Security Market Segment LS
Thursday, 18 April 2019 08:35

State-sponsored actor targets Mideast, North Africa using DNS hijacking

State-sponsored actor targets Mideast, North Africa using DNS hijacking Image by Андрей Корман from Pixabay

A new cyber threat campaign that is claimed to be targeting public and private entities, including national security organisations in the Middle East and North Africa, has been discovered by Cisco's Talos Intelligence Group.

Researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres said in a detailed blog post that the campaign, which they had christened Sea Turtle, had kicked off probably in January 2017 and was continuing.

They said, by their count, a total of 40 organisations in 13 countries had been compromised by what they claimed was an advanced state-sponsored actor that appeared to be looking to gain persistent access to sensitive networks and systems.

"The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives," the five researchers said. "DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers."

They said the US Department of Homeland Security had issued an alert on 24 January 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organisation's domain names.

Among those who had been compromised, the Talos researchers said they had been able to identify two separate groups. One, the primary victims, included national security bodies, ministries of foreign affairs and energy organisations. These had been targeted through third-parties.

sea turtle

The secondary category of victims included a number of DNS registrars, telecommunications companies and Internet service providers.

Adamitis, Maynor, Mercer, Olney and Rascagneres wrote that the attackers behind Sea Turtle appeared to be extremely competent and brazen in the way they went about things.

"The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker's sophistication," they said.

"Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed."

The following exploits had been used by Sea Turtle:

CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin;

CVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs);

CVE-2017-3881: RCE by unauthenticated user with elevated privileges Cisco switches;

CVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811;

CVE-2017-12617: RCE affecting Apache web servers running Tomcat;

CVE-2018-0296: Directory traversal allowing unauthorised access to Cisco Adaptive Security Appliances (ASAs) and firewalls; and

CVE-2018-7600: RCE for Website built with Drupal, aka "Drupalgeddon".

The five researchers said they believed the campaign had been so successful for a number of reasons.

"First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains," they said.

"The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organisations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network."

They said the threat actors were able to maintain long-term persistent access to many of these networks by using compromised credentials.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments