The wave of domain hijacking attacks besetting the Internet over the past few months is worse than previously thought, according to a new report that says state-sponsored actors have continued to brazenly target key infrastructure despite growing awareness of the operation.
The report was published Wednesday by Ciscos Talos security group. It indicates that three weeks ago, the highjacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafaxs only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of
i.root, one of the Internets foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.
Reverse DNS records show that in late March nsd.cafax.com resolved to a malicious IP address controlled by the attackers. NSD is often used to abbreviate name server demon, an open-source app for managing DNS servers. It looks unlikely that the attackers succeeded in actually compromising Cafax, although it wasn't possible to rule out the possibility.
"I've also seen attributions to this name," Liman told Ars, referring to nsd.cafax.com. "The strange thing is that that name doesn't exist. There is, and, as far as I can remember, has never been, such a name in the legitimate cafax.se domain." He said the techniques involved in the March attack are consistent with the Netnod hijacking. Asked how the March attack affected Cafax customers, Liman wrote: "I don't know. I was not in a position to observe things as they happened, so I don't know what the black hats did."
The hackers—whom Talos claims are sponsored by the government of an unnamed country—carry out sophisticated attacks that typically start by exploiting known vulnerabilities in targets networks (in one known case they used spear phishing emails). The attackers use this initial access to obtain credentials that allow them to alter the DNS settings of the targets.
Short for "domain name system," DNS is one of the Internets most fundamental services. It translates human-readable domain names into the IP addresses one computer needs to locate other computers over the global network. DNS hijacking works by falsifying the DNS records to cause a domain to point to an IP address controlled by a hacker rather than the domains rightful owner. The ultimate objective of the campaign reported by Talos is to use the hijacked domains to steal login credentials that give persistent access to networks and systems of interest.
To do that, the attackers first alter DNS settings for targeted DNS registrars, telecom companies, and ISPs—companies like Cafax and Netnod. The attackers then use their control of these services to attack primary targets that use the services. The primary targets include national security organizations, ministries of foreign affairs, and prominent energy organizations, almost all of which are in the Middle East and North Africa. In all, Cisco has identified 40 organizations in 13 countries that have had their domains hijacked since as early as January 2017.
Despite widespread attention since the beginning of the year, the hijackings show no signs of abating (which is the usual course of action once a state-sponsored hacking operation becomes well-known). Reverse lookups of 27 IP addresses Cisco identified as belonging to the hackers (some of which were previously published by security firm Crowdstrike) show that besides Cafax, domains for the following organizations have all been hijacked in the past six weeks:
mofa.gov.sy, belonging to Syrias Ministry of Foreign Affairs
syriatel.sy, belonging to Syrian mobile telecommunications provider Syriatel
owa.gov.cy, a Microsoft Outlook Web access portal for the government of Cyprus (also previously hijacked by the same attackers)
syriamoi.gov.sy, Syrias Ministry of Interior
Attacking the foundation
In Wednesdays report, Talos researchers Danny Adamitis, David Maynor, Warren Mercer Olney, and Paul Rascagneres wrote:
While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the Internet. That trust, and the stability of the DNS system as a whole, drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.
Talos is calling the campaign “Sea Turtle,” which it says is distinctly different and independent from the DNSpionage mass DNS hijacking campaign Talos reported as targeting Middle East organizations last November. Since the beginning of the year, most researchers and reporters believed Sea Turtle was a continuation of DNSpionage.
In an email, Talos' outreach director, Craig Williams, explained:
DNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, a distinct difference is their level of maturity and capability. In DNSpionage we observed some failings, i.e. one of their malware samples was leaving a debug log. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims. Overlapping [techniques, tactics and procedures] are rife due to the very closely related nature of the attacks. Without additional intelligence it would be a fair assumption to see these attacks as one of the same. Our visibility, on the other hand, makes it very clear these are two different groups.
Talos was able to determine this distinction due to additional insights which other organizations may not have had access to. We assess, as mentioned, with high confidence that we believe DNSpionage and Sea Turtle are not related directly.
One of the things that makes Sea Turtle more mature is its use of a constellation of exploits that collectively allow its operators to gain initial access or to move laterally within the network of a targeted organization. Cisco is aware of seven now-patched vulnerabilities Sea Turtle targets:
- CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin
- CVE-2014-6271: remote code execution vulnerability in the GNU bash system, specifically SMTP (this was part of the vulnerabilities related to Shellshock)
- CVE-2017-3881: remote code execution vulnerability by unauthenticated user with elevated privileges in Cisco switches
- CVE-2017-6736: remote code exploit vulnerability in Cisco 2811 Integrated Services Routers
- CVE-2017-12617: remote code execution vulnerability in Apache Web servers running Tomcat
- CVE-2018-0296: directory traversal vulnerability allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls
- CVE-2018-7600: the so-called Drupalgeddon2 vulnerability in the Drupal content management system that allows remote code execution
Talos researchers said Sea Turtle used spear phishing in a previously reported compromise of Packet Clearing House, a Northern California non-profit that manages significant amounts of the worlds DNS infrastructure. In that case, as KrebsOnSecurity previously reported, attackers used the email to phish credentials that PCHs registrar used to send the Extensible Provisioning Protocol messages that act as a back-end for the global DNS system.
Once Sea Turtle hackers gain initial access to a target, they work to move laterally through its network until they acquire the credentials required to modify DNS records for domains of interest. Once the domains resolve to Sea Turtle-controlled IP addresses, the actors perform man-in-the-middle attacks that capture credentials of legitimate users logging in.
Sea Turtle uses legitimate, browser-trusted TLS certificates for the hijacked domains to hide the attacks. The certificates are obtained by using attackers' control of the domain to purchase a valid TLS certificate from a certificate authority. (Most CAs require only that a buyer prove it has control of the domain by, for instance, displaying a CA-provided code at a specific URL.) With increased control of the domain over time, attackers often go Read More – Source