Sea Turtle DNS Hijacking Campaign

Cisco Talos researchers published an analysis of a DNS hijacking campaign, named “Sea Turtle”, targeting national security organizations in the Middle East and North Africa.

In this campaign, the threat actors compromised a network primarily by exploiting known vulnerabilities in phpMyAdmin, Drupal, Apache and other software. After obtaining access to the network, the attackers moved laterally and harvested credentials.

Once the appropriate credentials were obtained, they would log in to the DNS registry and update the settings so that DNS requests for the target domain were answered by an attacker-controlled name server instead. The attacker’s infrastructure was made up of man-in-the-middle servers impersonating legitimate services.

Users would be directed to these spoofed web pages that harvest any entered credentials and then redirect the user to the legitimate service in order to avoid detection. Additionally, attackers stole SSL certificates from the compromised network in order to compromise additional credentials. The researchers note that these threat actors are highly capable and sophisticated, and their targeting of DNS registries and registrars shows an aggressive approach.
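A defender-side check for the delegation change described above, as an added example that is not code from the Talos report or this post: it compares a zone's observed NS delegation (and the addresses those name servers resolve to) against a known-good baseline. The domain, name server names and addresses are constructed placeholders.

```python
# Added example (not from the Talos report or this post): compare a zone's observed
# NS delegation with a known-good baseline to catch the registrar-level repointing
# described above. All names and addresses below are constructed placeholders.
from dataclasses import dataclass

def normalize(name: str) -> str:
    """Canonicalise a DNS name: strip the trailing dot and lower-case it."""
    return name.rstrip(".").lower()

@dataclass
class DelegationBaseline:
    domain: str
    expected_ns: frozenset   # authoritative name servers you actually operate
    expected_glue: dict      # name server hostname -> set of expected addresses

def check_delegation(baseline, observed_ns, observed_glue):
    """Return a list of findings; an empty list means the delegation is intact.
    observed_ns: NS names as answered by the parent (TLD) zone's servers.
    observed_glue: name server hostname -> set of addresses it resolves to."""
    findings = []
    obs = {normalize(n) for n in observed_ns}
    exp = {normalize(n) for n in baseline.expected_ns}
    # Delegation to servers you never authorised is the core signal: every lookup
    # for the zone is now answered by infrastructure you do not control.
    for ns in sorted(obs - exp):
        findings.append(f"{baseline.domain}: unexpected name server {ns}")
    for ns in sorted(exp - obs):
        findings.append(f"{baseline.domain}: expected name server {ns} removed")
    # The quieter variant keeps your NS names but repoints their addresses.
    for ns, ips in observed_glue.items():
        allowed = baseline.expected_glue.get(normalize(ns))
        if allowed is None:
            continue
        for ip in sorted(set(ips) - set(allowed)):
            findings.append(f"{baseline.domain}: {normalize(ns)} now resolves to {ip}")
    return findings

# Constructed sample data: placeholder names and RFC 5737 documentation addresses.
BASELINE = DelegationBaseline(
    domain="ministry.example",
    expected_ns=frozenset({"ns1.ministry.example", "ns2.ministry.example"}),
    expected_glue={"ns1.ministry.example": {"192.0.2.10"},
                   "ns2.ministry.example": {"192.0.2.11"}},
)
BENIGN_NS = ["NS1.ministry.example.", "ns2.ministry.example."]
BENIGN_GLUE = {"ns1.ministry.example.": {"192.0.2.10"}, "ns2.ministry.example.": {"192.0.2.11"}}
# The whole delegation moved to an attacker-operated name server pair.
HIJACKED_NS = ["ns1.attacker-dns.example.", "ns2.attacker-dns.example."]
HIJACKED_GLUE = {"ns1.attacker-dns.example.": {"203.0.113.5"}}
```

Collect the observed values by querying the parent zone's authoritative servers directly rather than a recursive resolver, since cached answers can lag behind a registry-level change.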

For further details, read the full report here.

Indicators of Compromise

Note: The threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor.


Duncan Newell

Duncan is a technology professional with over 20 years' experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
