DNS Hijacking Abuses Trust In Core Internet Service

DNS Hijacking Abuses Trust In Core Internet Service (Apr 17, 2019)

A new DNS hijacking campaign, dubbed “Sea Turtle,” has been discovered targeting private and public organisations primarily located in the Middle East and North Africa, according to researchers from Cisco Talos. The threat actors behind this campaign initiated the attacks by either exploiting registered vulnerabilities (CVE-2009-1151, CVE-2014-6271, CVE-2017-3881, CVE-2017-6736, CVE-2017-12617, CVE-2018-0296, CVE-2018-7600) or spear phishing emails. Once obtaining initial access, the threat actor would modify the NS records for the target organisations to direct users to a malicious DNS server that provided actor-controlled responses for all DNS queries. They then established a Man-in-the-Middle framework to impersonate legitimate services to steal credentials, and once the threat actor obtained the credentials, they directed the user to the legitimate service to evade detection. The affected industries include energy organisations, information technology firms, intelligence agencies, internet service providers, military organisations, ministries of foreign affairs, registrars, and telecommunications organisations.

Recommendation: Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company because sometimes proof-of-concept code for a vulnerability is published in open sources. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.