A wave of DNS hijacking attacks targeting victims in North America, Europe, the Middle East and North Africa has been linked to Iran. The attacks, which have been ongoing over the past two years, have had “a high degree of success” harvesting targets’ credentials, according to researchers.
Researchers at FireEye said that the attacks were launched mainly against government, telecom and internet infrastructure firms. Attacks involved intercepting traffic from firms with the goal of harvesting victims’ usernames, passwords and domain credentials.
Researchers believe the adversaries behind the attacks are Iran-based cyber espionage actors. “While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran,” said FireEye researchers Muks Hirani, Sarah Jones and Ben Read, who co-authored the report.
The attacks have been observed in clusters between January 2017 and January 2019, the researchers said in the Wednesday analysis of the attacks.
“This campaign has targeted victims across the globe on an almost unprecedented scale,” according to FireEye. “A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates.”
Alister Shepherd, MEA Director of Mandiant at FireEye, told Threatpost that the campaign is ongoing – but there is no indication of how many credentials have been harvested thus far. Researchers identified three varieties of attacks, each affecting dozens of domains.
DNS hijacking is a type of malicious attack in which an individual redirects queries to a domain name server by overriding a computer’s transmission control protocol/internet protocol (TCP/IP) settings – generally by modifying a server’s settings.
While this campaign employs some traditional tactics, “it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale,” said researchers. “The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways.”
Specifically, the attacker uses three different methods to carry out the DNS hijacking attacks.
In the first technique, they log into the DNS provider’s administration panel using previously-compromised credentials (likely scooped through phishing techniques, etc.). They then change the DNS A records to intercept the traffic. An A record is a type of DNS record (used to control the location of a resource on the internet) that points a logical domain name to the IP address of that domain’s hosting server.
In a second technique the attackers use a similar method (previously-compromised credentials) to log into the admin panel, and from there they hack into the victim’s domain registrar account and change DNS NS records. The NS records specify the servers providing DNS services for that domain name, so in changing them attackers could redirect traffic to a different attacker-controlled server.
In a third method attackers use a DNS redirector, an attacker operations box which responds to DNS requests (as well as altered A and NS records) to redirect victim traffic to attacker-maintained infrastructure.
In all cases the attackers use a certificate from Let’s Encrypt, a free, automated, and open certificate authority, which allows browsers to establish a connection without any certificate errors because the certificate can be trusted. That helps the attackers slip by without notice, as the victim is unaware of any changes and may only notice a slight delay.
While researchers said that attribution for the campaign is ongoing, they assess “with moderate confidence” that the activity is conducted by a group or groups in Iran and that the activity aligns with Iranian government interests.
This is because they discovered Iranian IPs were being used to access machines that were then used to intercept and redirect the network traffic. Further, the victims targeted include Middle Eastern governments whose confidential information would be of interest to the Iranian government.
“While geolocation of an IP address is a weak indicator, these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors,” said the researchers.
Previous Campaigns
This most recent DNS hijacking campaign “showcases the continuing evolution in tactics from Iran-based actors,” FireEye researchers stressed. “This is an overview of one set of TTPs that we recently observed affecting multiple entities.”
The infrastructure used is related to the attacker previously reported by Cisco Talos researchers in November, according to Paul Rascagneres, researcher at Cisco Talos, on Twitter.
Interesting, @FireEye published some details on the infrastructure used by the attacker for the DNS redirection mentioned in our #DNSpionage post: https://t.co/AomVXwnvOF (our post for the context: https://t.co/EzOcfXyznK)
— Paul Rascagnères (@r00tbsd) January 10, 2019
Back in November, Talos researchers had detailed the campaign, which they found was targeting Lebanon and the United Arab Emirates, as well as a private Lebanese airline company.
During that campaign the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let’s Encrypt certificates for the redirected domains.
That campaign in particular used two fake, malicious websites containing job postings that were utilized to compromise targets via malicious Microsoft Office documents with embedded macros.
Shepherd told Threatpost that “based on the attacker indicators provided in the November blog, we could confirm overlap with the limited campaign reported therein, but we would not be able to comment on the victim details revealed by Talos.”
In terms of prevention, researchers urged potential victims to implement multi-factor authentication on their domain’s administration portals, validate changes for DNS A and NS records, and search for and revoke any malicious certificates related to their domain.
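The last two recommendations above can be turned into a routine check. The following is an added example, not code from FireEye, Talos or this article: it compares observed A and NS records with an owner-maintained inventory and flags certificates the owner never requested. All names, addresses, serials and timestamps are constructed, and it assumes observations come from scheduled resolver queries and a Certificate Transparency log search.

```python
from datetime import datetime, timedelta

# Constructed inventory: records and certificates the domain owner expects.
BASELINE = {"mail.example.org": {
    "A": {"192.0.2.10"}, "NS": {"ns1.example.org", "ns2.example.org"},
    "cert_serials": {"0a1b2c"}}}
# Constructed resolver observations (in practice: scheduled DNS queries).
OBSERVED = [
    ("MAIL.example.org.", "A", "198.51.100.77", "2019-01-08T02:14:00"),
    ("mail.example.org", "NS", "NS1.example.org.", "2019-01-08T02:14:00"),
    ("mail.example.org", "NS", "ns2.example.org", "2019-01-08T02:14:00"),
]
# Constructed Certificate Transparency search results for the same name.
CT_ENTRIES = [
    {"name": "mail.example.org", "serial": "0A1B2C", "not_before": "2018-11-01T00:00:00"},
    {"name": "mail.example.org", "serial": "ffee01", "not_before": "2019-01-07T23:50:00"},
]

def norm(name):  # DNS names are case-insensitive and may end in a dot
    return name.rstrip(".").lower()

def record_drift(baseline, observed):
    """Map (name, type) -> added/missing values and time of the observation."""
    seen, when = {}, {}
    for name, rtype, value, ts in observed:
        key = (norm(name), rtype)
        seen.setdefault(key, set()).add(norm(value))
        when[key] = datetime.fromisoformat(ts)
    drift = {}
    for key, values in seen.items():
        expected = baseline.get(key[0], {}).get(key[1], set())
        if values != expected:
            drift[key] = {"added": values - expected,
                          "missing": expected - values, "seen": when[key]}
    return drift

def audit(baseline, observed, ct_entries, window=timedelta(days=2)):
    """Flag record changes and unrequested certificates (high if near a change)."""
    drift = record_drift(baseline, observed)
    findings = [("record-change", n, t, sorted(d["added"]), sorted(d["missing"]))
                for (n, t), d in drift.items()]
    for cert in ct_entries:
        name, serial = norm(cert["name"]), cert["serial"].lower()
        if serial in baseline.get(name, {}).get("cert_serials", set()):
            continue
        issued = datetime.fromisoformat(cert["not_before"])
        near = any(n == name and abs(d["seen"] - issued) <= window
                   for (n, _), d in drift.items())
        findings.append(("unrecognized-cert", name, serial, "high" if near else "review"))
    return findings
```

A certificate that is absent from the inventory and was issued within the window of an A or NS change is rated "high", since that pairing is the pattern the article describes. The same certificate with no accompanying record change is left for manual review.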