Attacks/Breaches

11/27/2018
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Hacker Group Behind 'DNSpionage' Attacks in Middle East

Motives are not fully clear, though data exfiltration is one possibility, Cisco Talos says.

A previously unknown hacker group is targeting organizations in the United Arab Emirates and Lebanon in a campaign involving the use of fake job websites to drop malware on victim systems.

The campaign appears to be targeted at specific organizations in the two countries but the motives behind it remain somewhat unclear, Cisco's Talos threat intelligence group said in a report Monday. The attackers also have been attempting to redirect the DNS traffic of legitimate .gov and private company domains in the UAE and Lebanon. One of those targeted was Middle East Airlines, a private Lebanese airline company.

Paul Rascagneres, security researcher at Talos, says it's unclear how the attackers might have compromised nameservers belonging to the targeted entities for DNS redirection.  

Talos is also not sure if the DNS redirection attempts were in fact successful. As with the malware campaign, the motives behind the redirection efforts are not completely obvious though data exfiltration is likely one reason for both campaigns. Talos named the malware in the campaign as DNSpionage. 

"It's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks," the Talos report noted.

The new campaign is the second in recent months targeting Middle East organizations and is a sign of the recently heightened interest in the region among cyberattackers. In September, Check Point reported on new surveillance attacks on law enforcement and other organizations in Palestine and other Middle East regions by a group known as Big Bang.

A Siemens report from earlier this year described organizations in the oil and gas sectors in the Middle East particularly as being the most aggressively targeted in the world. Half of all cyberattacks in the region are targeted at companies in these two sectors. According to Siemens, a startling 75% or organizations in these sectors have been involved in at least one recent cyberattack that either disrupted their OT network or led to confidential data loss.

With the latest campaign, the infrastructure and the tactics, techniques and procedures that the threat actor is using are not something that Talos has been able to connect with any previously known group.

DNSpionage malware is being distributed via Microsoft Office documents hosted on two malicious websites designed to look like the jobs listing pages of two legitimate companies—Wipro and Suncor Energy. The hosted document is a copy of a legitimate file on Suncor's site

The malicious documents contain macros which when run drop DNSpionage on the target system. The malware is a Remote Access Trojan that supports HTTP and DNS communication with the attackers, and gets executed when the Microsoft Office document is closed. It appears designed to extract data from the compromised system and send it to the command and control system.

Rascagneres says the attackers appear to be using spear-phishing emails or social media contact to distribute links to the two malicious sites from where DNSpionage is being distributed.

Traffic Redirection Attacks

One of the IPs linked to the DNSpionage campaign was also used in DNS redirection attacks targeting multiple public sector organizations in the UAE and Lebanon between September and November. Hostnames under the control of these organizations were briefly redirected to the rogue IP for reasons that are not fully clear.

In each case, before the redirection occurred, the attackers created a certificate matching the targeted organization's domain name using certificates from Let's Encrypt, a provider of free X.509 certificates for TLS.

"The actor most likely used LE certificates as they are free," Rascagneres says. The certificates do not cause self-signed errors like other certificates do and are trusted by browsers. There are multiple reasons why the threat actor might be using the certificates. One example: to enable man-in-the-middle attacks, Rascagneres says.

The redirection attempts are noteworthy because the attackers appear to have been able to intercept all traffic - including email and VPN traffic - headed toward the compromised sites. This means if the redirection was successful, the attackers would have had a way to access additional information like email and VPN credentials, Talos said in its report.

Talos says it does not know how successful the DNS redirection attacks were. But the attacks have not stopped trying. So far this year, they have launched five DNS redirection attacks, the most recent of which was just two weeks ago, Talos said.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15031
PUBLISHED: 2018-12-18
In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information.
CVE-2018-19522
PUBLISHED: 2018-12-18
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input.
CVE-2018-1833
PUBLISHED: 2018-12-18
IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507.
CVE-2018-4015
PUBLISHED: 2018-12-18
An exploitable vulnerability exists in the HTTP client functionality of the Webroot BrightCloud SDK. The configuration of the HTTP client does not enforce a secure connection by default, resulting in a failure to validate TLS certificates. An attacker could impersonate a remote BrightCloud server to...
CVE-2018-20201
PUBLISHED: 2018-12-18
There is a stack-based buffer over-read in the jsfNameFromString function of jsflash.c in Espruino 2V00, leading to a denial of service or possibly unspecified other impact via a crafted js file.