A newly-discovered state-sponsored campaign is targeting national security organizations across the Middle East and North Africa (MENA) – and elsewhere – with domain name system (DNS) hijacking attacks, used to scoop up credentials.
The campaign, dubbed “Sea Turtle” by the Cisco Talos researchers who discovered it, began as early as January 2017 and has continued through the first quarter of 2019.
At least 40 different organizations across 13 various countries have been compromised so far by the campaign; in addition to the MENA victims, secondary targets, including telecom firms, ISPs and DNS registrars are being targeted in the U.S. and Sweden.
Researchers in a Wednesday analysis said that the attackers behind the campaign have the capabilities and sophistication to grow: “While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,” they said.
The Campaign
The campaigns have been utilizing DNS hijacking attacks, a type of attack where an individual redirects traffic meant to go to a legitimate website to a malicious server — meaning that they could easily harvest website credentials and other sensitive data that users are sharing with web forms and the like.
Since 2017, more than 40 firms have been compromised by the Sea Turtle attacks – including national security organizations, ministries of foreign affairs and prominent energy organizations; and telecom firms, internet service providers (ISPs) and DNS registrars. That includes companies like consulting firm Cafax and DNS registry NetNod, which have both released public statements on the attacks.
In addition to these types of targets, researchers said the campaign represents the first known case of a domain name registry organization that was compromised for cyber-espionage operations. A domain name registry manages different parts of the domain registry, such as country code top-level domains and generic top-level domains. Compromising a domain name registry allows attackers to access the DNS logs, and highlights the sophistication of the attackers, researchers said.
The campaign has been “highly successful,” researchers said, in part because the attacker employed DNS hijacking and redirection attacks to access targeted networks, as traditional security products aren’t designed to monitor DNS requests, said researchers: “The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought,” researchers said.
The Attacks
The attackers gained initial access either through spear-phishing emails or through exploiting known flaws.
The phishing emails were aimed at registrants and used to gain their credentials. From there, the bad actors could access an organization’s DNS records with the registrant’s credentials.
or by exploiting known vulnerabilities – including a PHP code injection flaw in phpMyAdmin (CVE-2009-1151), a remote code exploit for Cisco integrated service router 2811 (CVE-2017-6736) and the infamous “Drupalgeddon” remote code execution Drupal glitch (CVE-2018-7600).
A list of impacted CVEs used by the attacker is below – but researchers say that they believe the list is incomplete and “the actor in question can leverage known vulnerabilities as they encounter a new threat surface.”
Once they gained access to a network, an attacker would access the DNS registry and modify the name system records for targeted firms, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries – allowing them to trick users to give them their credentials.
“The amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days,” researchers said. “This type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world.”
The threat actors also used an array of techniques to evade detection, researchers said.
For instance, once users put their credentials into impersonated services, they would then be passed to the legitimate service, and couldn’t tell that anything was wrong.
Attackers also used an interesting technique called certificate impersonation, where attackers stole a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization – making the web browser seem more legitimate.
Other Campaigns
Researchers said that they assess with high confidence that the hijacking attacks are being launched by an advanced, state-sponsored actor looking to access sensitive networks and systems – but stayed mum on who exactly that actor was.
“This is the first time Cisco Talos is documenting operations conducted by this threat actor,” Craig Williams, director of Talos Outreach at Cisco, told Threatpost. “While we assess with high confidence that this activity was carried out by an advanced, state-sponsored actor, we defer to law enforcement officials on establishing attribution.”
DNS-based attacks are an increasing worry for governments and enterprises alike.
In January, the Department of Homeland Security is ordering all federal agencies to urgently audit DNS security for their domains in the next 10 business days.
Also in January, a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa were linked to Iran. The attacks, which were related to a campaign dubbed “DNSpionage” by Cisco Talos researchers, had a high degree of success harvesting targets’ credentials, according to the firm.
However, Talos researchers said they assess with high confidence that the DNSpionage operations are “distinctly different and independent” from the Sea Turtle campaign.
“The report assesses with high confidence that Sea Turtle operations are distinctly different and independent from DNSpionage operations,” Williams told Threatpost. “DNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, both campaigns’ level of maturity and capability are distinctly different. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims. Due to the closely related nature of the attacks, overlapping TTPs [tactics, techniques and procedures] are common, but our visibility makes it very clear these are two different groups.”
To protect against these DNS hijacking attacks, Williams said that companies can implement a registry lock service, multi-factor authentication (to access DNS records), and of course staying up to date on patches, especially on internet-facing machines.
However, “once these credentials are stolen, it is virtually impossible to completely shut down a campaign until the credentials are regained, changed and locked,” he told Threatpost.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.