Security researchers have spotted a new series of DNS hijacking attacks successfully targeting organizations globally on a large scale and traced back to Iran.
The attacks have compromised “dozens” of domains run by government, telecommunications and internet infrastructure organizations in the Middle East and North Africa, Europe and North America. The attackers change DNS records to direct users to malicious but legitimate-looking domains, backed by Let’s Encrypt certificates, where email credentials are harvested.
FireEye observed three attack methods, with activity first spotted in January 2017.
The first uses previously compromised credentials to log in to a DNS provider’s administration panel with the aim of changing DNS A records.
The second exploits a previously compromised registrar or ccTLD to change DNS nameserver (NS) records. A third technique is used in combination with the previous two to return legitimate IP addresses for users outside the targeted domains, so that only the intended victims see the altered records.
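A defender's counterpart to the three techniques above is to compare the A and NS records observed from several vantage points against a baseline the domain owner controls; the selective third technique shows up as disagreement between vantage points. This is an added example with constructed data, not code from FireEye or the article; the domain, resolver names and addresses are hypothetical.

```python
"""Baseline comparison for DNS A and NS records (constructed data, not real records)."""
from typing import Dict, List, Set, Tuple

Records = Dict[str, Set[str]]            # rtype -> set of answers
Snapshot = Dict[str, Records]            # name -> records

# Hypothetical baseline: the records the domain owner knows to be correct.
BASELINE: Snapshot = {
    "mail.example.gov": {"A": {"203.0.113.10"},
                         "NS": {"ns1.example.gov.", "ns2.example.gov."}},
}

# Constructed observations from two vantage points. A hijack that serves tampered
# answers only to selected clients shows up as disagreement between them.
OBSERVED: Dict[str, Snapshot] = {
    "internal-resolver": {
        "mail.example.gov": {"A": {"198.51.100.77"},
                             "NS": {"ns1.example.gov.", "ns2.example.gov."}},
    },
    "external-resolver": {
        "mail.example.gov": {"A": {"203.0.113.10"},
                             "NS": {"ns1.example.gov.", "ns2.example.gov."}},
    },
}


def diff_records(baseline: Snapshot, observed: Dict[str, Snapshot]) -> List[dict]:
    """One finding per (vantage, name, rtype) whose answer deviates from the baseline."""
    findings = []
    for vantage, names in observed.items():
        for name, records in names.items():
            expected = baseline.get(name, {})
            for rtype, answer in records.items():
                if answer != expected.get(rtype, set()):
                    findings.append({"vantage": vantage, "name": name, "type": rtype,
                                     "expected": sorted(expected.get(rtype, ())),
                                     "seen": sorted(answer)})
    return findings


def vantage_disagreements(observed: Dict[str, Snapshot]) -> Set[Tuple[str, str]]:
    """(name, rtype) pairs whose answers differ between vantage points: the selective pattern."""
    seen: Dict[Tuple[str, str], Set[frozenset]] = {}
    for names in observed.values():
        for name, records in names.items():
            for rtype, answer in records.items():
                seen.setdefault((name, rtype), set()).add(frozenset(answer))
    return {key for key, answers in seen.items() if len(answers) > 1}
```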
FireEye warned that a “large number” of DNS/SSL cert firms had been affected by these attacks, including telcos, ISPs, infrastructure providers and governments.
“It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors, are using multiple techniques to gain an initial foothold into each of the targets described above,” the vendor explained.
“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.”
Less information was forthcoming on the type of organizations and users targeted by the cyber-espionage itself, although FireEye said they include “Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value.”
This, along with the fact that the attackers used IP addresses previously associated with Iranian operations, has led the vendor to attribute the campaign to Tehran with “moderate confidence.”