Insane in the domain: Sea Turtle hackers pwn DNS orgs to dash web surfers on the rocks of phishing pages

www.theregister.co.uk | 4/17/2019 | Staff

Internet domain registrars and at least one registry were hijacked to change certain websites' DNS settings so that visitors to said sites were in fact directed to password-stealing phishing pages, researchers detailed on Wednesday.

It is believed this is the first time state-backed miscreants have compromised web domain organizations, including those handling country-code top-level domains, in order to phish specific targets.


Essentially, once inside a registry or registrar, the hackers would change the DNS records for a particular website or server, so that when people tried to visit that system, their browsers or software would be told to connect to machines masquerading as the legit service. At that point, the malicious clones could collect usernames, passwords, and other sensitive information submitted by hoodwinked users, and log into the real services as them.

In their report out this week, eggheads at Cisco Talos outlined how the crew of miscreants, known as the Sea Turtle group, manipulated DNS entries to harvest user credentials from 40 specifically targeted companies and government organizations across 13 countries in the Middle East and North Africa. Those credentials were then used to infiltrate said businesses and organizations.


Computer systems within a registry and registrar were infected by tricking employees into opening spear-phishing emails laden with malware, from sometime around January 2017 through the first quarter of 2019. Typically, registries manage top-level domains, such as .com or .org, and the public buy and sell domains using these TLDs via registrars.

The cyber-attacks on these domain management organizations were so serious that the US Department of Homeland Security issued an alert warning internet users in January to lock down their DNS records to avoid similar hijackings.
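The hijack described above works by swapping a site's records at the registry or registrar, so the defence the DHS alert points at is keeping an approved baseline of each sensitive name's records and checking what resolvers actually answer against it. The Python below is an added example, not code from The Register, Cisco Talos or the DHS advisory: the domain names and addresses are constructed, and the `fake_resolve` stand-in returns constructed "poisoned" answers where a real deployment would inject a resolver wrapping a DNS library.

```python
"""Detect DNS record drift of the kind Sea Turtle relied on.

Added example, not code from The Register, Cisco Talos or the DHS alert.
The domain names and addresses below are constructed for illustration.
An operator keeps an approved baseline of each sensitive name's records;
this script diffs a fresh snapshot against it and rates the change, so a
swapped A record or a replaced nameserver delegation is noticed before
users are steered to a look-alike login page.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

RecordSet = Dict[str, Dict[str, Set[str]]]   # name -> rtype -> values

# Why each record type matters for this attack pattern: NS drift means the
# whole zone's answers now come from someone else's servers; A/AAAA drift
# points a single host at an impostor; MX drift diverts mail (and password
# reset links) elsewhere.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high"}


def normalise(value: str) -> str:
    """Canonicalise a record value so cosmetic differences do not alert:
    DNS names are case-insensitive and a trailing dot is optional."""
    return value.strip().lower().rstrip(".")


def snapshot(names: Iterable[str], rtypes: Iterable[str],
             resolve: Callable[[str, str], Iterable[str]]) -> RecordSet:
    """Build a RecordSet by calling `resolve(name, rtype)` for every pair.
    `resolve` is injected so the same check can run against a real
    resolver or, as here, against constructed answers."""
    out: RecordSet = {}
    for name in names:
        out[normalise(name)] = {
            rtype: {normalise(v) for v in resolve(name, rtype)} for rtype in rtypes
        }
    return out


@dataclass(frozen=True)
class Drift:
    name: str
    rtype: str
    added: frozenset      # values present now but not in the baseline
    removed: frozenset    # baseline values that have disappeared
    severity: str


def compare(baseline: RecordSet, observed: RecordSet) -> List[Drift]:
    """Return one Drift per (name, rtype) whose value set changed.
    A name missing from the snapshot shows up as removed records; a name
    absent from the baseline shows up as unexpected additions."""
    drifts: List[Drift] = []
    for name in sorted(set(baseline) | set(observed)):
        want_types = baseline.get(name, {})
        got_types = observed.get(name, {})
        for rtype in sorted(set(want_types) | set(got_types)):
            want = {normalise(v) for v in want_types.get(rtype, ())}
            got = {normalise(v) for v in got_types.get(rtype, ())}
            if want != got:
                drifts.append(Drift(name, rtype,
                                    frozenset(got - want), frozenset(want - got),
                                    SEVERITY.get(rtype, "medium")))
    return drifts


# --- constructed demonstration data (hypothetical domain and addresses) ----
BASELINE: RecordSet = {
    "vpn.example.test": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.example.test.", "ns2.example.test."},
        "MX": {"10 mail.example.test."},
    },
}

# What a resolver might answer after a registrar-level change: the A record
# now points at an address the operator never assigned and one nameserver
# has been replaced. MX is unchanged apart from case and trailing dot.
HIJACKED_ANSWERS = {
    ("vpn.example.test", "A"): ["203.0.113.7"],
    ("vpn.example.test", "NS"): ["NS1.EXAMPLE.TEST.", "ns-evil.example.invalid."],
    ("vpn.example.test", "MX"): ["10 MAIL.example.test"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a real resolver, returning the constructed answers."""
    return HIJACKED_ANSWERS.get((name, rtype), [])


def run_check(baseline: RecordSet = BASELINE,
              resolve: Callable[[str, str], Iterable[str]] = fake_resolve) -> List[Drift]:
    """Snapshot every baseline name for every baseline record type and diff."""
    rtypes = sorted({rt for types in baseline.values() for rt in types})
    observed = snapshot(baseline.keys(), rtypes, resolve)
    return compare(baseline, observed)


if __name__ == "__main__":
    for d in run_check():
        print(f"[{d.severity}] {d.name} {d.rtype}: "
              f"+{sorted(d.added)} -{sorted(d.removed)}")
```

Run on a schedule from a host outside the zone being watched, and treat any NS drift as an incident rather than a ticket: by the time the delegation has changed, every other record for the zone is already under someone else's control. Normalising case and trailing dots keeps the comparison quiet on harmless differences so the alerts that do fire are worth paging on.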


Talos noted that multiple vulnerabilities were exploited by the miscreants to break into the domain organizations. One of those was CVE-2017-3881, a remote code execution hole in...
(Excerpt) Read more at: www.theregister.co.uk