Security Market Segment LS
Thursday, 18 April 2019 08:35

State-sponsored actor targets Mideast, North Africa using DNS hijacking

By
State-sponsored actor targets Mideast, North Africa using DNS hijacking Image by Андрей Корман from Pixabay

A new cyber threat campaign that is claimed to be targeting public and private entities, including national security organisations in the Middle East and North Africa, has been discovered by Cisco's Talos Intelligence Group.

Researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres said in a detailed blog post that the campaign, which they had christened Sea Turtle, had kicked off probably in January 2017 and was continuing.

They said, by their count, a total of 40 organisations in 13 countries had been compromised by what they claimed was an advanced state-sponsored actor that appeared to be looking to gain persistent access to sensitive networks and systems.

"The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives," the five researchers said. "DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers."

They said the US Department of Homeland Security had issued an alert on 24 January 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organisation's domain names.

Among those who had been compromised, the Talos researchers said they had been able to identify two separate groups. One, the primary victims, included national security bodies, ministries of foreign affairs and energy organisations. These had been targeted through third-parties.

sea turtle

The secondary category of victims included a number of DNS registrars, telecommunications companies and Internet service providers.

Adamitis, Maynor, Mercer, Olney and Rascagneres wrote that the attackers behind Sea Turtle appeared to be extremely competent and brazen in the way they went about things.

"The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker's sophistication," they said.

"Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed."

The following exploits had been used by Sea Turtle:

CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin;

CVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs);

CVE-2017-3881: RCE by unauthenticated user with elevated privileges Cisco switches;

CVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811;

CVE-2017-12617: RCE affecting Apache web servers running Tomcat;

CVE-2018-0296: Directory traversal allowing unauthorised access to Cisco Adaptive Security Appliances (ASAs) and firewalls; and

CVE-2018-7600: RCE for Website built with Drupal, aka "Drupalgeddon".

The five researchers said they believed the campaign had been so successful for a number of reasons.

"First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains," they said.

"The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organisations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network."

They said the threat actors were able to maintain long-term persistent access to many of these networks by using compromised credentials.

LEARN HOW TO BE A SUCCESSFUL MVNO

Did you know: 1 in 10 mobile services in Australia use an MVNO, as more consumers are turning away from the big 3 providers?

The Australian mobile landscape is changing, and you can take advantage of it.

Any business can grow its brand (and revenue) by adding mobile services to their product range.

From telcos to supermarkets, see who’s found success and learn how they did it in the free report ‘Rise of the MVNOs’.

This free report shows you how to become a successful MVNO:

· Track recent MVNO market trends
· See who’s found success with mobile
· Find out the secret to how they did it
· Learn how to launch your own MVNO service

DOWNLOAD NOW!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments