Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
Introduction
FireEye’s Mandiant Incident Response and Intelligence teams have
identified a wave of DNS hijacking that has affected dozens of domains
belonging to government, telecommunications and internet
infrastructure entities across the Middle East and North Africa,
Europe and North America. While we do not currently link this activity
to any tracked group, initial research suggests the actor or actors
responsible have a nexus to Iran. This campaign has targeted victims
across the globe on an almost unprecedented scale, with a high degree
of success. We have been tracking this activity for several months,
mapping and understanding the innovative tactics, techniques and
procedures (TTPs) deployed by the attacker. We have also worked
closely with victims, security organizations, and law enforcement
agencies where possible to reduce the impact of the attacks and/or
prevent further compromises.
While this campaign employs some traditional tactics, it is
differentiated from other Iranian activity we have seen by leveraging
DNS hijacking at scale. The attacker uses this technique for their
initial foothold, which can then be exploited in a variety of ways. In
this blog post, we detail the three different ways we have seen DNS
records be manipulated to enable victim compromises.
Initial Research Suggests Iranian Sponsorship
Attribution analysis for this activity is ongoing. While the DNS
record manipulations described in this post are noteworthy and
sophisticated, they may not be exclusive to a single threat actor as
the activity spans disparate timeframes, infrastructure, and service providers.
- Multiple clusters of this
activity have been active from January 2017 to January 2019.
- There are multiple, nonoverlapping clusters of actor-controlled
domains and IPs used in this activity. - A wide range of
providers were chosen for encryption certificates and VPS
hosts.
Preliminary technical evidence allows us to assess with moderate
confidence that this activity is conducted by persons based in Iran
and that the activity aligns with Iranian government interests.
- FireEye Intelligence
identified access from Iranian IPs to machines used to intercept,
record and forward network traffic. While geolocation of an IP
address is a weak indicator, these IP addresses were previously
observed during the response to an intrusion attributed to Iranian
cyber espionage actors. - The entities targeted by this group
include Middle Eastern governments whose confidential information
would be of interest to the Iranian government and have relatively
little financial value.
Details
The following examples use victim[.]com to stand in for the victim
domain, and private IP addresses to stand in for the actor
controlled IP addresses.
Technique 1 – DNS A Records
The first method exploited by the attacker is altering DNS A
Records, as seen in Figure 1.
Figure 1: DNS A Record
- The attacker logs into
PXY1, a Proxy box used to conduct
non-attributed browsing and as a jumpbox to other
infrastructure. - The attacker logs into the DNS provider’s
administration panel, utilising previously compromised
credentials. - The A record (e.g. class="code">mail[.]victim[.]com) is currently pointing to
192.168.100.100. - The attacker
changes the A record and points it to 10.20.30.40
(OP1). - The attacker logs in from class="code">PXY1 to OP1.
- A
proxy is implemented to listen on all open ports, mirroring
mail[.]victim[.]com. - A load
balancer points to 192.168.100.100
[mail[.]victim[.]com] to pass through user traffic.
- certbot is used to create a Let’s Encrypt
Certificate for mail[.]victim[.]com
- We have observed multiple Domain Control Validation
providers being utilised as part of this campaign.
- A user now visits class="code">mail[.]victim[.]com and is directed to OP1.
The Let’s Encrypt Certificate allows the browsers to establish a
connection without any certificate errors as class="code">Let's Encrypt Authority X3 is trusted. The
connection is forwarded to the load balancer which establishes the
connection with the real class="code">mail[.]victim[.]com. The user is not aware of
any changes and may only notice a slight delay. - The
username, password and domain credentials are harvested and
stored.
Technique 2 – DNS NS Records
The second method exploited by the attacker involved altering DNS NS
Records, as seen in Figure 2.
Figure 2: DNS NS Record
- The attacker again logs
into PXY1. - This time, however,
the attacker exploits a previously compromised registrar or
ccTLD. - The nameserver record class="code">ns1[.]victim[.]com is currently set to class="code">192.168.100.200. The attacker changes the NS
record and points it to ns1[.]baddomain[.]com
[10.1.2.3]. That nameserver will respond with the IP class="code">10.20.30.40 (OP1) when class="code">mail[.]victim[.]com is requested, but with the
original IP 192.168.100.100 if it is
www[.]victim[.]com. - The attacker logs in from class="code">PXY1 to OP1.
- A
proxy is implemented to listen on all open ports, mirroring
mail[.]victim[.]com. - A load
balancer points to 192.168.100.100
[mail[.]victim[.]com] to pass through user traffic.
- certbot is used to create a Let’s Encrypt
Certificate for mail[.]victim[.]com.
- We have observed multiple Domain Control Validation
providers being utilised during this campaign.
- A user visits mail[.]victim[.]com and
is directed to OP1. The Let’s Encrypt
Certificate allows browsers to establish a connection without any
certificate errors as Let's Encrypt Authority
X3 is trusted. The connection is forwarded to the load
balancer which establishes the connection with the real class="code">mail[.]victim[.]com. The user is not aware of
any changes and may only notice a slight delay. - The
username, password and domain credentials are harvested and
stored.
Technique 3 – DNS Redirector
The attacker has also been observed using a third technique in
conjunction with either Figure 1 or Figure 2 above. This involves a
DNS Redirector, as seen in Figure 3.
Figure 3: DNS Operational box
The DNS Redirector is an attacker operations box which responds to
DNS requests.
- A DNS request for class="code">mail[.]victim[.]com is sent to class="code">OP2 (based on previously altered A Record or NS
Record). - If the domain is part of victim[.]com zone, class="code">OP2 responds with an attacker-controlled IP
address, and the user is re-directed to the attacker-controlled
infrastructure. - If the domain is not part of the victim.com
zone (e.g. google[.]com), OP2 makes a DNS
request to a legitimate DNS to get the IP address and the legitimate
IP address is returned to the user.
Targets
A large number of organizations have been affected by this pattern
of DNS record manipulation and fraudulent SSL certificates. They
include telecoms and ISP providers, internet infrastructure providers,
government and sensitive commercial entities.
Root Cause Still Under Investigation
It is difficult to identify a single intrusion vector for each
record change, and it is possible that the actor, or actors are using
multiple techniques to gain an initial foothold into each of the
targets described above. FireEye intelligence customers have received
previous reports describing sophisticated phishing attacks used by one
actor that also conducts DNS record manipulation. Additionally, while
the precise mechanism by which the DNS records were changed is
unknown, we believe that at least some records were changed by
compromising a victim’s domain registrar account.
Prevention Tactics
This type of attack is difficult to defend against, because valuable
information can be stolen, even if an attacker is never able to get
direct access to your organization’s network. Some steps to harden
your organization include:
- Implement multi-factor
authentication on your domain’s administration portal.
- Validate A and NS record changes.
- Search for SSL
certificates related to your domain and revoke any malicious
certificates. - Validate the source IPs in OWA/Exchange
logs. - Conduct an internal investigation to assess if
attackers gained access to your environment.
Conclusion
This DNS hijacking, and the scale at which it has been exploited,
showcases the continuing evolution in tactics from Iran-based actors.
This is an overview of one set of TTPs that we recently observed
affecting multiple entities. We are highlighting it now so that
potential targets can take appropriate defensive action.
Source: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale (http://)