANN on public policy matters concerning the responsibilities for the Internet Domain Name System.

According to the findings of the investigation started by ICANN, the targeted attacks began toward the end of November, and the sender’s email address was spoofed so that it appeared to belong to the organization’s own domain.

With the stolen credentials, the intruders also managed to sign into the ICANN blog and the Whois service. No impact has been recorded on these systems.

It is believed that a set of security upgrades applied earlier this year mitigated some of the risks; otherwise the perpetrators could have gained broader access. Following this incident, additional security measures have been taken, the official announcement says.

Systems related to IANA (Internet Assigned Numbers Authority), an ICANN department responsible for managing the DNS root zone, have not been impacted by this attack.

Image gallery, “Spear-phishing ICANN” (4 images): ICANN staff members duped by spear phishing; IANA-related systems have not been impacted; Structure of the Domain Name System.