Sea Turtle DNS Hijacking Campaign

Cisco Talos researchers published an analysis of a DNS Hijacking campaign, named “Sea Turtle”, targeting national security organizations in the Middle East and North Africa.

In this campaign, the threat actors gained initial access primarily by exploiting known vulnerabilities in phpMyAdmin, Drupal, Apache and other software. Once inside the network, they moved laterally and harvested credentials.

Once the appropriate credentials were obtained, they would log in to the DNS registry and change its settings so that DNS requests for the target domain were answered by an attacker-controlled name server instead. The attackers' infrastructure consisted of man-in-the-middle servers impersonating legitimate services.

Users would be directed to these spoofed web pages, which harvested any entered credentials and then redirected the user to the legitimate service to avoid detection. The attackers also stole SSL certificates from the compromised network in order to compromise additional credentials. The researchers note that these threat actors are highly capable and sophisticated, and that their targeting of DNS registries and registrars shows an aggressive approach.

For further details, read the full report here.

Indicators of Compromise

Note: The threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor.

Domain                     Active Timeframe     IP address
ns1[.]intersecdns[.]com    March – April 2019
ns2[.]intersecdns[.]com    March – April 2019
ns1[.]lcjcomputing[.]com   January 2019
ns2[.]lcjcomputing[.]com   January 2019
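The delegation change described above (the domain's NS records at the registry being repointed to attacker name servers) can be caught by comparing a domain's currently published NS set with a known-good baseline and with the attacker name servers in the IoC table. The script below is an added example, not code from the Talos report or this post; the domains in BASELINE and OBSERVED are constructed sample data, and in live use the observed NS names would come from a resolver query.

```python
from dataclasses import dataclass, field

# Attacker name servers from the post's IoC table (written there de-fanged as ns1[.]...).
KNOWN_BAD_NS = {
    "ns1.intersecdns.com", "ns2.intersecdns.com",
    "ns1.lcjcomputing.com", "ns2.lcjcomputing.com",
}

def normalize(name: str) -> str:
    """Canonical form: lower-case, de-fang '[.]', drop the trailing dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")

@dataclass
class Finding:
    domain: str
    added: set = field(default_factory=set)      # NS names not in the baseline
    removed: set = field(default_factory=set)    # baseline NS names no longer published
    known_bad: set = field(default_factory=set)  # observed NS names matching the IoC list

    @property
    def suspicious(self) -> bool:
        return bool(self.added or self.removed or self.known_bad)

def check_delegation(domain, expected_ns, observed_ns) -> Finding:
    """Compare the NS set currently published for `domain` against its baseline."""
    exp = {normalize(n) for n in expected_ns}
    obs = {normalize(n) for n in observed_ns}
    return Finding(domain, added=obs - exp, removed=exp - obs,
                   known_bad=obs & KNOWN_BAD_NS)

def audit(baseline, observed):
    """Run the check for every baselined domain; a missing answer counts as removed."""
    return [check_delegation(d, exp, observed.get(d, ())) for d, exp in baseline.items()]

# Constructed sample data (hypothetical domains): one unchanged, one hijacked.
BASELINE = {
    "example.org": ["ns1.example.org.", "ns2.example.org."],
    "mail.example.net": ["a.hosting-dns.example.", "b.hosting-dns.example."],
}
OBSERVED = {
    "example.org": ["NS1.example.org.", "ns2.example.org."],              # same set, case/dot differ
    "mail.example.net": ["ns1.intersecdns.com.", "ns2.intersecdns.com."],  # delegation replaced
}

if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED):
        status = "ALERT" if f.suspicious else "ok   "
        print(f"{status} {f.domain}: added={sorted(f.added)} removed={sorted(f.removed)} "
              f"known_bad={sorted(f.known_bad)}")
```

For live monitoring, populate OBSERVED from an NS query (for example the output of `dig NS <domain>`) and run the audit on a schedule, alerting on any suspicious finding.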

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
