Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/27/2018
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Hacker Group Behind 'DNSpionage' Attacks in Middle East

Motives are not fully clear, though data exfiltration is one possibility, Cisco Talos says.

A previously unknown hacker group is targeting organizations in the United Arab Emirates and Lebanon in a campaign involving the use of fake job websites to drop malware on victim systems.

The campaign appears to be targeted at specific organizations in the two countries but the motives behind it remain somewhat unclear, Cisco's Talos threat intelligence group said in a report Monday. The attackers also have been attempting to redirect the DNS traffic of legitimate .gov and private company domains in the UAE and Lebanon. One of those targeted was Middle East Airlines, a private Lebanese airline company.

Paul Rascagneres, security researcher at Talos, says it's unclear how the attackers might have compromised nameservers belonging to the targeted entities for DNS redirection.  

Talos is also not sure if the DNS redirection attempts were in fact successful. As with the malware campaign, the motives behind the redirection efforts are not completely obvious though data exfiltration is likely one reason for both campaigns. Talos named the malware in the campaign as DNSpionage. 

"It's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks," the Talos report noted.

The new campaign is the second in recent months targeting Middle East organizations and is a sign of the recently heightened interest in the region among cyberattackers. In September, Check Point reported on new surveillance attacks on law enforcement and other organizations in Palestine and other Middle East regions by a group known as Big Bang.

A Siemens report from earlier this year described organizations in the oil and gas sectors in the Middle East particularly as being the most aggressively targeted in the world. Half of all cyberattacks in the region are targeted at companies in these two sectors. According to Siemens, a startling 75% or organizations in these sectors have been involved in at least one recent cyberattack that either disrupted their OT network or led to confidential data loss.

With the latest campaign, the infrastructure and the tactics, techniques and procedures that the threat actor is using are not something that Talos has been able to connect with any previously known group.

DNSpionage malware is being distributed via Microsoft Office documents hosted on two malicious websites designed to look like the jobs listing pages of two legitimate companies—Wipro and Suncor Energy. The hosted document is a copy of a legitimate file on Suncor's site

The malicious documents contain macros which when run drop DNSpionage on the target system. The malware is a Remote Access Trojan that supports HTTP and DNS communication with the attackers, and gets executed when the Microsoft Office document is closed. It appears designed to extract data from the compromised system and send it to the command and control system.

Rascagneres says the attackers appear to be using spear-phishing emails or social media contact to distribute links to the two malicious sites from where DNSpionage is being distributed.

Traffic Redirection Attacks

One of the IPs linked to the DNSpionage campaign was also used in DNS redirection attacks targeting multiple public sector organizations in the UAE and Lebanon between September and November. Hostnames under the control of these organizations were briefly redirected to the rogue IP for reasons that are not fully clear.

In each case, before the redirection occurred, the attackers created a certificate matching the targeted organization's domain name using certificates from Let's Encrypt, a provider of free X.509 certificates for TLS.

"The actor most likely used LE certificates as they are free," Rascagneres says. The certificates do not cause self-signed errors like other certificates do and are trusted by browsers. There are multiple reasons why the threat actor might be using the certificates. One example: to enable man-in-the-middle attacks, Rascagneres says.

The redirection attempts are noteworthy because the attackers appear to have been able to intercept all traffic - including email and VPN traffic - headed toward the compromised sites. This means if the redirection was successful, the attackers would have had a way to access additional information like email and VPN credentials, Talos said in its report.

Talos says it does not know how successful the DNS redirection attacks were. But the attacks have not stopped trying. So far this year, they have launched five DNS redirection attacks, the most recent of which was just two weeks ago, Talos said.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.