Security researchers discovered a DNS hijacking campaign targeting national security organizations and other entities over the past two years.
The campaign, called Sea Turtle by researchers at Cisco Talos, was described as state-sponsored domain name system hijacking attacks against targets “primarily in the Middle East and North Africa,” but the researchers fear the attacks may be the start of a new trend.
“We are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy,” Talos researchers wrote in a blog post. “Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.”
According to Cisco Talos researchers, the Sea Turtle DNS hijacking campaign began in January 2017 and was still active as of early this year. The attacks compromised approximately 40 organizations across 13 countries. The threat actors first targeted DNS registrars, telecommunication companies and internet service providers before launching the main DNS hijacking attacks against “national security organizations, ministries of foreign affairs and prominent energy organizations.”
The threat actors gathered credentials to DNS systems by using man-in-the-middle attacks and a technique researchers called “certificate impersonation,” where threat actors obtained valid X.509 certificates from other certificate authorities for the same domain used by the targeted organization. “For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let’s Encrypt or Comodo,” the blog post said.
Cisco Talos researchers said once threat actors gained access to a target organization’s network, they stole the valid SSL certificates used for security appliances and applications such as VPNs in order to collect more credentials and expand their access to the target environment. Craig Williams, director of outreach for Cisco Talos, wrote via email that once those credentials were stolen, “it is virtually impossible to completely shut down a campaign until the credentials are regained, changed and locked.
“In order to best protect against this type of attack, Talos suggests using a registry lock service, which will require an out-of-band message before any changes can occur to an organization’s DNS record. If your registrar does not offer a registry lock service, we recommend implementing multifactor authentication, such as Duo, to access your organization’s DNS records,” Williams said. “If you suspect you were targeted by this type of activity intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can monitor passive DNS records on their own domains, to check for abnormalities.”
In November 2018, Talos reported on a similar DNS hijacking campaign in the Middle East. In January, FireEye expanded on that research, noting that the attacks targeted government entities and might have been backed by Iran. Those reports led the Department of Homeland Security to order federal agencies to harden systems against potential DNS hijacking attacks.
Talos researchers determined this DNS hijacking campaign was independent from that past campaign, but Williams said, “This is likely a trend that we’ll continue to see evolve and used in more places around the world.”
John Hultquist, director of intelligence at FireEye, agreed and wrote via email, “We do believe this is a trend and we anticipate that more actors will take advantage of this tactic.”
Hultquist recommended enterprises use registrar lock, audit registrar accounts, implement DNS Security Extensions and DNS-based Authentication of Named Entities, and implement continuous monitoring to mitigate such attacks.
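One way to implement the monitoring Williams and Hultquist describe is to compare passive DNS observations for your own domains against a baseline of the records you expect and alert on drift in the NS, A/AAAA and MX records a hijacker would change. This is an added example, not code from Talos or FireEye; the domain names, addresses and the line-delimited JSON feed format are constructed for illustration.

```python
import json

# Record types whose unexpected change most often signals a hijack: NS (delegation
# moved to another provider), A/AAAA (traffic redirected to a foreign host), MX (mail).
WATCHED = ("NS", "A", "AAAA", "MX")

# Constructed baseline: the record data an organization expects for each name.
BASELINE = {
    "example.org": {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
                    "A": {"203.0.113.10"}, "MX": {"10 mail.example.org."}},
    "vpn.example.org": {"A": {"203.0.113.20"}},
}

# Constructed passive-DNS observations, one JSON object per line, in a shape
# similar to common passive DNS feeds (rrname / rrtype / rdata / time_first).
PASSIVE_DNS_FEED = """\
{"rrname": "example.org", "rrtype": "NS", "rdata": "ns1.example-dns.net.", "time_first": "2019-03-01T00:00:00Z"}
{"rrname": "example.org", "rrtype": "NS", "rdata": "ns2.example-dns.net.", "time_first": "2019-03-01T00:00:00Z"}
{"rrname": "example.org", "rrtype": "A", "rdata": "203.0.113.10", "time_first": "2019-03-01T00:00:00Z"}
{"rrname": "vpn.example.org", "rrtype": "A", "rdata": "198.51.100.77", "time_first": "2019-03-14T02:11:00Z"}
{"rrname": "example.org", "rrtype": "MX", "rdata": "10 mail.example.org.", "time_first": "2019-03-01T00:00:00Z"}
{"rrname": "example.org", "rrtype": "TXT", "rdata": "v=spf1 -all", "time_first": "2019-03-01T00:00:00Z"}
"""


def parse_feed(feed):
    """Group observed rdata (with first-seen time) by name and type; skip unwatched types."""
    observed = {}
    for line in feed.splitlines():
        rec = json.loads(line)
        if rec["rrtype"] not in WATCHED:
            continue
        by_type = observed.setdefault(rec["rrname"], {})
        by_type.setdefault(rec["rrtype"], {})[rec["rdata"]] = rec["time_first"]
    return observed


def find_anomalies(baseline, observed):
    """Alert on observed rdata absent from the baseline, and on baseline rdata no longer seen."""
    alerts = []
    for name, types in baseline.items():
        for rtype, expected in types.items():
            seen = observed.get(name, {}).get(rtype, {})
            for rdata, first in seen.items():
                if rdata not in expected:
                    alerts.append(f"UNEXPECTED {rtype} {name} -> {rdata} (first seen {first})")
            for rdata in expected - set(seen):  # legitimate record replaced or removed
                alerts.append(f"MISSING {rtype} {name} -> {rdata}")
    return alerts
```

In the constructed feed the VPN host's A record now points at an address outside the baseline, which is exactly the kind of change that preceded credential theft in the campaign described above.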