Security experts are warning of a new state-sponsored DNS hijacking campaign affecting at least 40 organizations across 13 countries.
Cisco Talos revealed in a blog post yesterday that the “Sea Turtle” campaign began back in January 2017 and has been active until the first quarter of this year, targeting mainly public and private sector organizations in the Middle East and North Africa.
Attackers sought first to gain DNS credentials from target organizations, either by exploiting known vulnerabilities or sending spear-phishing emails. They then typically used these log-ins to target the firm’s registrar, accessing their DNS records and modifying them to point users to a malicious server under the hackers’ control.
The group then set-up a classic man-in-the-middle (MiTM) operation, impersonating legitimate services to harvest user credentials.
“Once these credentials were captured, the user would then be passed to the legitimate service. To evade detection, the actors performed ‘certificate impersonation,’ a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization,” explained Cisco.
“This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected "SSL padlock" in the URL bar.”
With access to the target’s network, the attackers then stole the organization’s SSL certificate, enabling them to perform more MiTM attacks to harvest other credentials, expanding their access. Stolen certs were used for just a day to maintain good OpSec.
Primary targets were military organizations, national security agencies, foreign affairs ministries and energy companies in Libya, Egypt, UAE, Cyprus, Lebanon, Iraq, Jordan, Turkey, Armenia, Syria and Albania.
Secondary targets, infiltrated to gain access to the former, were mainly based in the US and Sweden and included DNS infrastructure firms such as registrars, ISPs, telcos, and one registry. Swedish DNS firm Netnod was one of these.
“Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am,” Cisco continued. “Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs.”
The firm warned that the group is highly capable and has continued in its operations, undeterred by media reports on some of its activity.
“Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains,” it concluded.
“The threat actors also used an interesting techniques called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network.”
Cath Goulding, head of cybersecurity at .uk registry Nominet, claimed its infrastructure was secure thanks to it taking a layered approach.
“While two-factor authentication helps verify authenticity, Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA. We are continually monitoring the situation, and would reassure the majority of consumers trying to access .UK domain names,” she said.
“For businesses that have their own DNS provisions, we would recommend checking your DNS settings manually to ensure they are still pointing to legitimate servers. The issue with this sort of attack is that it’s incredibly difficult to spot. We would recommend implementing stringent access protocols for your DNS settings, such as multi-factor authentication, as this additional layer of security makes it much harder for hackers to gain access to your systems.”
The group is not connected to the DNSpionage attacks revealed in November last year, according to Cisco.