Researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres said in a detailed blog post that the campaign, which they had christened Sea Turtle, had kicked off probably in January 2017 and was continuing.
They said, by their count, a total of 40 organisations in 13 countries had been compromised by what they claimed was an advanced state-sponsored actor that appeared to be looking to gain persistent access to sensitive networks and systems.
"The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives," the five researchers said. "DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers."
|
|
Among those who had been compromised, the Talos researchers said they had been able to identify two separate groups. One, the primary victims, included national security bodies, ministries of foreign affairs and energy organisations. These had been targeted through third-parties.
The secondary category of victims included a number of DNS registrars, telecommunications companies and Internet service providers.
Adamitis, Maynor, Mercer, Olney and Rascagneres wrote that the attackers behind Sea Turtle appeared to be extremely competent and brazen in the way they went about things.
"The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker's sophistication," they said.
"Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed."
The following exploits had been used by Sea Turtle:
CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin;
CVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs);
CVE-2017-3881: RCE by unauthenticated user with elevated privileges Cisco switches;
CVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811;
CVE-2017-12617: RCE affecting Apache web servers running Tomcat;
CVE-2018-0296: Directory traversal allowing unauthorised access to Cisco Adaptive Security Appliances (ASAs) and firewalls; and
CVE-2018-7600: RCE for Website built with Drupal, aka "Drupalgeddon".
The five researchers said they believed the campaign had been so successful for a number of reasons.
"First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains," they said.
"The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organisations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network."
They said the threat actors were able to maintain long-term persistent access to many of these networks by using compromised credentials.
