Attacks/Breaches

11/27/2018
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Hacker Group Behind 'DNSpionage' Attacks in Middle East

Motives are not fully clear, though data exfiltration is one possibility, Cisco Talos says.

A previously unknown hacker group is targeting organizations in the United Arab Emirates and Lebanon in a campaign involving the use of fake job websites to drop malware on victim systems.

The campaign appears to be targeted at specific organizations in the two countries but the motives behind it remain somewhat unclear, Cisco's Talos threat intelligence group said in a report Monday. The attackers also have been attempting to redirect the DNS traffic of legitimate .gov and private company domains in the UAE and Lebanon. One of those targeted was Middle East Airlines, a private Lebanese airline company.

Paul Rascagneres, security researcher at Talos, says it's unclear how the attackers might have compromised nameservers belonging to the targeted entities for DNS redirection.  

Talos is also not sure if the DNS redirection attempts were in fact successful. As with the malware campaign, the motives behind the redirection efforts are not completely obvious though data exfiltration is likely one reason for both campaigns. Talos named the malware in the campaign as DNSpionage. 

"It's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks," the Talos report noted.

The new campaign is the second in recent months targeting Middle East organizations and is a sign of the recently heightened interest in the region among cyberattackers. In September, Check Point reported on new surveillance attacks on law enforcement and other organizations in Palestine and other Middle East regions by a group known as Big Bang.

A Siemens report from earlier this year described organizations in the oil and gas sectors in the Middle East particularly as being the most aggressively targeted in the world. Half of all cyberattacks in the region are targeted at companies in these two sectors. According to Siemens, a startling 75% or organizations in these sectors have been involved in at least one recent cyberattack that either disrupted their OT network or led to confidential data loss.

With the latest campaign, the infrastructure and the tactics, techniques and procedures that the threat actor is using are not something that Talos has been able to connect with any previously known group.

DNSpionage malware is being distributed via Microsoft Office documents hosted on two malicious websites designed to look like the jobs listing pages of two legitimate companies—Wipro and Suncor Energy. The hosted document is a copy of a legitimate file on Suncor's site

The malicious documents contain macros which when run drop DNSpionage on the target system. The malware is a Remote Access Trojan that supports HTTP and DNS communication with the attackers, and gets executed when the Microsoft Office document is closed. It appears designed to extract data from the compromised system and send it to the command and control system.

Rascagneres says the attackers appear to be using spear-phishing emails or social media contact to distribute links to the two malicious sites from where DNSpionage is being distributed.

Traffic Redirection Attacks

One of the IPs linked to the DNSpionage campaign was also used in DNS redirection attacks targeting multiple public sector organizations in the UAE and Lebanon between September and November. Hostnames under the control of these organizations were briefly redirected to the rogue IP for reasons that are not fully clear.

In each case, before the redirection occurred, the attackers created a certificate matching the targeted organization's domain name using certificates from Let's Encrypt, a provider of free X.509 certificates for TLS.

"The actor most likely used LE certificates as they are free," Rascagneres says. The certificates do not cause self-signed errors like other certificates do and are trusted by browsers. There are multiple reasons why the threat actor might be using the certificates. One example: to enable man-in-the-middle attacks, Rascagneres says.

The redirection attempts are noteworthy because the attackers appear to have been able to intercept all traffic - including email and VPN traffic - headed toward the compromised sites. This means if the redirection was successful, the attackers would have had a way to access additional information like email and VPN credentials, Talos said in its report.

Talos says it does not know how successful the DNS redirection attacks were. But the attacks have not stopped trying. So far this year, they have launched five DNS redirection attacks, the most recent of which was just two weeks ago, Talos said.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Privacy Ops: The New Nexus for CISOs & DPOs
Amit Ashbel, Security Evangelist, Cognigo,  2/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8955
PUBLISHED: 2019-02-21
In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.
CVE-2019-1698
PUBLISHED: 2019-02-21
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External E...
CVE-2019-1700
PUBLISHED: 2019-02-21
A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) conditio...
CVE-2019-6340
PUBLISHED: 2019-02-21
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RE...
CVE-2019-8996
PUBLISHED: 2019-02-21
In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.