Friday, January 24, 2025
HomeComputer SecurityHackers Launching DNS Hijacking Attack to Gain Access to Telecommunication & ISP...

Hackers Launching DNS Hijacking Attack to Gain Access to Telecommunication & ISP Networks

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new malicious campaign called “Sea Turtle,” attack public and private entities in various countries using DNS hijacking as a mechanism.

State sponsored threat actors compromise at least 40 different organizations across 13 different countries during this malicious campaign in the first quarter of 2019.

Attackers carried out highly persistent tactics and advanced tools to gain access to sensitive networks and systems.

DNS hijacking is a type of malicious attack that used to redirect the users to the malicious website by modify DNS name records when they visit the website via compromised routers or attackers modifying a server’s settings.

Threat actors targeting two different groups of vicims, primary victims are national security organizations, ministries of foreign affairs, and prominent energy organizations and the second group of victims are numerous DNS registrars, telecommunication companies, and internet service providers.

Initially they targeting the 3rd party that provide services to the primary targets to perform DNS hijacking.

Researchers alerts that the current DNS hijacking campaign is more severe and sophisticated than the previous attacks.

How Does This DNS Hijacking Attack Performed

In the first way, threat actors manipulating and falsifying DNS records by obtaining the organization’s network administrator credentials to modify the DNS records.

A second way to access DNS records via DNS registrar who sells domain names to the public and manages DNS records and the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP).

In this case, attackers obtain one of these EPP keys to modify any of the DNS records that managed by the Registrar.

Actors behind Sea Turtle ultimately intended to steal credentials to gain access to networks and systems by performing the following way,

  1. Established a means to control the DNS records of the target.
  2. Modified DNS records to point legitimate users of the target to actor-controlled servers.
  3. Captured legitimate user credentials when users interacted with these actor-controlled servers.
DNS Hijacking Attack

Threat actors behind the Sea Turtle campaign either exploiting the known vulnerability or sprear-phising emails to compromise the victims in the initial stage.

Once the successfully gain the network access, attacker would modify the NS records for the targeted organization and the pointing users to a malicious DNS server.

This access gives lets attacker to redirect the users who queried for that particular domain around the world to the macious domain.

According to Talos Research, Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified “A” record that would provide the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second.

Later attacker build a MitM servers that impersonated legitimate services to capture user credentials and gives a lot more sensitive access to the targeted organization.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Miner Malware Uses Multiple Propagation Methods to Infect Windows Machines and to Drop Monero Miner

Two Hackers of Bayrob Malware Gang Convicted for Infecting more than 400,000 Computers Worldwide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...