On Friday, July 7, an unauthorized connection to one of our technical partners resulted in the modification of the name servers (NS) of 751 domain names, which then pointed traffic for the impacted domains to a malicious site.

Our technical team was notified shortly thereafter and immediately began reversing the updates on the impacted domains and investigating the incident.

Pending the completion of our investigation, we published an initial report on the incident to our news site.

Now that we have completed these investigations, we can update you with further details about what happened and respond to several of the pressing concerns facing you, our customers.

Before diving into the details, though, we need to contextualize the incident:

At present, Gandi manages more than 2.1 million domain names across 730 TLDs, spanning some 200+ registries. Accreditation with each of these registries represents a significant contractual and complex technical component of managing these domains.

As such, we need to be able to connect to the technical back end of each of these registries, or otherwise integrate with a technical partner who in turn connects to each of these registries. Currently, we are integrated with more than 150 platforms, most run by the individual registries themselves, others operated by technical partners.

Friday's incident involved only one such technical partner, through whom we manage domain names in 34 TLDs, all of them country-code (geographic) TLDs.

Timeline of the events of July 7, 2017 in UTC (PDT is UTC-7)

– 11:57: A registry informs us of suspicious modifications

– 11:58: Gandi launches an internal investigation

– 11:59: Our team identifies a suspicious connection to our technical partner's web portal

– 12:10: Our team changes the login credentials on our partner's site, thereby blocking any further attack

– 12:30: Gandi begins working with our technical partner to identify all unauthorized updates made through their web portal

– 12:53: Gandi begins the process of undoing all unauthorized changes to name servers with each registry impacted

– 13:36: Our team completes the process of undoing all previously-identified unauthorized updates with each impacted registry

– 13:50: Our team begins working on reversing all changes identified in the meantime

– 14:00: Our team begins a parallel investigation in order to further ensure the security of our entire infrastructure

– 14:29: We publish our first public report of the incident to http://status.gandi.net/

– 15:00: Each of the individual registries begins to carry out the requested modifications on their servers; this update takes slightly longer for the TLDs .es and .se

– 15:32: We update our communication with the latest available information

– 16:00: Our team contacts the relevant French authorities

– 16:15: All registries have at this point completed all name server changes we requested

– 17:00: We are following several leads regarding the origin of the incident, but have not yet been able to draw conclusions with any certainty

– 17:50: At this point we have confirmed with certainty that the unauthorized changes were made through the web interface of one of our technical partners

– 18:00: We launch a parallel investigation analyzing the malicious servers involved in order to better understand the impact of this incident

– 20:41: Our initial report on the incident is published in French.

– 20:42: Our team checks the Certificate Transparency logs for certificates issued on the impacted domains during the duration of the attack

– 21:23: Our initial report on the incident is published in English.

– 21:56: Our investigations confirm that the MX and SPF (TXT) records of each impacted domain were modified during the attack

– 23:02: The French authorities confirm that they have received our report

– 23:30: Our technical team launches a full security audit to ensure the integrity of our infrastructure

Some important points of which to be aware:

1. For how long were the affected domain name servers modified?

The first modification occurred at 8:04 UTC and the last was performed at 9:44 UTC. The last name server update was undone at 13:50 UTC.

Taking into account the delay in name server provisioning at the individual registries in question and the TTLs of the relevant DNS zones, the unauthorized changes were in place for at most 8 to 11 hours.

By 16:15 UTC, we had reversed all unauthorized updates at each of the registries and only needed to wait for the propagation delay (up to three hours) to be completely sure that the modifications had been successfully reversed.

2. What was the impact on the affected domain names?

The substituted name servers (NS) were configured with A records for www.yourdomain.tld and yourdomain.tld. These records pointed to malicious web servers.

Switch, the registry of .ch domains, summarized the details of their analysis of the attacks and the exploits used.

Overall, for the duration of the attack, visitors to impacted domains were redirected to an Exploit Kit (EK) type infrastructure, which also rendered HTTPS traffic impossible. This type of infrastructure is capable of compromising the web browsers and operating systems of visitors in different ways, depending on:

– The intention of the attacker utilizing the EK

– The geolocation of the visitor and the existing vulnerabilities in their browser or operating system.

The MX records were also set, along with valid SPF entries, but according to the analysis done by scrt.ch, the mail servers to which they pointed were not functional.
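The changes described in this section (NS delegation replaced, apex and www A records redirected, MX and SPF rewritten) are exactly the kind of drift a registrar or domain owner can detect by comparing what is published against a known-good baseline. The following is an added example, not Gandi's tooling: the domain, host names and addresses are hypothetical, and the "observed" record sets are constructed to mirror the incident rather than fetched live (in production they would come from queries against the TLD's authoritative servers).

```python
"""Detect unauthorized changes to a domain's delegation and key records by
comparing observed record sets against a known-good baseline.

Added example (not Gandi's code). Domain names, hosts and addresses are
hypothetical; the observed answers are constructed to resemble the
incident. A real monitor would fill `observed` from DNS queries made
against the registry's authoritative servers, then call diff_records().
"""

# Record types the report says were altered during the incident.
WATCHED_TYPES = ("NS", "A", "MX", "TXT")

# Known-good baseline: what the registrar/owner expects to be published.
BASELINE = {
    "example.tld": {
        "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.tld."},
        "TXT": {"v=spf1 mx -all"},
    },
    "www.example.tld": {"A": {"192.0.2.10"}},
}

# Constructed observation, as a monitor would have seen it while the
# unauthorized delegation was live (documentation address ranges only).
OBSERVED_DURING_INCIDENT = {
    "example.tld": {
        "NS": {"ns1.rogue-dns.invalid.", "ns2.rogue-dns.invalid."},
        "A": {"198.51.100.77"},
        "MX": {"10 mx.rogue-dns.invalid."},
        "TXT": {"v=spf1 ip4:198.51.100.0/24 -all"},
    },
    "www.example.tld": {"A": {"198.51.100.77"}},
}


def diff_records(baseline, observed):
    """Return a list of (name, rtype, expected, seen) for every watched
    record set that differs from the baseline. A record set that is
    missing from the observation is reported as an empty set, so silent
    deletions are flagged just like substitutions."""
    findings = []
    for name, expected_sets in baseline.items():
        seen_sets = observed.get(name, {})
        for rtype in WATCHED_TYPES:
            if rtype not in expected_sets:
                continue
            expected = set(expected_sets[rtype])
            seen = set(seen_sets.get(rtype, ()))
            if seen != expected:
                findings.append((name, rtype, expected, seen))
    return findings


def is_delegation_hijack(findings):
    """True when the NS set itself changed. That is the registry-level
    change in this incident: once delegation moves, every other record
    in the zone is whatever the new name servers choose to answer, so
    A/MX/TXT differences are consequences rather than separate events."""
    return any(rtype == "NS" for _, rtype, _, _ in findings)


def format_findings(findings):
    """Human-readable lines suitable for an alert or ticket."""
    return [
        f"{name} {rtype}: expected {sorted(expected)}, saw {sorted(seen)}"
        for name, rtype, expected, seen in findings
    ]


if __name__ == "__main__":
    found = diff_records(BASELINE, OBSERVED_DURING_INCIDENT)
    for line in format_findings(found):
        print(line)
    if is_delegation_hijack(found):
        print("ALERT: NS delegation changed; treat the whole zone as untrusted")
```

Running the check against the registry's own authoritative servers rather than a recursive resolver matters here: the report notes that cached answers kept the rogue records alive for up to a TTL after the registries had reverted, so a resolver-based check would lag the actual state of the delegation.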

3. What about SSL certificates on the impacted domains?

We also checked the Certificate Transparency ( https://en.wikipedia.org/wiki/Certificate_Transparency ) logs, cross-checking for any SSL certificates issued for any of the impacted domains during the attack.

We identified 18 certificates issued on domains during the incident. After a manual verification on each of these 18 certificates, we were able to conclude that all of these were legitimate since the owners of the domains in question all possessed the private keys to each of the 18 certificates issued.

Many organizations provide free services for querying the Certificate Transparency logs, including:

– Google

– Facebook (which also lets you receive notifications whenever a certificate is issued for your domain)

– crt.sh (Note: using the syntax %.example.tld you can search all subdomains as well)
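The check described in this section, narrowing a domain's CT history down to certificates issued inside the incident window so each can be verified with the domain owner, is easy to script against crt.sh's JSON output. The following is an added example and not Gandi's tooling: the three log entries are constructed (field names follow crt.sh's JSON format, the domain and issuers are hypothetical), and the window end is padded by the report's three-hour propagation allowance on the assumption that a validation against still-cached rogue records remained possible for that long after reversal.

```python
"""Filter Certificate Transparency search results down to certificates
issued during an incident window, for manual ownership verification.

Added example, not Gandi's code. It consumes the JSON that crt.sh returns
for a query like https://crt.sh/?q=%25.example.tld&output=json (the
'%' wildcard covers subdomains, as noted in the text). The sample entries
are constructed; issuer names and the domain are hypothetical.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed crt.sh-style records for a hypothetical impacted domain.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "example.tld",
     "name_value": "example.tld\nwww.example.tld",
     "not_before": "2017-06-01T10:00:00", "not_after": "2017-08-30T10:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "mail.example.tld",
     "name_value": "mail.example.tld",
     "not_before": "2017-07-07T08:30:00", "not_after": "2017-10-05T08:30:00"},
    {"id": 1003, "issuer_name": "C=US, O=Other CA, CN=Other CA X2",
     "common_name": "www.example.tld",
     "name_value": "www.example.tld",
     "not_before": "2017-07-07T12:10:00", "not_after": "2017-10-05T12:10:00"},
])

# Incident window from the report: first change 08:04 UTC, registries
# finished reverting at 16:15 UTC, plus the up-to-three-hour propagation
# delay the report mentions (assumption: a CA validating against cached
# rogue records could still succeed during that tail).
WINDOW_START = datetime(2017, 7, 7, 8, 4, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 7, 7, 19, 15, tzinfo=timezone.utc)


def _parse_ts(value):
    """crt.sh timestamps are naive ISO-8601 in UTC; attach the zone."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_crtsh(raw_json):
    """Turn crt.sh JSON into a list of dicts with parsed times and the
    full SAN list split out (crt.sh joins names with newlines)."""
    entries = []
    for row in json.loads(raw_json):
        entries.append({
            "id": row["id"],
            "issuer": row["issuer_name"],
            "names": sorted(set(row["name_value"].split("\n"))),
            "not_before": _parse_ts(row["not_before"]),
            "not_after": _parse_ts(row["not_after"]),
        })
    return entries


def issued_in_window(entries, start, end):
    """Certificates whose validity began inside [start, end]. These are
    the ones to confirm with the domain owner (does the owner hold the
    private key?), as the report describes doing for 18 certificates."""
    return [e for e in entries if start <= e["not_before"] <= end]


def names_needing_review(entries, start, end):
    """Every host name covered by an in-window certificate, so the
    review can be organised per domain rather than per certificate."""
    names = set()
    for e in issued_in_window(entries, start, end):
        names.update(e["names"])
    return sorted(names)


def fetch_crtsh(domain, timeout=30):
    """Live query (not used by the offline demo). The '%.' prefix asks
    crt.sh to include subdomains; urlencode turns '%' into '%25'."""
    query = urllib.parse.urlencode({"q": "%." + domain, "output": "json"})
    with urllib.request.urlopen("https://crt.sh/?" + query, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_CRTSH_JSON)
    for c in issued_in_window(certs, WINDOW_START, WINDOW_END):
        print(f"crt.sh id {c['id']}: {c['issuer']} -> {', '.join(c['names'])} "
              f"(not_before {c['not_before'].isoformat()})")
    print("names to verify with owner:", names_needing_review(certs, WINDOW_START, WINDOW_END))
```

The filter deliberately keys on not_before rather than on the log entry timestamp: a precertificate can be logged some time before the leaf is issued, and it is issuance during the hijack that matters for deciding whether a certificate could have been obtained by someone controlling the rogue name servers.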

4. How was this attack even possible?

First of all, we should be clear that the attack did not involve any breach of our databases or back end nor did it involve a breach of our technical partner’s infrastructure. The attacker was able to make the changes by accessing the web portal of our technical partner using our login credentials, which they obtained surreptitiously.

These credentials were likewise not obtained through a breach of our systems; we strongly suspect they were captured from an insecure connection to our technical partner's web portal (the web platform in question allows access over plain HTTP).

As a rule, we have always systematically implemented all available security measures at all registries and technical partners (such as TOTP, IP restriction, etc.). Unfortunately, the technical partner in question only added these security measures recently, in 2016, and they had not been identified at the time of our most recent security audit.

5. What additional measures has Gandi undertaken since this incident occurred?

All login credentials for all 150 technical platforms which we use to connect to registries and technical partners are currently being reset.

We have also launched a security audit on our entire internal and external infrastructure.

As a rule, we also take advantage of the maximum security level offered by each registry or technical partner we connect to; we are now double-checking that no new features have been added that we could use to further secure these connections.

6. Why did Gandi delay in communicating these details?

Our principal concern was putting into place all necessary and appropriate security measures (as noted in the timeline above) and immediately investigating the attack before the attacker was alerted to the fact that they had been detected. This unfortunately required a delay before we were able to communicate publicly about this incident, but that delay in no way means that our team delayed in blocking the attacker or reversing the changes made.

We sincerely apologize that this incident occurred. Please be assured that our priority remains on the security of your data and that we will continue to protect your security and privacy in the face of ever-evolving threats.