Attacks/Breaches

11/27/2018
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Hacker Group Behind 'DNSpionage' Attacks in Middle East

Motives are not fully clear, though data exfiltration is one possibility, Cisco Talos says.

A previously unknown hacker group is targeting organizations in the United Arab Emirates and Lebanon in a campaign involving the use of fake job websites to drop malware on victim systems.

The campaign appears to be targeted at specific organizations in the two countries but the motives behind it remain somewhat unclear, Cisco's Talos threat intelligence group said in a report Monday. The attackers also have been attempting to redirect the DNS traffic of legitimate .gov and private company domains in the UAE and Lebanon. One of those targeted was Middle East Airlines, a private Lebanese airline company.

Paul Rascagneres, security researcher at Talos, says it's unclear how the attackers might have compromised nameservers belonging to the targeted entities for DNS redirection.  

Talos is also not sure if the DNS redirection attempts were in fact successful. As with the malware campaign, the motives behind the redirection efforts are not completely obvious though data exfiltration is likely one reason for both campaigns. Talos named the malware in the campaign as DNSpionage. 

"It's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks," the Talos report noted.

The new campaign is the second in recent months targeting Middle East organizations and is a sign of the recently heightened interest in the region among cyberattackers. In September, Check Point reported on new surveillance attacks on law enforcement and other organizations in Palestine and other Middle East regions by a group known as Big Bang.

A Siemens report from earlier this year described organizations in the oil and gas sectors in the Middle East particularly as being the most aggressively targeted in the world. Half of all cyberattacks in the region are targeted at companies in these two sectors. According to Siemens, a startling 75% or organizations in these sectors have been involved in at least one recent cyberattack that either disrupted their OT network or led to confidential data loss.

With the latest campaign, the infrastructure and the tactics, techniques and procedures that the threat actor is using are not something that Talos has been able to connect with any previously known group.

DNSpionage malware is being distributed via Microsoft Office documents hosted on two malicious websites designed to look like the jobs listing pages of two legitimate companies—Wipro and Suncor Energy. The hosted document is a copy of a legitimate file on Suncor's site

The malicious documents contain macros which when run drop DNSpionage on the target system. The malware is a Remote Access Trojan that supports HTTP and DNS communication with the attackers, and gets executed when the Microsoft Office document is closed. It appears designed to extract data from the compromised system and send it to the command and control system.

Rascagneres says the attackers appear to be using spear-phishing emails or social media contact to distribute links to the two malicious sites from where DNSpionage is being distributed.

Traffic Redirection Attacks

One of the IPs linked to the DNSpionage campaign was also used in DNS redirection attacks targeting multiple public sector organizations in the UAE and Lebanon between September and November. Hostnames under the control of these organizations were briefly redirected to the rogue IP for reasons that are not fully clear.

In each case, before the redirection occurred, the attackers created a certificate matching the targeted organization's domain name using certificates from Let's Encrypt, a provider of free X.509 certificates for TLS.

"The actor most likely used LE certificates as they are free," Rascagneres says. The certificates do not cause self-signed errors like other certificates do and are trusted by browsers. There are multiple reasons why the threat actor might be using the certificates. One example: to enable man-in-the-middle attacks, Rascagneres says.

The redirection attempts are noteworthy because the attackers appear to have been able to intercept all traffic - including email and VPN traffic - headed toward the compromised sites. This means if the redirection was successful, the attackers would have had a way to access additional information like email and VPN credentials, Talos said in its report.

Talos says it does not know how successful the DNS redirection attacks were. But the attacks have not stopped trying. So far this year, they have launched five DNS redirection attacks, the most recent of which was just two weeks ago, Talos said.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20029
PUBLISHED: 2018-12-10
The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a denial of service (BSOD) because uninitialized memory can be read.
CVE-2018-1279
PUBLISHED: 2018-12-10
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on ...
CVE-2018-15800
PUBLISHED: 2018-12-10
Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the the Bits Service storage.
CVE-2018-15805
PUBLISHED: 2018-12-10
Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption).
CVE-2018-16635
PUBLISHED: 2018-12-10
Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php.