Just a few months ago, researchers at Cisco's Talos cybersecurity unit sounded the alarm after discovering a previously unknown hacker group targeting a core part of the internet's infrastructure.
Their alarm was heard: FireEye soon came out with new intelligence warning of a "global" domain name hijacking campaign targeting websites of predominantly Arab governments. The campaign, dubbed "DNSpionage," rerouted users from a legitimate web address to a malicious server to steal passwords. Homeland Security warned that the U.S. government had been targeted, and ICANN, the non-profit charged with keeping the internet's address book, said the domain name system (DNS) was under an "ongoing and significant" attack and urged domain owners to take action.
Now, Talos researchers say they've found another highly advanced hacker group, likely backed by a nation-state, which they say has targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years.
"We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage," said the Talos report out Wednesday, seen by TechCrunch.
The group, which Talos calls "Sea Turtle" (an internal codename that ended up sticking), similarly targets companies by hijacking their DNS. That allows the hackers to point a target's domain name to a malicious server of their choosing. This clever site-spoofing technique exploits long-known weaknesses in DNS that can be used to trick unsuspecting corporate victims into turning over their credentials on fake login pages, which the hackers can then use for further compromise.
"This is a new group that's operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures," Craig Williams, director of outreach at Cisco Talos, told TechCrunch.
The hackers first compromise an intended target using spearphishing to get a foothold on the network, then use known exploits against servers and routers to move laterally and obtain and exfiltrate network-specific passwords. The hackers then use those credentials to target the organization's DNS registrar, updating its records so that the domain name points away from the IP address of the target's server and towards a server controlled by the hackers.
Once the target's domain is pointing to the malicious server, the hackers can run a man-in-the-middle operation to impersonate login pages and scrape the usernames and passwords of staff as a way of getting deeper access into the network. The hackers also obtained their own HTTPS certificates for the target's domain from another provider to make the malicious server look like the real thing.
With the credentials for greater network access in hand, the hackers aim to obtain the target's SSL certificates used across the corporate network, granting greater visibility into the organization's operations. The attackers also stole the SSL certificates used in security appliances, such as virtual private networks (VPN), which were then used to steal credentials and gain access to the organization's network from outside its walls.
Using this same technique, Talos said the hacker group compromised Netnod, a DNS provider in Sweden and the operator of one of the 13 root servers that power the global DNS infrastructure. In February, Netnod confirmed its infrastructure had been hijacked. The successful attack allowed the hackers to steal the passwords of administrators who manage Saudi Arabia's top-level domain, .sa, suggesting other Saudi-based companies could be in the hacker group's crosshairs.
Williams said Talos can "conclusively" link the Sea Turtle hackers to the Netnod attack.
In another case, the hackers gained access to the registrar that manages Armenia's top-level domains, allowing the group to potentially target any .am domain name.
Talos would not name the targets of the attacks nor the registrars at risk, citing the risk of further or copycat attacks, and the researchers would not name the state likely behind the group, instead deferring to the authorities to attribute. But the researchers said Armenia, along with Egypt, Turkey, Sweden, Jordan, and the United Arab Emirates, were among the countries where they found victims.
Given that the eventual targets included internet and telecom infrastructure companies, foreign ministries, and intelligence agencies in the Middle East and Africa, Williams said the group's primary motivation is espionage.
Sea Turtle is said to be "highly capable," according to the researchers' findings, and the hackers are able to maintain long-term access by using the stolen credentials.
The researchers urged companies to begin using DNSSEC, a cryptographically more secure extension of the domain name system that is far harder to spoof, and to require two-factor authentication for changes to an organization's DNS records.
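A defender's counterpart to the registrar-level record change and certificate swap described above, as an added example that is not code from Talos or from the TechCrunch article: it diffs a fresh observation of a zone's nameservers, host addresses and certificate issuer against a known-good baseline, the kind of drift check that complements DNSSEC and two-factor on registrar accounts. The zone names, addresses and CA names are constructed placeholders.

```python
# Constructed baseline for a zone a defender controls; the names, addresses
# and CA are placeholders, not real records.
EXPECTED = {
    "ns": {"ns1.registrar.test", "ns2.registrar.test"},
    "a": {"mail.example.test": {"203.0.113.10"},
          "vpn.example.test": {"203.0.113.20"}},
    "cert_issuer": {"mail.example.test": "Example CA",
                    "vpn.example.test": "Example CA"},
}

def parse_answers(lines):
    """Parse 'name TYPE value' lines (a tidied dig answer section) into the
    observed structure that check_snapshot expects."""
    observed = {"ns": set(), "a": {}}
    for line in lines:
        name, rtype, value = line.split()
        if rtype == "NS":
            observed["ns"].add(value.rstrip("."))
        elif rtype == "A":
            observed["a"].setdefault(name.rstrip("."), set()).add(value)
    return observed

def check_snapshot(expected, observed, cert_issuers):
    """Return (code, detail) findings where live state drifted from the
    baseline; an empty list means delegation, addresses and CA all match."""
    findings = []
    # Delegation change at the registrar: a nameserver not in the baseline.
    new_ns = observed["ns"] - expected["ns"]
    if new_ns:
        findings.append(("NS_CHANGED", ",".join(sorted(new_ns))))
    # Host record change: a name now resolves to an address we do not own.
    for host, addrs in observed["a"].items():
        bad = addrs - expected["a"].get(host, set())
        if bad:
            findings.append(("A_CHANGED", host + "->" + ",".join(sorted(bad))))
    # Certificate issued by a CA other than the one the organization uses.
    for host, issuer in cert_issuers.items():
        if issuer != expected["cert_issuer"].get(host):
            findings.append(("CERT_ISSUER_CHANGED", host + ":" + issuer))
    return findings

# Constructed observation of a hijacked zone: an added nameserver, the mail
# host pointed elsewhere, and a certificate from a different provider.
HIJACKED_ANSWERS = ["example.test. NS ns1.registrar.test.",
                    "example.test. NS ns9.other-host.test.",
                    "mail.example.test. A 198.51.100.7",
                    "vpn.example.test. A 203.0.113.20"]
HIJACKED_ISSUERS = {"mail.example.test": "Other CA", "vpn.example.test": "Example CA"}
if __name__ == "__main__":
    print(check_snapshot(EXPECTED, parse_answers(HIJACKED_ANSWERS), HIJACKED_ISSUERS))
```

In practice the observed lines would come from resolving the zone from several vantage points and from the certificate actually served on each host; the check is meant to run on a schedule so a registrar-side change is noticed before the spoofed login page collects credentials.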
"While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system," the researchers said.