DNSpionage and DNS data hijacking
Date : January 08, 2019
On 22-Jan-2019, the CISA (see our note below) has released an « Emergency Directive », which asks all the US governmental agencies (“.gov” and associated domains) to take the following actions to keep their DNS servers safe:
- Audit DNS records integrity,
- Change passwords for all DNS related accounts,
- Add Multi-Factor Authentication on all DNS related accounts,
- Monitor the digital certificates related to DNS domains through the « Certificate Transparency » initiative.
Note: The CISA (Cybersecurity and Infrastructure Security Agency) is a US governmental agency, on top of the NCICC (National Cybersecurity and Communications Integration Center), which was created on November 2018 to replace the NPPD (National Protection and Programs Directorate). The NCICC includes several other well-known organizations, such as US-CERT and ICS-CERT.
This emergency directive is a response to a set of incidents recently disclosed by several sources (see the list at the end of this article) in November 2018 and January 2019, first with the name DNSpionage (or Cold River), and later with alerts entitled such as « DNS Hijacking Campaign ».
There are two components in these attacks:
- The DNSpionage malware is the component installed on victims’ computers. It is a rather classical RAT, but it has the capability to tunnel C&C communications into DNS traffic. The document [4], by Cisco TALOS, gives a good overview on this malware.
- The hijacking of network traffic, thank to DNS data corruption. This part is well described in the FireEye document [1].
This second component is the one that interests us for this article, and which led to the CISA injunction. From a technical perspective, the attack is quite simple: the attackers managed to alter DNS records for domain names like “mail.victim.com”, and this resulted in the victims being silently redirected from their corporate webmails to a web site under the control of the attacker. These DNS alterations were (probably) done:
- Either by stealing a DNS server administrator account. This allows the attacker to change DNS Type A records.
- Or by stealing a WhoIs domain administrator account. This allows the attacker to change Name Server (NS) records.
This kind of attack is not new. For example in 2013, the SEA (Syrian Electronic Army) attacker group used similar techniques to hijack websites such as the New York Times, Twitter and the Huffington Post (see this article). But the DNSpionage attack has been significative and very well prepared. According to Crowdstrike (see document [3]), the DNS corruption attack began at least in February 2017, and has affected 28 organizations in 12 countries. Most of these organizations were in Middle-East and Mediterranean neighborhood (Lebanon, Egypt, etc.), but Sweden and USA were also punctual targets. These attacks against US explain the CISA reaction.
Most of the analysis speculate than Iran could be behind these attacks. The CERT-IST/ATK-2019.012 - Cold River datasheet describes these attacks and the associated IOCs.
DNS servers (and the WhoIs server on top of them) are indeed critical resources. And these US alerts remind us of the importance of protecting them carefully. These good practices are of course recommended for any organization.
For more information:
Description of the DNS attacks:
[1] 02-Jan-2019 : FireEye - Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
[2] 24-Jan-2019 : US-CERT – Alert AA19-024A - DNS Infrastructure Hijacking Campaign
https://www.us-cert.gov/ncas/alerts/AA19-024A
[3] 25-Jan-2019 : CrowdStrike - Widespread DNS Hijacking Activity Targets Multiple Sectors
https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/
Description of DNSpionage RAT:
[4] 27-Nov-2018 : Cisco TALOS - DNSpionage Campaign Targets Middle East
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
[5] 10-Jan-2019 : CERT-OPMD – [DNSPIONAGE] – Focus on internal actions
https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/
[6] 11-Jan-2019 : LastLine - Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable
https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/