.GR Hijacked By Sea Turtles

After several months of activity, the actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down, according to a post on Cisco’s Talos Intelligence blog this week. One of their targets appears to have been the Greek ccTLD .gr.

The Sea Turtle hijacking campaign appears to have recently regrouped
after Cisco Talos in April 2019 published its initial findings and coverage.
The actors, Talos writes, “are redoubling their efforts with new infrastructure.
While many actors will slow down once they are discovered, this group appears
to be unusually brazen, and will be unlikely to be deterred going forward.”

Cisco Talos also “identified a new wave of victims,
including a country code top-level domain (ccTLD) registry, which manages the
DNS records for every domain that uses that particular country code, that access was
used to then compromise additional government entities. Unfortunately, unless
there are significant changes made to better secure DNS, these sorts of attacks
are going to remain prevalent.”

According to the Talos blog, “the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), the ccTLD for Greece, acknowledged on its public website [see here in Greek only] that its network had been compromised on April 19, 2019. Based on Cisco telemetry, we determined that the actors behind the Sea Turtle campaign had access to the ICS-Forth network.”

“Cisco telemetry confirmed that the actors behind Sea Turtle
maintained access to the ICS-Forth network from an operational command and
control (C2) node. Our telemetry indicates that the actors maintained access in
the ICS-Forth network through at least April 24, five days after the statement
was publicly released. Upon analysis of this operational C2 node, we determined
that it was also used to access an organization in Syria that was previously
redirected using the actor-controlled name server ns1[.]intersecdns[.]com. This
indicates that the same threat actors were behind both operations.

“We also saw evidence that the threat actors researched the
open-source tool PHP-Proxy. Notably, this particular C2 node searched for both
blog.talosintelligence.com and ncsc.gov.uk, presumably to view Talos’ previous
reports on DNS hijacking and this DNS hijacking advisory from the United
Kingdom’s National Cyber Security Centre.”

The Talos Intelligence blog also notes they now have “moderate
confidence that the threat actors behind Sea Turtle have been using another DNS
hijacking technique. This new technique has been used very sparingly, and thus
far we have only identified two entities that were targeted in 2018, though we
believe there are likely more.

“This new technique once again involved modifying the target
domain’s name server records to point legitimate users to the actor-controlled
server. In this case, the actor-controlled name server and the hijacked
hostnames would both resolve to the same IP address for a short period of time,
typically less than 24 hours. In both observed cases, one of the hijacked
hostnames would reference an email service and the threat actors would
presumably harvest user credentials. One aspect of this technique that makes it
extremely difficult to track is that the actor-controlled name servers were not
used across multiple targets — meaning that every entity hijacked with this
technique had its own dedicated name server hostname and its own dedicated IP
address. Whereas previously reported name server domains such as
ns1[.]intersecdns[.]com were used to target multiple organizations.

“In one case, a private organization primarily used a
third-party service as their authoritative name server. Then, for a three-hour
window in January 2018, their name server records were changed to a name server
hostname that mimicked a slightly different version of the organization’s name.
During that three-hour window, the actor-controlled IP address hosted three
hostnames, the two actor-controlled name servers and the webmail hostname. This
would allow the threat actors to perform a man-in-the-middle (MitM) attack, as
outlined in our previous post, and harvest credentials. This technique was also
observed against a government organization in the Middle East and North
African region.”
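The three indicators in the technique Talos describes (NS records swapped away from the usual provider, a name server whose hostname mimics the organisation's name, and that name server sharing an IP address with the webmail hostname) can be checked from a defender's side. The following is an added example, not code from the Talos post or this article; the domain names, IPs and the in-memory DNS snapshot are constructed stand-ins for live resolver answers.

```python
import re
from difflib import SequenceMatcher

# Constructed DNS snapshot for a fictional organisation (assumed names, not real
# infrastructure): the NS records have been swapped to lookalike hosts that share
# an IP address with the organisation's webmail host, as in the Talos description.
EXPECTED_NS = {"ns1.dnsprovider.example", "ns2.dnsprovider.example"}
SNAPSHOT = {
    "example-org.com": {"NS": ["ns1.exampleorg-dns.net", "ns2.exampleorg-dns.net"]},
    "ns1.exampleorg-dns.net": {"A": ["203.0.113.10"]},
    "ns2.exampleorg-dns.net": {"A": ["203.0.113.10"]},
    "webmail.example-org.com": {"A": ["203.0.113.10"]},
    "ns1.dnsprovider.example": {"A": ["198.51.100.53"]},
    "ns2.dnsprovider.example": {"A": ["198.51.100.54"]},
}


def lookup(snapshot, name, rtype):
    """Records of one type for a name, normalised; [] when absent (stands in for a resolver)."""
    return [r.lower().rstrip(".") for r in snapshot.get(name, {}).get(rtype, [])]


def looks_like(org_label, ns_host, threshold=0.75):
    """Heuristic: does the NS host's registrable label mimic the organisation's name?"""
    parts = ns_host.split(".")
    ns_label = parts[-2] if len(parts) >= 2 else parts[0]
    a = re.sub(r"[^a-z0-9]", "", org_label.lower())
    b = re.sub(r"[^a-z0-9]", "", ns_label.lower())
    return a in b or SequenceMatcher(None, a, b).ratio() >= threshold


def check_domain(snapshot, domain, expected_ns, mail_host):
    """Compare the domain's NS records against an allowlist and flag hijack indicators."""
    findings = []
    unexpected = sorted(set(lookup(snapshot, domain, "NS")) - expected_ns)
    if unexpected:
        findings.append({"kind": "unexpected_ns", "hosts": unexpected})
    mail_ips = set(lookup(snapshot, mail_host, "A"))
    org_label = domain.split(".")[0]
    for ns in unexpected:
        shared = set(lookup(snapshot, ns, "A")) & mail_ips
        if shared:  # name server and mail host on one IP: the MitM setup Talos describes
            findings.append({"kind": "ns_shares_ip_with_mail", "host": ns, "ips": sorted(shared)})
        if looks_like(org_label, ns):  # NS hostname mimics the organisation's own name
            findings.append({"kind": "lookalike_ns", "host": ns})
    return findings


if __name__ == "__main__":
    for f in check_domain(SNAPSHOT, "example-org.com", EXPECTED_NS, "webmail.example-org.com"):
        print(f)
```

Run against a real resolver, the snapshot would be replaced by periodic NS and A lookups; because Talos saw the rogue records live for under 24 hours, the check needs to run at least hourly to catch the window.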

For the technically minded, to read the Cisco Talos Intelligence blog post in full, go to: https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html
