It’s rare for the top-level domains of countries to fall into the hands of individuals, but in some cases it is the only way to stop cybercriminals from exploiting expired domains.
On January 15, Fredrik Almroth, founder and head of engineering at Detectify, described how a general scan on nameserver records used by top-level domains (TLDs) worldwide resulted in the discovery of a country code top-level domain (ccTLD) in immediate danger of becoming vulnerable to attack.
Almroth’s scan, performed in December 2020, showed that ‘scpt-network.com’ linked to the nameservers managing the ccTLD used by the Democratic Republic of Congo (.cd) – home to approximately 87 million people – was displaying the Extensible Provisioning Protocol (EPP) status code ‘redemptionPeriod’.
In a technical blog post, the security researcher described how this was concerning, prompting him to monitor the domain. A week later, he received an alert that the domain was ‘pendingDelete’ – a status usually reserved for when an owner forgets to, or elects not to, renew their domain name.
Disaster averted
The moment the domain expired, threat actors could snap it up and, therefore, would also seize the nameserver capabilities of .cd.
Now able to intercept traffic running through the ccTLD, attackers could perform DNS hijacking, surveillance, Manipulator-in-the-Middle (MitM) attacks, and data theft.
Apex .cd domains, too, would be at risk, as attackers controlling the TLD could potentially take them over, perform distributed denial-of-service (DDoS) attacks, or infiltrate local networks.
“As an end-user, you would not be able to trust any content seen on any .cd website,” Almroth told The Daily Swig.
“If used maliciously a threat actor could leverage the position to issue new SSL/TLS certificates for most websites at will. The same goes for file downloads and the like which could be manipulated while in transit.”
To prevent this and to keep the domain “from falling into the wrong hands”, Almroth purchased the domain on December 30. As a result, temporarily, the researcher obtained control of approximately 50% of all DNS traffic for the top-level domain.
Returned to rightful owner
On January 7, the researcher reached out to contacts listed for the .cd domain with the Internet Assigned Numbers Authority (IANA) in order to transfer ownership.
While no follow-up confirmation was received, the issue was tackled within 14 hours and both nameserver delegations and traffic has now been redirected.
Almroth still owns the domain name for scpt-network.com. The incident was also reported to HackerOne’s Internet Bug Bounty on January 8, but as of the time of the writing, the researcher has not been in further contact with the team.
Almroth told us that he did uncover interesting data regarding the DNS queries, but this will “require further analysis before doing a statement of any additional findings”.
A spokesperson for ICANN told us that the agency has “a very limited role” in regard to ccTLDs as they “operate within their respective countries and [are] accountable to their local communities”.
