State-Sponsored Hackers Use Sophisticated DNS Hijacking in Ongoing Attacks

With growing concern over DNS manipulation attacks, details on a new elite state-sponsored DNS hijacking campaign have been released. Called operation Sea Turtle, researchers believe that at least 40 different organizations across 13 countries have been compromised.

Researchers at Cisco Talos discovered the ongoing campaign targeting both public and private entities, including national security agencies, located primarily in the Middle East and North Africa. While confident that the attackers are state-sponsored, the researchers do not attribute the campaign to any specific state. They do, however, believe that this campaign is separate from -- and more severe than -- the DNSpionage operations Talos described in November 2018.

Talos is not alone in detecting and monitoring DNS attacks. FireEye reported on "a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America." FireEye said the actors concerned are "based in Iran and that the activity aligns with Iranian government interests."

Talos does not mention the FireEye research, the implication being that a separate state-sponsored group is behind the Sea Turtle campaign.

In a statement emailed to SecurityWeek, FireEye commented, "we anticipate that more actors will adopt this technique in the near future. Additionally, though a great deal of the [activity] described by TALOS focuses on the Middle East and North Africa, there is no reason to assume DNS manipulation will remain limited to any region or vertical." This is also a Talos concern: "we are concerned that the success of this [Sea Turtle] operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology... and the stability of the DNS system as a whole drives the global economy."

Talos is calling for the establishment of a global norm that will keep the DNS system off-limits to state actors.

Sea Turtle's DNS hijacking occurs when the attackers modify DNS name records to point to servers they control. Victims are diverted to the attackers, their credentials stolen, and then sent on to their true destination. The only indication of anything wrong would be a tiny delay before the destination is reached.

Two groups of victims have been detected: the primary targets including national security organizations, ministries of foreign affairs, and prominent energy organizations; and a secondary group comprising numerous DNS registrars, telecommunication companies, and ISPs. Compromising the secondary group facilitated DNS hijacking against the primary targets.

The DNS hijacking is, however, just the means to the end: the invisible theft of credentials that will provide access to networks and systems of interest. This involves three primary steps: establish a means to control the DNS records of the target; modify the DNS records to point to the attackers' server; and capture the victims' legitimate credentials before sending the victim and credentials on to the real target destination.

Gaining access to the DNS records is achieved by spear-phishing or exploiting known vulnerabilities -- including CVE-2009-1151 (PHP code injection), CVE-2017-12617 (RCE affecting Apache Tomcat), and CVE-2018-7600 (Drupalgeddon). Having gained access, the attackers modified the NS records for the targeted organization. This would redirect any user from anywhere in the world trying to access the target. The attacker-controlled server would respond with a falsified 'A' record providing the IP of the malicious MitM server rather than the IP of the target server.

The MitM server would use a legitimate certificate for the target IP, but obtained from an alternative source -- for example, Let's Encrypt (which provides free certificates). This would maintain the SSL padlock in the user's browser, and ensure the attackers could harvest the credentials. "When the victim entered their password into the attacker's spoofed webpage," notes Talos, "the actor would capture these credentials for future use. The only indication a victim received was a brief lag between when the user entered their information and when they obtained access to the service."

Many users will see 'HTTPS' and assume that everything is secure. There is a common perception that SSL provides security beyond just encrypting messages between A and B. "When threat actors (like those in this attack) are able to compromise the integrity of a security mechanism such as an X.509 certificate," Jason Davison, an advanced threat research analyst at Webroot, told SecurityWeek, "they are leveraging the trust a victim places when seeing the 'SSL padlock' displayed in the URL bar. This gives the MitM attack more authenticity to an unsuspecting victim."

Talos describes the attackers as brazen and persistent. If discovered, they do not simply give up and go away. On 5 February 2019, the Sweden-based registry NetNod acknowledged it had been compromised. In its public statement it said that it was not the ultimate target -- the compromise was designed to steal login details for internet services outside of Sweden. This, says Talos, allowed the attackers to harvest the credentials of administrators who manage domains with the TLD of Saudi Arabia.

In one of the more recent attacks in March 2019, the Sea Turtle attackers targeted the Swedish consulting firm, CAFAX. "We assess with high confidence," writes Talos, "that this organization was targeted in an attempt to re-establish access to the NetNod network, which was previously compromised by this threat actor."

The difficulty for defenders is that once the DNS system has been compromised, an attack is difficult if not impossible to detect. IPS and IDS systems, for example, are simply not designed to monitor and log DNS requests. Talos recommends that organizations use a registry lock service. This requires that out-of-band confirmation is provided before any changes can be made to an organization's DNS record. If registry lock is not available, then multi-factor authentication should be employed to protect access to the DNS records. Where a company believes it may have already been targeted, then a network-wide password reset is in order.

Nominet, the registry for UK domain names, told SecurityWeek that it uses two-factor authentication across its own systems, and domain lock for its registrars. "For businesses that have their own DNS provisions, we would recommend checking your DNS settings manually to ensure they are still pointing to legitimate servers. The issue with this sort of attack is that it's incredibly difficult to spot. We would recommend implementing stringent access protocols for your DNS settings, such as multi-factor authentication, as this additional layer of security makes it much harder for hackers to gain access to your systems."
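A defender-side check along the lines Talos and Nominet recommend, added here as an example (not code from the article, Talos or Nominet): it compares a signed-off baseline of each domain's NS set, apex A addresses and TLS certificate issuer against a fresh snapshot and flags exactly the drift described above (NS replaced, A record falsified, certificate re-issued by a different CA). The baseline and snapshot dictionaries, and every name and address in them, are constructed; in practice the snapshot would be filled from resolver output and the certificate the site actually serves.

```python
# Added example: baseline-vs-snapshot drift check for DNS hijacking.
# Assumes the defender keeps a signed-off baseline per domain and takes a
# periodic snapshot; all names and addresses below are constructed samples.

def _norm(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")

def check_domain(domain: str, baseline: dict, observed: dict) -> list:
    """Return (severity, message) findings where the snapshot deviates."""
    findings = []
    base_ns = {_norm(n) for n in baseline["ns"]}
    obs_ns = {_norm(n) for n in observed["ns"]}
    added, removed = obs_ns - base_ns, base_ns - obs_ns
    if added or removed:  # NS change at registrar/registry: the hijack foothold
        findings.append(("HIGH", f"{domain}: NS set changed, added "
                         f"{sorted(added)}, removed {sorted(removed)}"))
    if set(observed["a"]) != set(baseline["a"]):  # falsified A -> MitM host
        findings.append(("HIGH", f"{domain}: apex A now {sorted(observed['a'])}, "
                         f"baseline {sorted(baseline['a'])}"))
    if observed["cert_issuer"] != baseline["cert_issuer"]:  # padlock still lit
        findings.append(("MEDIUM", f"{domain}: certificate issuer changed to "
                         f"{observed['cert_issuer']!r}"))
    return findings

def run_checks(baselines: dict, snapshots: dict) -> dict:
    """Check every baselined domain; a missing snapshot is itself a finding."""
    report = {}
    for domain, base in baselines.items():
        if domain not in snapshots:
            report[domain] = [("HIGH", f"{domain}: no snapshot collected")]
        else:
            report[domain] = check_domain(domain, base, snapshots[domain])
    return report

# Constructed samples: one untouched domain (differs only in case and trailing
# dots, which must not alert) and one showing the full hijack pattern.
BASELINES = {
    "ministry.example": {"ns": {"ns1.gov-dns.example.", "ns2.gov-dns.example."},
                         "a": {"192.0.2.10"}, "cert_issuer": "Example Gov CA"},
    "telco.example": {"ns": {"ns1.telco.example"},
                      "a": {"198.51.100.5"}, "cert_issuer": "Example Public CA"},
}
SNAPSHOTS = {
    "ministry.example": {"ns": {"NS1.gov-dns.example", "ns2.gov-dns.example"},
                         "a": {"192.0.2.10"}, "cert_issuer": "Example Gov CA"},
    "telco.example": {"ns": {"ns1.rogue-dns.example."},
                      "a": {"203.0.113.77"}, "cert_issuer": "Other Free CA"},
}
```

Running `run_checks(BASELINES, SNAPSHOTS)` reports nothing for ministry.example and three findings for telco.example; a real deployment would feed it live snapshots on a schedule and page on any HIGH finding.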

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.