DNS/hijacking/事例/SeaTurtleについて、ここに記述してください。
Contents
- Assessed Sea Turtle DNS hijacking methodology
It is important to remember that the DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle:
- Established a means to control the DNS records of the target.
- Modified DNS records to point legitimate users of the target to actor-controlled servers.
- Captured legitimate user credentials when users interacted with these actor-controlled servers.
The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals.
https://blog.talosintelligence.com/2019/04/seaturtle.html
Wednesday, April 17, 2019 DNS Hijacking Abuses Trust In Core Internet Service
DNS ハイジャックにより感染を広げる「Sea Turtle」 2019年7月25日
新しい手口では、標的のドメイン ネームサーバ レコードを修正することで、正当なユーザを攻撃者が管理するサーバに誘導します。この場合、攻撃者が管理するネームサーバとハイジャックされたホスト名の両方が、短期間(通常 24 時間未満)のみ同じ IP アドレスに解決されます。確認された 2 件のいずれのケースでも、ハイジャックされたホスト名のひとつが電子メール サービスを参照し、攻撃者によるユーザ クレデンシャルの取得を許していると考えられます。ただしこの手口では、攻撃者が管理するネームサーバが複数の標的で使用されないため、追跡が非常に困難です。つまり、この手口で乗っ取られたすべての組織には、専用のネームサーバ ホスト名と独自の専用 IP アドレスがある状態になります。対照的に、これまでに報告された ns1[.]intersecdns[.]com などは複数の組織を標的にしています。
あるケースの民間組織では、権威あるネーム サーバとして主にサード パーティのサービスを使用していました。その後の 2018 年 1 月には、たった 3 時間で、組織のネーム サーバ レコードが、組織名が少しだけ異なるネーム サーバ ホスト名に変更されました。この 3 時間で、攻撃者が管理する IP アドレスは、3 つのホスト名(攻撃者が管理するネームサーバ 2 件、Web メールのホスト名 1 件)をホストしていました。前の投稿でも説明したように、これで攻撃者は中間者 (MitM) を実行し、クレデンシャルを収集できるようになります。同じ手口は、中東および北アフリカの政府機関に対しても観察されました。
1. Preface
This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.
2. Executive Summary
Cisco Talos has discovered a new cyber threat campaign that we are calling "Sea Turtle," which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.
The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 24 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names.
In the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities.
We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage, which we reported on in November 2018. The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions. Due to the effectiveness of this approach, we encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology.
The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first publicly confirmed case against an organizations that manages a root server zone, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.
This post provides the technical findings you would typically see in a Talos blog. We will also offer some commentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology and thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident there are more that we have not seen.
Background on Domain Name Services and records management The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space. This section provides a brief overview of where DNS records are managed and how they are accessed to help readers better understand how these events unfolded.
The first and most direct way to access an organization's DNS records is through the registrar with the registrant's credentials. These credentials are used to login to the DNS provider from the client-side, which is a registrar. If an attacker was able to compromise an organization's network administrator credentials, the attacker would be able to change that particular organization's DNS records at will.
The second way to access DNS records is through a DNS registrar, sometimes called registrar operators. A registrar sells domain names to the public and manages DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in the request for comment (RFC) 5730 as "a means of interaction between a registrar's applications and registry applications." If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records that were managed by that particular registrar.
The third approach to gain access to DNS records is through one of the registries. These registries manage any known TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs). For example, Verisign manages all entities associated with the top-level domain (TLD) ".com." All the different registry information then converges into one of 12 different organization that manage different parts of the domain registry root. The domain registry root is stored on 13 "named authorities in the delegation data for the root zone," according to ICANN.
Finally, actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised. We highlight this as a potential avenue that attackers would consider. The root DNS servers issued a joint statement that stated, "There are no signs of lost integrity or compromise of the content of the root [server] zone…There are no signs of clients having received unexpected responses from root servers."