{"id":26826,"date":"2019-04-17T15:11:00","date_gmt":"2019-04-17T15:11:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/cisco-talos-details-exceptionally-dangerous-dns-hijacking-attack\/"},"modified":"2019-04-17T15:11:00","modified_gmt":"2019-04-17T15:11:00","slug":"cisco-talos-details-exceptionally-dangerous-dns-hijacking-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cisco-talos-details-exceptionally-dangerous-dns-hijacking-attack\/","title":{"rendered":"Cisco Talos details exceptionally dangerous DNS hijacking attack"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/02\/man-in-boat-surrounded-by-sharks_risk_fear_decision_attack_threat_by-peshkova-getty-100786972-large.3x2.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Security experts at Cisco Talos have released a <a href=\"https:\/\/blog.talosintelligence.com\/2019\/04\/seaturtle.html\" rel=\"nofollow\">report detailing<\/a> what it calls the \u201cfirst known case of a domain name registry organization that was compromised for cyber espionage operations.\u201d<\/p>\n<p>Talos calls the ongoing cyber threat campaign \u201cSea Turtle\u201d and said that state-sponsored attackers are abusing DNS to harvest credentials and gain access to sensitive networks and systems in a way that victims are unable to detect, which displays unique knowledge of how to manipulate DNS, Talos stated.<\/p>\n<p>By obtaining control of victims\u2019 DNS, the attackers can change or falsify any data on the Internet and illicitly modify DNS name records to point users to actor-controlled servers; users visiting those sites would never know, Talos reported.<\/p>\n<p>DNS, routinely known as the Internet\u2019s phonebook, is part of the global internet infrastructure that translates between familiar names and the numbers computers need to access a 
website or send an email.<\/p>\n<h2>Threat to DNS could spread<\/h2>\n<p>At this point Talos says Sea Turtle isn&#8217;t compromising organizations in the U.S.<\/p>\n<p>\u201cWhile this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,\u201d Talos stated.<\/p>\n<p>Talos reports that the ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. \u201cOur investigation revealed that approximately 40 different organizations across 13 different countries were compromised during this campaign,\u201d Talos stated. \u201cWe assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.\u201d<\/p>\n<p>Talos says the attackers directing the Sea Turtle campaign show signs of being highly sophisticated and have continued their attacks despite public reports of their activities. 
In most cases, threat actors stop or slow down their activities once their campaigns are publicly revealed, which suggests the Sea Turtle actors are unusually brazen and may be difficult to deter going forward, Talos stated.<\/p>\n<p>In January the Department of Homeland Security (DHS) <a href=\"https:\/\/www.networkworld.com\/article\/3336201\/batten-down-the-dns-hatches-as-attackers-strike-feds.html\">issued an alert<\/a> about this activity, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization\u2019s domain names.<\/p>\n<p>At that time the DHS\u2019s <a href=\"https:\/\/cyber.dhs.gov\/ed\/19-01\/\" rel=\"nofollow\">Cybersecurity and Infrastructure Security Agency<\/a> said in its <a href=\"https:\/\/cyber.dhs.gov\/ed\/19-01\/\" rel=\"nofollow\">Emergency Directive<\/a> that it was tracking a series of incidents targeting DNS infrastructure. CISA wrote that it \u201cis aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.\u201d<\/p>\n<h2>DNS hijacking<\/h2>\n<p>CISA said that attackers have managed to intercept and redirect web and mail traffic and could target other networked services. 
The agency said the attacks start with the compromise of user credentials for an account that can make changes to DNS records. Then the attacker alters DNS records, like Address, Mail Exchanger, or Name Server records, replacing the legitimate address of the services with an address the attacker controls.<\/p>\n<p>To achieve their nefarious goals, Talos stated the Sea Turtle accomplices:<\/p>\n<ul>\n<li>Use DNS hijacking through the use of actor-controlled name servers.<\/li>\n<li>Are aggressive in their pursuit, targeting DNS registries and a number of registrars, including those that manage country-code top-level domains (ccTLD).<\/li>\n<li>Use Let\u2019s Encrypt, Comodo, Sectigo, and self-signed certificates in their man-in-the-middle (MitM) servers to gain the initial round of credentials.<\/li>\n<li>Steal the victim organization\u2019s legitimate SSL certificate and use it on actor-controlled servers.<\/li>\n<\/ul>\n<p>Such actions also distinguish Sea Turtle from an earlier DNS exploit known as DNSpionage, which <a href=\"https:\/\/blog.talosintelligence.com\/2018\/11\/dnspionage-campaign-targets-middle-east.html\" rel=\"nofollow\">Talos reported<\/a> on in November 2018.<\/p>\n<p>Talos noted \u201cwith high confidence\u201d that these operations are distinctly different and independent from the operations performed by <a href=\"https:\/\/krebsonsecurity.com\/tag\/dnspionage\/\" rel=\"nofollow\">DNSpionage.<\/a><\/p>\n<p>In that report, Talos said a DNSpionage campaign utilized two fake, malicious websites containing job postings that were used to compromise targets via malicious Microsoft Office documents with embedded macros. 
The malware supported HTTP and DNS communication with the attackers.<\/p>\n<p>In a separate DNSpionage campaign, the attackers used the same IP address to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let&#8217;s Encrypt certificates for the redirected domains. Let&#8217;s Encrypt provides X.509 certificates for <a href=\"https:\/\/www.networkworld.com\/article\/2303073\/lan-wan-what-is-transport-layer-security-protocol.html\">Transport Layer Security (TLS)<\/a> free of charge to the user, Talos said.<\/p>\n<p>The Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos said it believes the attackers have exploited multiple known common vulnerabilities and exposures (CVEs) to either gain initial access or to move laterally within an affected organization. Talos research further shows that the known exploits used by Sea Turtle include:<\/p>\n<ul>\n<li>CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin<\/li>\n<li>CVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs)<\/li>\n<li>CVE-2017-3881: RCE by unauthenticated user with elevated privileges on Cisco switches<\/li>\n<li>CVE-2017-6736: Remote Code Exploit (RCE) for Cisco Integrated Service Router 2811<\/li>\n<li>CVE-2017-12617: RCE affecting Apache web servers running Tomcat<\/li>\n<li>CVE-2018-0296: Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls<\/li>\n<li>CVE-2018-7600: RCE for websites built with Drupal, aka \u201cDrupalgeddon\u201d<\/li>\n<\/ul>\n<p>\u201cAs with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete,\u201d Talos stated. 
\u201cThe actor in question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the observed behavior of the actor, not their complete capabilities.\u201d<\/p>\n<p>Talos says that the Sea Turtle campaign continues to be highly successful for several reasons. \u201cFirst, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests,\u201d Talos stated. \u201cThe threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains.\u201d<\/p>\n<p>Talos said the attackers also used previously undisclosed techniques such as certificate impersonation. \u201cThis technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. 
The attackers stole organizations\u2019 SSL certificates associated with security appliances such as [Cisco&#8217;s Adaptive Security Appliance] to obtain VPN credentials, allowing the actors to gain access to the targeted network, and have long-term persistent access,\u201d Talos stated.<\/p>\n<h2>Cisco Talos DNS attack mitigation strategy<\/h2>\n<p>To protect against Sea Turtle, Cisco recommends:<\/p>\n<ul>\n<li>Use a registry lock service, which will require an out-of-band message before any changes can occur to an organization&#8217;s DNS record.<\/li>\n<li>If your registrar does not offer a registry-lock service, Talos recommends implementing multi-factor authentication, such as DUO, to access your organization&#8217;s DNS records.<\/li>\n<li>If you suspect you were targeted by this type of intrusion, Talos recommends instituting a network-wide password reset, preferably from a computer on a trusted network.<\/li>\n<li>Apply patches, especially on internet-facing machines. 
Network administrators can monitor passive DNS records on their domains to check for abnormalities.<\/li>\n<\/ul>\n<p>READ MORE <a href=\"https:\/\/www.networkworld.com\/article\/3389747\/cisco-talos-details-exceptionally-dangerous-dns-hijacking-attack.html#tk.rss_security\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\nSecurity experts at Cisco Talos have released a report detailing what it calls the \u201cfirst known case of a domain name registry organization that was compromised for cyber espionage operations.\u201dTalos calls ongoing cyber threat campaign \u201cSea Turtle\u201d and said that state-sponsored attackers are abusing DNS to harvest credentials to gain access to sensitive networks and systems in a way that victims are unable to detect, which displays unique knowledge on how to manipulate DNS, Talos stated.<br \/>\nMore about DNS:<br \/>\n DNS in the cloud: Why and why not<br \/>\n DNS over HTTPS seeks to make internet use more private<br \/>\n How to protect your infrastructure from DNS cache poisoning<br \/>\n ICANN housecleaning revokes old DNS security key <\/p>\n<p>By obtaining control of victims\u2019 DNS, the attackers can change or falsify any data on the Internet, illicitly modify DNS name records to point users to actor-controlled servers; users visiting those sites would never know, Talos reported.\u00a0To read this article in full, please click here READ MORE 
HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":26827,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[738],"tags":[307],"class_list":["post-26826","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networkworld","tag-security"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/26826","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=26826"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/26826\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/26827"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=26826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=26826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=26826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}