CyberWire Daily - Sea Turtle state-sponsored DNS hijacking. [Research Saturday]
Episode Date: May 4, 2019. Researchers at Cisco Talos have been tracking what they believe is a state-sponsored attack on DNS systems, targeting the Middle East and North Africa. This attack has the potential to erode trust and stability of the DNS system, so critical to the global economy. Craig Williams is director of Talos Outreach at Cisco, and he joins us to share their findings. The original research can be found here: https://blog.talosintelligence.com/2019/04/seaturtle.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So we've been watching, you know, DNS redirection campaigns since November of last year.
You know, we were the first company to post about DNS espionage and really notice these campaigns.
That's Craig Williams. He's the director of outreach at Cisco Talos. The research we're discussing today is Sea Turtle.
DNS hijacking abuses trust in core internet service. You know, the way I tried
to explain it to my wife was basically like, you know, imagine, you know, when you first see a car,
of course, every car looks alike, right? But the more you learn about them and the more you learn
about the models and the different kinds, well, all of a sudden, you're not just looking at cars,
you're looking at minivans, you're looking at sports cars, you're looking at convertibles,
and you notice things like different colors in the paint and different types of mirrors and different types of wheels.
And so really that's what our intelligence allowed us to start to distill down. And when it came down
to it, we were able to definitively identify at least two different groups operating in a similar
manner. And, you know, I want to be really clear here because I've seen a lot of, I don't want to say bad reporting, but, like, people who don't have enough detail to say the things that they're saying, and they want to combine these groups together. Now, the reason they want to do that is because some of our competitors basically grouped the IOCs together, which was completely understandable, right? Without the insight that we provided and the write-up, these groups could look similar to you.
So we're not even saying they're wrong.
We're just saying that when you look deeper, you do see definitive differences.
So I think it's important that people actually read the post and don't just throw out, it's one group and we like it being one group.
It's nice when things fit in buckets in life.
And I understand that everyone would like to have one bucket with all the bad things in it, but the reality is that's not how cybercrime works, right?
Attackers watch each other, they copy each other's methodologies, and they improve upon it.
And what we see with Sea Turtle is really a distinct set of TTPs that's more advanced and much harder to detect than what we saw with the DNSpionage campaign.
So let's start off from the very top. I mean, in your research here, you start off describing this as a state-sponsored attack manipulating DNS systems. What leads you to believe it's state-sponsored?
Well, there's a couple of things. I think the primary one is the sophistication, right? The
way that this attack was designed was basically almost
undetectable to the target. You know, the second one I think is really who did they target, right?
With DNSpionage, we saw civilian, business, government targets all bundled together, right? A
real grab bag style approach. With Sea Turtle, on the other hand, we see very, very different set of targets.
These targets are pretty much exclusively national security, government, and military.
So when you look at it from that perspective, it really comes off as a pure espionage play
as opposed to one that maybe was targeting intellectual property and whatever else they could find.
So before we dig into some of the details of
Sea Turtle, can you give us a quick overview? What exactly are we talking about with DNS hijacking?
Sure. So in the post, we have a nice simple 11 stage graphic you can follow along with.
So, you know, this was a long campaign. So I don't want to pretend that there was like a,
this happened, this happened, this happened, this happened. It was more of a phases of the attack, which is why we attempted
to break that down in our graphic. So, you know, the stage one of the attack is basically the
attacker gaining access to an entity. And that could be a registrar that could be a hosting
provider, but a company that could allow them access to a way to update where the DNS registry
pointed. And so they would compromise that facility. They would obtain credentials. They
would use that to exfiltrate data, basically more credentials, and then update the DNS record.
And once they had the DNS record updated through the update command, basically, they would redirect the domain to their name server.
So again, another distinct difference from DNSpionage.
DNSpionage would compromise name servers.
Sea Turtle used their own name servers.
And so think about how this looks, right?
So basically, you find a way to compromise the registry and basically access it and send the update command.
You point it at the attacker's server.
The attacker's name server then provides the lookup and points at their man-in-the-middle server.
At no point in time would the actual target see any of this.
So this is basically attacking in a roundabout way that's literally going to bypass the target
and yet still provide you all that nice man-in-the-middle information you want.
Now, when you say target, is the target the original owner of the site that's being redirected,
or is it the users of that site?
I would say both.
So let's say I'm a foreign government, right?
And let's say I would really like to spy on countries nearby, right?
Okay.
Let's say I want to get into their national security organizations, and I want to be able
to access their confidential information so that if there's anything I need to be aware
of, I can access that just pretty much whenever I want.
So I would go to whatever the country code is.
I would look up their national security agency domain.
Then I would figure out, oh, that's registered over at this provider that I happen to be able to access.
Well, let me send the update command and let me point that domain to me. And then when the NS
lookup comes in, it goes to my server. My server then says, oh, my other server over here that
happens to look just like that national security organization's website is right here. Feel free
to log in.
And they'll do this for a few minutes or a day, collect credentials. And in some cases, we even saw them using those collected credentials to go back to the target server,
access it, and then take out credentials in order to steal things like SSL certs and other
encryption keys so that if they wanted to impersonate, say, the VPN, it would look legitimate.
Yeah. Let's dig into that a little bit. I mean, because I guess, is there a false sense of
security with some of these certificates? Well, so I think the problem here is that,
you know, people have an implicit trust of DNS, right? Now, when we looked at DNSpionage,
they were only using self-signed certificates.
And so, if you looked at your browser window, the little lock wouldn't look right,
and you should be like, hmm, do I really want to enter my password? Now, the reality is nobody
checks that. Maybe there's 11 of us. But it's not common. And so, I think what we saw with
Sea Turtle was a sophistication to not only try to
bypass that, but to also make sure that they could access any traffic that should have been encrypted.
Right. And so, you know, it's it's the next level of sophistication. And again, they didn't do this
all the time, but we did see it. And I think it's an example of how sophisticated this can be.
You know, and if you look at the number of areas attacked, right? I mean, it was a very specific group. And, you know, even recently there was a post over the weekend about the Greece ccTLD being targeted. So this hasn't stopped, and this is one of the things that I think is the most fascinating about this. I would say, like, what, 95-plus percent of nation-state attacks, well, the second any of those IOCs become public, they tend to stop, right? And we can look back at things like VPNFilter, you know, things like NotPetya. Once it became public, or once the thing happened, they stopped, right? We know for a fact that when our DNSpionage write-up went out, some of our competitors grouped some of these IOCs together and effectively showed off pieces of the Sea Turtle campaign without knowing what they'd actually found. Now, think about that from an APT perspective, right? I, as a country attacking other nation-states, just had, you know, my campaign revealed, and it was misattributed to another country. It's basically like giving them a get-out-of-jail-free card, right? That's a good day for me.
Yeah, that's a great day, right?
And I just go change my TTPs, I come back in a week, and I can continue on. Meanwhile, everything I've done up until this point, I just got a pass on. Now, the weird part here is they didn't stop and they didn't change. So there's a brazenness to this.
Absolutely.
And it's something that we don't see every day.
So it's concerning when you look at it from that perspective, because it really leaves
you with the thought of what would it take to dissuade this actor?
Because we can't allow people to attack things like DNS, right?
We can't allow countries to wipe other countries off the internet.
Yeah, I mean, to that point, just this morning as we record this, there was a story from CyberScoop that Admiral Robert Strayer, he's a deputy assistant secretary of state, he said that one of the norms is disrupting physical infrastructure providing services to the public.
And I think that fully encapsulates the internet's DNS function.
Absolutely. And that kind of thing should be off limits.
Right. We don't we don't condone people carpet bombing cities.
You know, that's clearly off limits.
And I think we need to reach a point where we all agree that there are things because because the internet is such a driver of the global economy, that should be off limits. You shouldn't be able to tamper with an
entire country's DNS, right? If nation states want to spy on each other, we all know that's
going to happen. But let's agree that if you're going to spy on each other, do so in a way that
it doesn't damage the fundamental trust in DNS, which could affect global economies.
Let me ask you about that, because if I'm running
a man in the middle here, let me play devil's advocate. If I'm running the man in the middle
here and the folks who are going to use this service are able to still log onto this website
and do the things that they want to do in the ways that they do them, How is this monkeying with DNS really breaking anything?
Do you follow my line of thinking there?
Well, absolutely.
Well, let's think about how most users use passwords.
Yeah.
How many passwords do you think your mom has?
Yeah.
You can see my point.
Yeah, I think you can hear the answer in my exasperated sigh.
Yeah.
You know, and so I got a lot of critical feedback on this one, more so than usual, because people have very strong emotions around DNS.
Yeah.
And so one of the things we suggested was like, if your registrar allows it, you know, turn on a registry lock.
It is the same advice we gave back when Kaminsky was talking about the DNS cache poisoning.
And I had somebody, you know, I don't know, maybe frustrated or angrily, tell people that that's just a Band-Aid.
And my response is like, so what?
Like if I'm bleeding out of my arm, wouldn't I rather put a Band-Aid on it than just let dirt and gunk get in there and get all infected?
You know, we're not saying that there's a perfect solution here.
We're saying there's a series of things that you can do. Let's call it first aid that will help,
right? It may not solve the solution, right? If somebody decides to chop your arm off, yeah,
you're a band-aid is not really going to help, but if they're just collecting, you know, tiny cuts,
yeah, maybe it'll help. So, you know, I think there's a couple of things to do, right? The first one is just simply patch.
You know, we listed a list of CVEs that we know this actor was using to compromise systems
in order to update records.
Patching those is easy, right?
Now, the second thing, let's assume this is a sophisticated actor, right?
They're going to find a way in.
They're just going to, from what we've seen.
They're very tenacious.
So, okay, let's assume they can get in.
Well, what can you do?
Well, I think the first thing is have two-factor authentication turned on.
I mean, in this day and age, you need two-factor authentication to log into Twitter and Facebook from different computers.
That's great.
Everybody knows how to use it now.
My mom can use two-factor.
So, if you haven't turned on two-factor, particularly if you're a TLD that doesn't support registry locks or things
like that, or maybe you have a really, really simple and easy to bypass one where you just
click a button, you know, or you can allow somebody to just turn it off from logging in.
Yeah, turn on two-factor. There's no reason not to anymore. It's pretty cheap. You know,
you can probably do it for free with Google Authenticator or, you know, let me plug the... shell out lots of money for Duo because it's the best and it's super cool.
Okay, Craig.
But, you know, there's things like that that are not hard to do, and it's relatively easy. You know, I'm saying this with two of the CVEs being Cisco CVEs, but, you know, I know updating a switch sucks. It's not fun, right? But do so, please.
Well, but let me continue down this path of being devil's advocate, though, because I think
using the analogy of, you know, carpet bombing neighborhoods or like I think of like shutting
down a hospital, you know, we generally agree that hospitals are off limits. But it seems to
me that in this case,
the monkeying that they're doing with DNS in this case isn't taking sites offline.
They're using it as a means to get the information they want
rather than being an agent of destruction or chaos.
Correct.
Right now, they are being downright surgical.
Now, what do we know about attacks on the internet?
I would argue every single time someone finds a clever way to string together attacks to accomplish a goal, every bad guy, you know, it's that turn-your-head-and-whistle meme or whatever, every bad guy sees that and is like, man, I'd really, really love to do that to blah, blah, blah. And so our concern here is that right now this actor is being surgical. What happens when they decide not to be? What happens when they decide to say, you know, take Syria off the internet, right? Or what happens when somebody tries to copycat this, only they're not as sophisticated and they accidentally end up erasing a bunch of stuff at a registry or just knocking over servers or, you know, who knows, right?
There's a lot of ways this could go wrong accidentally. There's a lot of ways this could
be abused to take entire ccTLDs and things like that offline. There's a lot of ways, you know,
imagine if you just went in and updated random records to random websites just to cause chaos.
Right. I mean, there's a lot of really bad stuff this actor could have done if
they wanted to be destructive and they didn't. So we know right now that this actor is basically
executing on a mission and that mission appears to be very specific right now. Now the concern is
what happens if that mission statement changes and what happens when somebody else copies this
methodology to accomplish different missions. And the other interesting thing to notice is
if you look at the things that were hijacked, like with the, you know, Swedish consulting firm, they hijacked the mail subdomain, right? And so obviously you're thinking, why would they do that? Oh, right, because it would pass the passwords most likely in the clear. The same reason they target the VPN endpoints.
This actor is targeting credentials because that will give them access
to the actual National Security Service servers.
And then presumably they go back to that whole espionage thing.
So right now it's surgical.
It doesn't have to stay that way.
So in terms of coming at this, I mean, it strikes me that obviously you have preventing them from being able to do this, and this is what we've just talked about, using multi-factor, using, you know, locking down your DNS records. The other half of that is political, of establishing social norms. I mean, do we have treaties for cyberspace where we say these are the things we will not do?
I think we've got to start considering that. You know, I think we're clearly seeing nation-state attacks escalate against other nation-states. We've clearly seen a trend of certain actors who don't play well on the internet not care if they cause, say, the Olympics to go down or entire countries to be wiped off the internet. That can't be acceptable, right?
We've got to find a way to send a message without destroying innocent bystanders.
Obviously, this is a sophisticated group, but like you said, the methods here would be accessible to, you know, the script kiddie in their basement who could inadvertently cause a lot of damage. And I suppose that's part of the issue here is that there's a capability to be disproportional in the amount of damage you can cause relative to your, I guess, skill level.
Absolutely. You know, and unfortunately, yesterday when we released the Karkoff malware update for DNSpionage,
we did tie it back to the APT34 dump with some tools that would allow someone to do simplistic
hijacking. Again, we don't believe that that's linked to Sea Turtle, but we've already seen
tools that are similar to what was used in the sea turtle campaign leaked publicly as of last week.
So I think this type of abuse is only going to continue.
I think, you know, as people in the security industry, we've got to sit back and realize DNS is not as secure as we'd like. And then with that in mind, let's start figuring out what band-aids we have available and where we can put them, and then figure out what are the other risks and start taking
steps to mitigate those. Does this prompt a fundamental relooking at how DNS works and
how we can better secure it? Or is it too late to graft on new security measures?
You know, grafting on security after the fact is always super successful.
Well, I know.
You know, I think it's always good to sit back and take another look, right?
We learn new things and we see new clever ways to manipulate things all the time.
And so I think, you know, yeah, let's sit back and look at DNS, you know, think about
can we improve anything here?
Can we bolt on security, right?
And if we can and we can improve something, that would be great.
I think we've got to, though, at the same time, realize that maybe we can't bolt on more security.
So what can we do around this to help secure it?
What other options do we have available?
I think you've really got to look at it from all angles because a lot of the time when you see people abuse these type of things, you don't notice all the potential
avenues for abuse. And I think really the only thing that really reveals those is time. I mean,
if we look back at, you know, I hate to pick on Microsoft, but if we look back on MSRPC and SMBV1,
I mean, for a period of years, we would see a new way to abuse it or evade it just about every six
months, right? I remember being able to take
a Metasploit attack that would be like a 2k PCAP and you could literally fragment it until the
connection would almost time out. I mean, you could end up with hundreds of megs of a single attack.
So, I mean, in terms of the big picture, in terms of the take-homes and actions people should be taking to protect themselves, what are your recommendations?
Well, I think the first thing is to figure out, you know,
are you potentially the target of a nation state actor that wants to have,
continue their espionage activities in Northern Africa or the Middle East?
If you are, you should immediately turn on two-factor authentication and do a site-wide password reset.
I think the second thing everyone needs to do is make sure that their infrastructure is patched.
Go talk to their providers. Go talk to the people who they buy their domains from and make sure that those systems are patched.
Make sure that if you can turn on things like a registry lock and ensure out-of-band communications, you do so.
Go make sure that you're using two factor on those sites, that you're using unique passwords everywhere you can.
And realize that, hey, my domain might get hijacked. Can I detect
that? Do I have the tools in place to detect that? Do I have a system to tell me if someone starts
generating self-signed certificates and is using it around the internet, you know, representing me?
And so look for things like that. Think out of the box. And I think really it's going to come down to,
you know, are you potentially the target of a nation state attack? You know, nation state attacks don't typically target Steve's website, right? Or
home hobbyists. These are going to be large corporations or government or military entities.
I think people need to realize that this actor is not stopping. This is going on today. I think
this will continue to go on. I think while people would love to group
it into one thing, we're going to continue to see other attackers adopt these methodologies
because they're so effective. So I would urge people to keep an open mind and not jump at
attribution. It's easy to plant false flags, you know, and I think attribution really is something
that needs to be done carefully. Our thanks to Craig Williams from Cisco Talos for joining us.
The research is titled Sea Turtle.
DNS hijacking abuses trust in core Internet service.
We'll have a link in the show notes.
Thanks for listening.