The wave of domain hijackings besetting the Internet is worse than we thought

The wave of domain hijacking attacks besetting the Internet over the past few months is worse than previously thought, according to a new report that says state-sponsored actors have continued to brazenly target key infrastructure despite growing awareness of the operation.

The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the highjacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.

Reverse DNS records show that in late March nsd.cafax.com resolved to a malicious IP address controlled by the attackers. NSD is often used to abbreviate name server demon, an open-source app for managing DNS servers. It looks unlikely that the attackers succeeded in actually compromising Cafax, although it wasn't possible to rule out the possibility.

"I've also seen attributions to this name," Liman told Ars, referring to nsd.cafax.com. "The strange thing is that that name doesn't exist. There is, and, as far as I can remember, has never been, such a name in the legitimate cafax.se domain." He said the techniques involved in the March attack are consistent with the Netnod hijacking. Asked how the March attack affected Cafax customers, Liman wrote: "I don't know. I was not in a position to observe things as they happened, so I don't know what the black hats did."

The hackers—whom Talos claims are sponsored by the government of an unnamed country—carry out sophisticated attacks that typically start by exploiting known vulnerabilities in targets’ networks (in one known case they used spear phishing emails). The attackers use this initial access to obtain credentials that allow them to alter the DNS settings of the targets.

Persistent access

Short for "domain name system," DNS is one of the Internet’s most fundamental services. It translates human-readable domain names into the IP addresses one computer needs to locate other computers over the global network. DNS hijacking works by falsifying the DNS records to cause a domain to point to an IP address controlled by a hacker rather than the domain’s rightful owner. The ultimate objective of the campaign reported by Talos is to use the hijacked domains to steal login credentials that give persistent access to networks and systems of interest.

To do that, the attackers first alter DNS settings for targeted DNS registrars, telecom companies, and ISPs—companies like Cafax and Netnod. The attackers then use their control of these services to attack primary targets that use the services. The primary targets include national security organizations, ministries of foreign affairs, and prominent energy organizations, almost all of which are in the Middle East and North Africa. In all, Cisco has identified 40 organizations in 13 countries that have had their domains hijacked since as early as January 2017.

Despite widespread attention since the beginning of the year, the hijackings show no signs of abating (which is the usual course of action once a state-sponsored hacking operation becomes well-known). Reverse lookups of 27 IP addresses Cisco identified as belonging to the hackers (some of which were previously published by security firm Crowdstrike) show that besides Cafax, domains for the following organizations have all been hijacked in the past six weeks:

• mofa.gov.sy, belonging to Syria’s Ministry of Foreign Affairs
• syriatel.sy, belonging to Syrian mobile telecommunications provider Syriatel
• owa.gov.cy, a Microsoft Outlook Web access portal for the government of Cyprus (also previously hijacked by the same attackers)
• syriamoi.gov.sy, Syria’s Ministry of Interior

Attacking the foundation

In Wednesday’s report, Talos researchers Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney, and Paul Rascagneres wrote:

While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the Internet. That trust, and the stability of the DNS system as a whole, drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

Talos is calling the campaign “Sea Turtle,” which it says is distinctly different and independent from the DNSpionage mass DNS hijacking campaign Talos reported as targeting Middle East organizations last November. Since the beginning of the year, most researchers and reporters believed Sea Turtle was a continuation of DNSpionage.

In an email, Talos' outreach director, Craig Williams, explained:

DNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, a distinct difference is their level of maturity and capability. In DNSpionage we observed some failings, i.e. one of their malware samples was leaving a debug log. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims. Overlapping [techniques, tactics and procedures] are rife due to the very closely related nature of the attacks. Without additional intelligence it would be a fair assumption to see these attacks as one of the same. Our visibility, on the other hand, makes it very clear these are two different groups.

Talos was able to determine this distinction due to additional insights which other organizations may not have had access to. We assess, as mentioned, with high confidence that we believe DNSpionage and Sea Turtle are not related directly.

One of the things that makes Sea Turtle more mature is its use of a constellation of exploits that collectively allow its operators to gain initial access or to move laterally within the network of a targeted organization. Cisco is aware of seven now-patched vulnerabilities Sea Turtle targets:

• CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin
• CVE-2014-6271: remote code execution vulnerability in the GNU bash system, specifically SMTP (this was part of the vulnerabilities related to Shellshock)
• CVE-2017-3881: remote code execution vulnerability by unauthenticated user with elevated privileges in Cisco switches
• CVE-2017-6736: remote code exploit vulnerability in Cisco 2811 Integrated Services Routers
• CVE-2017-12617: remote code execution vulnerability in Apache Web servers running Tomcat
• CVE-2018-0296: directory traversal vulnerability allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls
• CVE-2018-7600: the so-called Drupalgeddon2 vulnerability in the Drupal content management system that allows remote code execution

Talos researchers said Sea Turtle used spear phishing in a previously reported compromise of Packet Clearing House, a Northern California non-profit that manages significant amounts of the world’s DNS infrastructure. In that case, as KrebsOnSecurity previously reported, attackers used the email to phish credentials that PCH’s registrar used to send the Extensible Provisioning Protocol messages that act as a back-end for the global DNS system.

Once Sea Turtle hackers gain initial access to a target, they work to move laterally through its network until they acquire the credentials required to modify DNS records for domains of interest. Once the domains resolve to Sea Turtle-controlled IP addresses, the actors perform man-in-the-middle attacks that capture credentials of legitimate users logging in.

Sea Turtle uses legitimate, browser-trusted TLS certificates for the hijacked domains to hide the attacks. The certificates are obtained by using attackers' control of the domain to purchase a valid TLS certificate from a certificate authority. (Most CAs require only that a buyer prove it has control of the domain by, for instance, displaying a CA-provided code at a specific URL.) With increased control of the domain over time, attackers often go on to steal the TLS certificate originally issued to the domain owner.

VPNs? No problem

The hackers also use legitimate certificates to impersonate virtual private network applications or devices, including Cisco’s Adaptive Security Appliance products. This impersonation then is used to facilitate man-in-the-middle attacks.

“By gaining access to the SSLVPN certificate used to provide the VPN portal, an individual user will be easily tricked into believing it is a legitimate service of their organization,” Williams told Ars. “Sea Turtle would then be able to easily harvest valid VPN credentials and with that they would be able to gain further access to their target infrastructure.”

The hijackings last anywhere from minutes to days. In many cases, the intervals were so short that the malicious domain resolutions aren’t reflected in passive DNS lookups. Below are diagrams outlining the methodology:

Another way that Sea Turtle stands out is its use of attacker-controlled name servers. DNSpionage, by contrast, made use of compromised name servers that belonged to other entities. Sea Turtle was able to do this by compromising DNS registrars and other service providers, and then forcing them to the hacker-controlled name servers.

Secrets to success

Talos said Sea Turtle has continued to be highly successful for several reasons. For one, intrusion detection and intrusion prevention systems aren’t designed to log DNS requests. That leaves a major blind spot for people who are trying to detect attacks on their networks.

Another reason is that DNS was designed in a much earlier era of the Internet, when parties trusted each other to act benignly. It was only much later that engineers devised security measures such as DNSSEC—a protection designed to defeat domain hijackings by requiring DNS records to be digitally signed. Many registries still don’t use DNSSEC, but even when it is used, it’s not a guarantee it will stop Sea Turtle. In one of the attacks on Netnod, the hackers used their control of Netnod’s registrar to disable DNSSEC for long enough to generate valid TLS certificates for two Netnod email servers.

The previously overlooked technique allowing browser-trusted certificate impersonation has also contributed greatly to Sea Turtle’s success.

Wednesday’s report is the latest reminder of the importance of locking down DNS networks. Measures include:

• Using DNSSEC for both signing zones and validating responses
• Using Registry Lock or similar services to help protect domain name records from being changed
• Using access control lists for applications, Internet traffic, and monitoring
• Mandating multi-factor authentication for all users, including subcontractors
• Using strong passwords, with the help of password managers if necessary
• Regularly reviewing accounts with registrars and other providers to check for signs of compromise
• Monitoring for the issuance of unauthorized TLS certificates for domains

The report also details indicators of compromise that network administrators can use to determine if their networks have been targeted by Sea Turtle. For networks that have been compromised, undoing the damage goes well beyond restoring the rightful DNS settings.

“There has been this huge resistance to believing how bad these compromises are,” Bill Woodcock, executive director of Packet Clearing House, told Ars. “The very first thing [attackers] do when they get in is start trying to put in a bunch more backdoors, so you really have to turn things upside down to have any reasonable assurance of security going forward. There are a lot of people who think of these things as brief incidents rather than thinking of them as ongoing campaigns.”