
Re: None

Thursday, 04/18/2019 10:50:37 AM
'Sea Turtle' Campaign Focuses on DNS Hijacking to Compromise Targets

https://www.bleepingcomputer.com/news/security/sea-turtle-campaign-focuses-on-dns-hijacking-to-compromise-targets/

For at least two years, a highly capable threat actor has been running a campaign that relied on DNS hijacking to reach their targets. In the operation, at least 40 public and private organizations in 13 countries have been compromised.

The domain name system (DNS) is the service that allows us to access websites by typing domain names instead of IP addresses in a browser's address bar. It translates the names into the numerical destination of the server hosting the web page we want to load.

Access to DNS records enables an attacker to replace the addresses of a target's name servers so that they point to their own infrastructure. Once in control of the name servers responsible for handling requests for IP addresses associated with web domains, the threat actor can direct victims to content on malicious servers.

Two types of victims

Dubbed Sea Turtle, the operation made victims located primarily in the Middle East and North Africa. The main targets are ministries of foreign affairs, military organizations, intelligence agencies, energy companies. The purpose of compromising them is cyber-espionage.

To gain access to their sensitive networks, the threat actor behind Sea Turtle compromised third-party entities responsible for responding to DNS queries for a target's web asset at various levels in the domain name space.

These include telcos, internet service providers (ISPs), IT companies, domain registrars (including those that manage country code top-level domains - ccTLDs), and one DNS registry. These are secondary targets.

Spear-phishing and old vulnerabilities

Researchers at Cisco's Talos security division on Wednesday published a report on the Sea Turtle campaign, linking it to the DNS hijacking incidents involving the Netnod registry that were disclosed at the beginning of the year.

In a statement at the time, Netnod said that it was not the target of the attacks but a route for the attacker to "capture of login details for Internet services in countries outside of Sweden" by changing DNS records.

The attack vectors used in the Sea Turtle campaign were spear-phishing (in at least one instance) and multiple known vulnerabilities, one of them as old as 2009. The following is a likely incomplete list of security flaws used to gain initial access or to move laterally on a compromised network:

After changing the DNS records, Sea Turtle operators set up a man-in-the-middle (MitM) framework that impersonated legitimate services used by the victim with the purpose of stealing login credentials.

To evade detection, the actors performed "certificate impersonation," a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected "SSL padlock" in the URL bar.

Sea Turtle operators are very likely state-sponsored and, despite the sophisticated approach to compromising targets, there are ways to make their work more difficult. Netnod proposes the following defense measures:

• Use DNSSEC (both signing zones and validating responses)
• Use registration features like Registry Lock and the like that can protect domain names from being changed
• Use classic access control lists for applications, Internet traffic and their monitoring
• Use 2-factor authentication, and require it to be used by all relevant users and subcontractors
• In cases where passwords are used, use unique passwords and password managers
• Review accounts with registrars and other providers
• Monitor certificates by monitoring, for example, the Certificate Transparency log
=================================================================
This article serves as another great reason for organizations to use Wave VSC 2.0 across their computer fleets!!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/
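Two of the defenses in the Netnod list above map directly onto the Sea Turtle tradecraft the article describes: watching the NS delegation for a domain (the record a compromised registrar or registry rewrites) and watching Certificate Transparency logs for a certificate issued for your domain by a CA you do not use (the "certificate impersonation" step). The script below is an added example, not code from the article, from Netnod, from Talos, or from the poster; example.org, the name-server hostnames, the issuer strings and all observations are constructed placeholders, and it runs entirely offline.

```python
"""Monitor for the two Sea Turtle signals: a changed NS delegation and a
certificate for a watched domain from a CA the organization does not use.
Added example with constructed data; it performs no network queries."""
from dataclasses import dataclass

# Constructed baseline. example.org and the ns*/issuer values are placeholders;
# a real deployment fills these from the registrar account and the CA inventory.
BASELINE_NS = {"example.org": {"ns1.example.org.", "ns2.example.org."}}
ALLOWED_ISSUERS = {"example.org": {"DigiCert"}}


@dataclass(frozen=True)
class CtEntry:
    """A simplified Certificate Transparency log entry (constructed)."""
    names: tuple   # DNS subject alternative names on the certificate
    issuer: str    # issuing CA, as the monitor normalizes it
    logged_at: str


def _norm(name: str) -> str:
    """Lower-case and restore the trailing dot so spellings compare equal."""
    return name.lower().rstrip(".") + "."


def covers_domain(san: str, domain: str) -> bool:
    """True if a SAN names the domain, a subdomain, or a wildcard under it."""
    san, domain = _norm(san), _norm(domain)
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def check_ns(domain: str, observed_ns) -> dict:
    """Diff the observed NS set against the baseline.

    observed_ns should come from the parent zone's authoritative servers
    (the delegation), because that is the record a registrar or registry
    compromise rewrites; a recursive resolver may still serve a cached copy.
    """
    expected = {_norm(n) for n in BASELINE_NS[domain]}
    observed = {_norm(n) for n in observed_ns}
    return {"added": sorted(observed - expected),
            "removed": sorted(expected - observed)}


def check_ct(domain: str, entries) -> list:
    """Flag CT entries naming the domain whose issuer is not on the allowlist."""
    alerts = []
    for e in entries:
        hits = [n for n in e.names if covers_domain(n, domain)]
        if hits and e.issuer not in ALLOWED_ISSUERS[domain]:
            alerts.append({"names": hits, "issuer": e.issuer,
                           "logged_at": e.logged_at})
    return alerts


# Constructed observations standing in for a delegation query and a CT feed.
OBSERVED_NS = ["ns1.example.org.", "NS-HIJACK.example.net"]
CT_FEED = [
    CtEntry(("example.org", "www.example.org"), "DigiCert", "2019-01-02T00:00:00Z"),
    CtEntry(("mail.example.org",), "Let's Encrypt", "2019-01-03T00:00:00Z"),
    CtEntry(("www.example.net",), "Comodo", "2019-01-03T00:00:00Z"),
]


def run_checks(domain: str = "example.org", observed_ns=OBSERVED_NS,
               ct_feed=CT_FEED) -> dict:
    """Run both checks and return the findings as one report."""
    return {"ns": check_ns(domain, observed_ns), "ct": check_ct(domain, ct_feed)}


if __name__ == "__main__":
    report = run_checks()
    for what in ("added", "removed"):
        for ns in report["ns"][what]:
            print(f"ALERT delegation {what}: {ns}")
    for a in report["ct"]:
        print(f"ALERT unexpected issuer {a['issuer']} for "
              f"{', '.join(a['names'])} at {a['logged_at']}")
```

In practice the `OBSERVED_NS` list is replaced by the NS RRset answered by the parent zone's servers (a non-recursive NS query against the TLD's authoritative name servers, rather than against your own resolver), and `CT_FEED` by entries from a CT log monitor; both checks normalize case and the trailing dot so that a record rewritten with a different spelling is still compared correctly. A hit from `check_ct` is exactly the situation the article describes, where the browser padlock stays green because the impostor certificate is a valid one from a different CA, so the issuer allowlist rather than certificate validity is what catches it.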