Cisco Talos recently revealed an attack campaign it calls “Sea Turtle”. From January 2017 to the first quarter of this year, the operation is reported to have continuously targeted more than 40 organizations in 13 countries across the Middle East and North Africa with DNS attacks. Because of this sustained targeting, the attack is widely believed to be carried out by state-sponsored hackers.
“Turtle Operation” uses DNS as its main attack vector, illegally tampering with DNS name records so that visitors are directed to a server controlled by the hackers. In this way, the hackers can easily harvest website credentials and other sensitive data that visitors submit through web forms and the like. The main victims of the operation are national security organizations, ministries of foreign affairs, well-known energy organizations, and third parties providing services to these organizations. The other victims are DNS registrars, telecom operators and ISPs. It is worth noting that the hackers usually compromise third-party service providers in order to reach their targeted users.
In fact, “Turtle Operation” has attracted wide attention. Netnod, the neutral Internet infrastructure provider in Sweden, was attacked by hackers in January this year. Netnod confirmed that it was not the hackers’ ultimate target; the hackers only sought to obtain login credentials for Internet services in other countries via Netnod. Most victims are located in the Middle East, North Africa, Europe and North America. Security vendor FireEye also announced a global DNS hijacking campaign in January, speculating that the hackers originated in Iran.
Cisco Talos believes that “Turtle Operation” shows the hackers’ high capability and persistence. Most attacks stop or slow down once they are publicly exposed, but the hackers behind “Turtle Operation” continue to attack without hindrance. Researchers estimate that the sophisticated “Sea Turtle Operation” exploits at least seven security vulnerabilities, affecting phpMyAdmin, GNU bash, Cisco switches, Cisco routers, Cisco security appliances, Apache servers running Tomcat, and Drupal.
In addition, DNS hijacking is only a means for the hackers to achieve their goals. Researchers believe that the hackers’ purpose is to steal credentials that grant access to the target system or network. They take control of targeted users’ DNS records, then change those records to direct users to the hackers’ own server in order to steal the users’ credentials. The hackers then use these credentials to access the compromised network or system.
Organizations and enterprises are advised to enable a registry lock service to prevent unauthorized tampering with DNS records, and to set up multi-factor authentication for DNS access. If you suspect that you have been hacked, it is best to change all user passwords and patch the open security vulnerabilities.
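As an added example that is not part of the original article, the following Python script shows the kind of DNS record integrity check that would surface the NS and A record changes described above; the zone names, addresses and resolver are constructed sample data, and the baseline would normally come from the organization's own zone file.

```python
"""Added example (not from the article): compare a known-good baseline of DNS
records against what currently resolves and flag every record set that changed,
which is how a Sea Turtle-style NS or A record hijack would surface."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

RecordKey = Tuple[str, str]                      # (owner name, record type)
Resolver = Callable[[str, str], FrozenSet[str]]  # injected so the check runs offline

@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    expected: FrozenSet[str]
    observed: FrozenSet[str]

    def describe(self) -> str:
        added = sorted(self.observed - self.expected)
        removed = sorted(self.expected - self.observed)
        return f"{self.name} {self.rtype}: added={added} removed={removed}"

def audit_records(baseline: Dict[RecordKey, FrozenSet[str]], resolve: Resolver) -> List[Alert]:
    """Return one Alert per (name, type) whose answer set differs from the baseline."""
    alerts = []
    for (name, rtype), expected in sorted(baseline.items()):
        observed = resolve(name, rtype)
        if observed != expected:
            alerts.append(Alert(name, rtype, expected, observed))
    return alerts
# Constructed baseline for a hypothetical zone (example.org and 192.0.2.0/24 are reserved).
BASELINE: Dict[RecordKey, FrozenSet[str]] = {
    ("example.org.", "NS"): frozenset({"ns1.example.org.", "ns2.example.org."}),
    ("mail.example.org.", "A"): frozenset({"192.0.2.10"}),
    ("www.example.org.", "A"): frozenset({"192.0.2.20"}),
}

# Constructed "current" answers simulating a hijack: one authoritative name server was
# swapped at the registrar and the mail host now points at a foreign address
# (198.51.100.0/24 is documentation space standing in for an attacker-controlled host).
HIJACKED = dict(BASELINE)
HIJACKED[("example.org.", "NS")] = frozenset({"ns1.example.org.", "ns1.example.net."})
HIJACKED[("mail.example.org.", "A")] = frozenset({"198.51.100.7"})
def fake_resolver(name: str, rtype: str) -> FrozenSet[str]:
    """Stand-in for a real lookup (e.g. dnspython's dns.resolver.resolve)."""
    return HIJACKED.get((name, rtype), frozenset())

if __name__ == "__main__":
    for alert in audit_records(BASELINE, fake_resolver):
        print(alert.describe())
```

Run this on a schedule from a host outside the monitored network and alert on any non-empty result; a changed NS set in particular indicates tampering at the registrar or registry level rather than on the organization's own name servers.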
Published by Emerson L. Sullivan & last updated on April 22, 2019 4:53 am