Widespread DNS hijacking attacks steal target's VPN credentials

Cisco’s Talos Intelligence researchers have raised the alarm over a new wave of attacks aimed at manipulating domain name service (DNS) systems to mess with the Internet’s address book and steal a target’s VPN credentials to gain entry to their network. 

The newly disclosed campaign, dubbed Sea Turtle, has affected 40 organizations in 13 countries, including national security organizations, mostly in the Middle East and North Africa, as well as ISPs, telcos, and DNS registrars. 

The attacks follow a warning from the US Department of Homeland Security (DHS) in January that DNS hijacking could be used to redirect a site’s traffic and steal valid digital certificates for a target’s domain names, allowing the attacker to decrypt SSL-protected traffic. 

Talos researchers in November detailed the work of a sophisticated hacking group called DNSpionage, which was followed up by a January report by FireEye detailing mass DNS record manipulation for a state-level spying campaign. DHS, in its first emergency directive, in February warned government agencies to protect logins for their domain records. 

Then later in February, Swedish Internet infrastructure provider Netnod revealed it was used by the attackers to stage a MITM (man-in-the-middle) attack that was aimed at stealing logins for Internet services from organizations outside of Sweden.   

While DNSpionage and Sea Turtle both use DNS hijacking and have overlapping timelines, Talos is almost certain that the two campaigns are being carried out by different actors, both of which are likely state-sponsored. 

“We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems,” Talos researchers warned today of the Sea Turtle campaign. 

The main targets of Sea Turtle were national security organizations, ministries of foreign affairs, and prominent energy organizations. However, the attackers first targeted firms that provide Internet infrastructure services prior to DNS hijacks on the primary targets. 

Talos researchers assess with “high confidence” that the Sea Turtle campaign is distinct from DNSpionage and that the new campaign “poses a more serious threat” since they’re targeting DNS registrars and registries, in turn undermining trust in core Internet services. 

The Sea Turtle campaign has also been running for at least two years. DNSpionage was reportedly run by Iran-based hackers. Talos has not attributed Sea Turtle to a particular nation.

Talos has detailed key traits of the Sea Turtle campaign that distinguish it from DNSpionage. Sea Turtle attackers perform DNS hijacking by using name servers they control, and they’ve been more aggressively targeting DNS registries and registrars, including those that manage ccTLDs (country code top-level domains). 

The Sea Turtle attackers use certificates from Let's Encrypts, Comodo, Sectigo, and self-signed certificates in their MITM servers to gain a first batch of credentials. Once inside a network, the actors steal a primary target’s legitimate SSL certificate and use it on actor-controlled servers.

The campaign is thought to be having success because the DNS domain space system was not baked in from the outset, which has resulted in many ccTLDs not implementing registrar locks, which would have prevented the attackers from redirecting traffic from a targeted domain. 

The other notable trait is that the attackers used “certificate impersonation” to do their dirty work, allowing them to steal a target’s SSL certificates that were for security appliances, such as Cisco’s ASA devices, to obtain valid VPN credentials. 

“This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network,” Talos researchers note. 

The emergence of DNS hijacking attacks prompted a warning from Internet Corporation for Assigned Names and Numbers (ICANN) in February for “full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names”. The measure would have gone some way to mitigation DNS hijacking attacks.