Iran linked to new DNS manipulation attack

News by Rene Millman

Security researchers discover DNS hijacking attacks are targeting telecoms firms and governments and are being linked back to attackers in Iran.

Hackers have targeted DNS servers, hijacking them to redirect traffic in a bid to access credentials to be used in future attacks.

According to a blog post by researchers at FireEye, a suspected group of hackers backed by Iran has targeted government, telecommunications and internet infrastructure organisations across the Middle East and North Africa, Europe and North America. 

Researches said they believed an Iranian-based group is behind the attacks and the victims include governments whose confidential information would have relatively little financial value but would be of interest to the Iranian government.

They added that the attacks have been carried out in waves between January 2017 to January 2019 and have had "a high degree of success".

"While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran," said FireEye researchers Muks Hirani, Sarah Jones and Ben Read.

Instead of using spear-phishing attacks to gain credentials, the hackers modified DNS records of victim organisations to redirect traffic to their own infrastructure.

The attacks used three different methods to carry out the DNS hijacking attacks. The first involved the attacker logging into the DNS provider’s administration panel, using previously compromised credentials. The DNS A record is changed to intercept traffic.

The second form of attack uses a similar method to log into the admin panel, but this time the victim’s domain registrar account is accessed, and DNS NS records changed.

The third method sees hackers using a DNS redirector. This is an attacker operations box which responds to DNS requests. This box redirects victim traffic to attacker-maintained infrastructure.

In all cases, hackers use a Let’s Encrypt Certificate to fool users into thinking the connection is trustworthy.

Researchers said it was difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors are using multiple techniques to gain an initial foothold into each of the targets.

"While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account," said researchers.

Researchers said that this type of attack is difficult to defend against, "because valuable information can be stolen, even if an attacker is never able to get direct access to your organisation’s network".

The firm recommended that organisations implement multi-factor authentication on domain’s administration portals, validate changes for DNS A and NS records and search for and revoke any malicious certificates related to their domain.

Marco Hogewoning, senior external relations officer at the RIPE NCC, told SC Media UK that the attack appears to combine many common vulnerabilities and the point of entry is quite simply poor password security.

"Using standard password security measures such as not repeating passwords will go a long way. The next point they exploit is people not actively monitoring their networks – using tools like RIPE Atlas could help monitor and raise red flags when things change unexpectedly. And finally, a lot of DNS attacks also rely on rerouting traffic. This is where routing security measures like Resource Public Key Infrastructure (RPKI) could go a long way in staving off such attacks," he said.

Chris Doman, security researcher at AlienVault, told SC that this is continuing activity that was earlier reported on by Cisco in November.

"The main intention behind these attacks seems to be able to bypass the encryption on traffic to certain websites, by issuing attacker-controlled security certificates," he said.

"It's interesting that attackers in Iran are pointed to as a possible source of these attacks. Attackers in Iran were linked to somewhat similar attacks back in 2011 that involved compromising a certificate authority to issue their own certificates," he said. "US-CERT have provided some advice on how to respond to these attacks, with the primary recommendation being to ensure you have two-factor authentication enabled on your domain name setting panels."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike