Sea Turtle: an attack on the very structure of the Internet

(by Francesco Rugolo)
12/08/19

Among the many cyber attacks discovered every day, reported (but rarely publicly admitted) and often carried out against large private or public organizations, one in particular has drawn attention for the methods used: the so-called "Sea Turtle" campaign, discovered by Talos Intelligence, the threat-intelligence team of the American multinational Cisco and one of the most prominent in its field.

Talos describes Sea Turtle as the first campaign it has documented in which the attackers went beyond hijacking individual domains and compromised the DNS registrars and registries themselves.

The primary targets were national security organizations, large energy companies and ministries of foreign affairs in North Africa and the Middle East; to reach them, the attackers first compromised secondary targets such as telcos, ISPs and the DNS providers that serve the primary victims.

According to the Talos report, at least 40 organizations in 13 countries were compromised between January 2017 and the first quarter of 2019, but the true extent of the damage is still to be established, since the campaign has not yet concluded.

What makes this campaign against DNS so alarming in the eyes of Cisco's experts?

To answer this question we must first define DNS.
DNS stands for Domain Name System, the system that resolves hostnames into IP addresses: it associates an IP (Internet Protocol) address with a name that is easy for a user to remember, such as www.example.com. Name resolution is the DNS function we rely on every day, and it is the one this campaign subverts: whoever controls a domain's records decides where its users' traffic goes.

The attack works by tampering with the target's DNS records so that users trying to reach a legitimate service (Talos observed mainly e-mail and VPN login pages) are instead sent to a server controlled by the attacker. That server acts as a man-in-the-middle: it impersonates the real service, captures the users' credentials and passes the traffic on, so victims notice nothing. Because control of DNS is enough to pass a certificate authority's domain-validation check, the attackers could even obtain a valid TLS certificate for the hijacked name, so browsers raised no warning. The stolen credentials were then used to reach further systems and information.

All of this was made possible by initial-access techniques that combined spear phishing with the exploitation of known vulnerabilities in various Internet-facing applications.

As Talos explains, there are three routes by which the attackers could reach the DNS records of the affected organizations:
1. Through the registrar (the company that sells domain names to organizations and manages their registration data, including which name servers are authoritative for them, in the registry, the authoritative database of all names under a top-level domain and who holds them), by stealing the account credentials of the registrant, that is, the affected organization itself;
2. Through the registrar again, but this time by compromising the registrar's own access to the registry. The Extensible Provisioning Protocol (EPP) is the protocol registrars use to create and modify records in the registry; with a registrar's EPP credentials the attacker can alter the records of any domain that registrar manages, not just one victim's;
3. By attacking the DNS registries directly. Registries are a vital part of the system, since every top-level domain depends on one, and a compromise there exposes every domain under that TLD.
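To make the second route concrete, here is an added example, written for this page and not code from Talos or from any registrar or registry, that builds the EPP `domain:update` message a registrar sends to re-delegate a domain and models how the registry answers depending on the domain's status flags. The domain example.com, the name servers (ns1.attacker.example is a placeholder), and the transaction IDs are constructed; `registry_decision` is a simplified model of RFC 5730/5731 behaviour, not a real registry.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# XML namespaces defined by RFC 5730 (EPP core) and RFC 5731 (domain mapping).
EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
NS = {"epp": EPP_NS, "domain": DOMAIN_NS}

# Status flags from RFC 5731. "client*" flags are set and cleared by the sponsoring
# registrar itself; "server*" flags can only be changed by the registry (a "registry lock").
CLIENT_UPDATE_LOCK = "clientUpdateProhibited"
SERVER_UPDATE_LOCK = "serverUpdateProhibited"


def build_ns_update(domain: str, add_ns: list[str], rem_ns: list[str], cltrid: str) -> str:
    """Build the <domain:update> command a registrar sends to the registry to
    re-delegate a domain: add new name servers, remove the old ones. This is the
    whole message an attacker holding a registrar's EPP credentials needs."""
    ET.register_namespace("", EPP_NS)
    ET.register_namespace("domain", DOMAIN_NS)
    epp = ET.Element(f"{{{EPP_NS}}}epp")
    command = ET.SubElement(epp, f"{{{EPP_NS}}}command")
    update = ET.SubElement(command, f"{{{EPP_NS}}}update")
    dom = ET.SubElement(update, f"{{{DOMAIN_NS}}}update")
    ET.SubElement(dom, f"{{{DOMAIN_NS}}}name").text = domain
    for tag, hosts in (("add", add_ns), ("rem", rem_ns)):
        if hosts:
            ns_el = ET.SubElement(ET.SubElement(dom, f"{{{DOMAIN_NS}}}{tag}"), f"{{{DOMAIN_NS}}}ns")
            for host in hosts:
                ET.SubElement(ns_el, f"{{{DOMAIN_NS}}}hostObj").text = host
    ET.SubElement(command, f"{{{EPP_NS}}}clTRID").text = cltrid
    return ET.tostring(epp, encoding="unicode")


def parse_ns_update(update_xml: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) name servers from a <domain:update> command."""
    root = ET.fromstring(update_xml)
    added = [h.text for h in root.iterfind(".//domain:update/domain:add/domain:ns/domain:hostObj", NS)]
    removed = [h.text for h in root.iterfind(".//domain:update/domain:rem/domain:ns/domain:hostObj", NS)]
    return added, removed


def domain_statuses(info_response_xml: str) -> set[str]:
    """Extract the status flags from a <domain:info> response."""
    root = ET.fromstring(info_response_xml)
    return {el.get("s") for el in root.iterfind(".//domain:infData/domain:status", NS)}


def is_registry_locked(statuses: set[str]) -> bool:
    """True when the registry itself forbids updates: the one flag a stolen registrar credential cannot clear."""
    return SERVER_UPDATE_LOCK in statuses


def registry_decision(statuses: set[str], command: str) -> tuple[int, str]:
    """Simplified model (not a real registry) of the RFC 5730 result code a
    registry returns for a command against a domain with the given statuses."""
    if command == "update" and statuses & {CLIENT_UPDATE_LOCK, SERVER_UPDATE_LOCK}:
        return 2304, "Object status prohibits operation"
    return 1000, "Command completed successfully"


def hijack_attempt(statuses: set[str]) -> tuple[int, str]:
    """What a stolen registrar (EPP) credential achieves against a status set.
    RFC 5731 lets the sponsoring registrar remove its own client* flags, so the
    attacker first clears those, then sends the re-delegation. Only the
    registry-set server* flags survive this and block the update."""
    remaining = {s for s in statuses if not s.startswith("client")}
    return registry_decision(remaining, "update")


# Constructed <domain:info> response for a domain protected by a registry lock.
LOCKED_INFO = f"""<epp xmlns="{EPP_NS}">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <resData>
      <domain:infData xmlns:domain="{DOMAIN_NS}">
        <domain:name>example.com</domain:name>
        <domain:roid>EXAMPLE1-REP</domain:roid>
        <domain:status s="serverUpdateProhibited"/>
        <domain:status s="serverTransferProhibited"/>
        <domain:status s="serverDeleteProhibited"/>
        <domain:ns>
          <domain:hostObj>ns1.example.com</domain:hostObj>
          <domain:hostObj>ns2.example.com</domain:hostObj>
        </domain:ns>
      </domain:infData>
    </resData>
    <trID><clTRID>ABC-12345</clTRID><svTRID>54321-XYZ</svTRID></trID>
  </response>
</epp>"""


if __name__ == "__main__":
    # The re-delegation an attacker would send; ns1.attacker.example is a placeholder.
    cmd = build_ns_update("example.com", ["ns1.attacker.example"],
                          ["ns1.example.com", "ns2.example.com"], "ABC-12346")
    print(cmd)
    locked = domain_statuses(LOCKED_INFO)
    print("registry lock:", is_registry_locked(locked), "->", hijack_attempt(locked))
    print("client lock only ->", hijack_attempt({CLIENT_UPDATE_LOCK, "clientTransferProhibited"}))
```

The point of the model is the caveat: clientUpdateProhibited, the lock most registrars expose in their control panel, is set by the registrar and can be removed by the same EPP session that then changes the name servers, so it offers no protection on this route. Only a registry lock (serverUpdateProhibited and its companions, which the registry clears only after an out-of-band request) makes the re-delegation fail with result code 2304.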

Sea Turtle operated for a long time and discreetly: those behind it, Talos says, took an unusual approach precisely because DNS records are rarely monitored as closely as the rest of an organization's infrastructure.

Talos published its report in April 2019, but this neither stopped nor slowed the group's activity; so much so that in July Talos released an update.

Indeed, in recent months a further technique has appeared: instead of changing the address records of individual hosts, the attackers pointed each victim's DNS to an attacker-controlled name server, a different one for each compromised organization, which makes the activity even harder to detect and track.
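Since Talos's central observation is that DNS records are rarely watched, the natural check is to poll a domain's records on a schedule and compare them with a known-good baseline. The following added example, written for this page and not taken from the Talos reports, does that for both hijack shapes described above: the address-record swap of the original report and the per-victim name-server swap of the July update. The baseline, owned prefixes and snapshots are constructed data using documentation address ranges and example.com names; in practice the snapshots would come from querying the authoritative servers.

```python
from __future__ import annotations
import ipaddress

# Known-good records, captured once from the authoritative servers and stored offline.
# All names and addresses here are constructed example data.
BASELINE = {
    "example.com":      {"NS": {"ns1.example.com.", "ns2.example.com."},
                         "MX": {"mail.example.com."}},
    "mail.example.com": {"A": {"198.51.100.25"}},
    "vpn.example.com":  {"A": {"198.51.100.40"}},
}
# Address space the organisation really uses, and the name servers it approves of.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
APPROVED_NS_SUFFIXES = ("example.com.",)


def check_snapshot(baseline, observed, own_prefixes=OWN_PREFIXES,
                   approved_ns=APPROVED_NS_SUFFIXES) -> list[str]:
    """Compare one snapshot of observed answers with the baseline and return alerts.

    Two hijack shapes are called out explicitly: an A record moved to an address the
    organisation does not own (traffic redirected to a man-in-the-middle host), and an
    NS record moved to a name server outside the approved set (the whole zone
    delegated to the attacker)."""
    alerts = []
    for name, records in baseline.items():
        seen = observed.get(name, {})
        for rtype, expected in records.items():
            got = set(seen.get(rtype, ()))
            if got == expected:
                continue
            alerts.append(f"{name} {rtype}: expected {sorted(expected)}, observed {sorted(got)}")
            for value in got - expected:
                if rtype == "A" and not any(ipaddress.ip_address(value) in n for n in own_prefixes):
                    alerts.append(f"{name} A: {value} is outside owned prefixes, possible MitM redirect")
                elif rtype == "NS" and not value.endswith(approved_ns):
                    alerts.append(f"{name} NS: zone delegated to unapproved name server {value}")
    return alerts


# Constructed snapshots: what a periodic poll of the authoritative servers might return.
SNAPSHOT_NORMAL = {k: {t: set(v) for t, v in r.items()} for k, r in BASELINE.items()}

# Pattern 1 (the April report): one host's A record swapped for an attacker address.
SNAPSHOT_A_HIJACK = {**SNAPSHOT_NORMAL, "mail.example.com": {"A": {"203.0.113.7"}}}

# Pattern 2 (the July update): the domain's NS records swapped so the attacker's
# name server answers every query for the zone. ns1.attacker.example is a placeholder.
SNAPSHOT_NS_HIJACK = {**SNAPSHOT_NORMAL,
                      "example.com": {"NS": {"ns1.attacker.example."}, "MX": {"mail.example.com."}}}


if __name__ == "__main__":
    for label, snap in (("normal", SNAPSHOT_NORMAL), ("A hijack", SNAPSHOT_A_HIJACK),
                        ("NS hijack", SNAPSHOT_NS_HIJACK)):
        print(label, check_snapshot(BASELINE, snap) or "no drift")
```

Two practical points follow from the campaign as described. A hijacked record only has to stay in place long enough to capture a few logins, so the poll interval must be short and the queries should go straight to the authoritative servers (and to the parent zone for the NS records) from a vantage point outside the organisation's own resolvers. And because a change made at the registrar or registry can replace the DS record along with the NS records, DNSSEC alone does not defend against this class of attack; the baseline comparison and a registry lock do.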

We can therefore say that whoever is behind Sea Turtle is a group without scruples, probably driven by national interests and equipped with considerable infrastructure.

The importance of DNS is enormous: the entire structure of the Internet depends on its correct functioning, and with it much of the world economy and the services provided by every company and government.

For this reason Talos says it strongly condemns the methods with which the Sea Turtle campaign (and the organization or state behind it) is carrying out this series of attacks.

This campaign could mark the beginning of a series of attacks that tamper with the DNS system more extensively and with potentially disastrous consequences that could affect each of us.

To learn more:

https://blog.talosintelligence.com/2019/04/seaturtle.html
https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming....
https://www.cisco.com
https://www.kaspersky.it/resource-center/definitions/spear-phishing