
Cybercriminals attack companies through their DNS providers


Cybercrime group Sea Turtle attacked the organization ICS-Forth, which controls the Greek top-level domains .gr and .el.

Cisco Talos first reported on the Sea Turtle group in April this year. The attackers use a highly unusual intrusion technique: instead of attacking the victim directly, they gain access to accounts at domain registrars and managed DNS providers and change the company's DNS settings.

By modifying the DNS records of internal servers, the attackers redirect traffic destined for legitimate applications and the company's mail servers to servers under their control, carry out a man-in-the-middle attack and intercept credentials.

These attacks are short-lived (lasting from several hours to several days) and go unnoticed (most companies do not check their DNS settings for changes). According to FireEye, the group acts in the interests of the Iranian government.

To reach a victim, Sea Turtle does not shy away from compromising a provider's entire network. As reported in the first Cisco Talos report, the group hacked into the Swedish organization NetNod, which operates an Internet exchange point. The attack allowed the attackers to manipulate the DNS records for sa1[.]dnsnode[.]net and obtain the credentials of the administrator of Saudi Arabia's top-level domain (.sa).

In a new report, Cisco Talos describes a similar attack on the Greek organization ICS-Forth. At the moment, researchers find it difficult to say what the attackers did in the ICS-Forth networks after the intrusion. It is also unknown for which domains the attackers changed the DNS settings. After the organization notified the public about the intrusion, Sea Turtle remained in its networks for another five days.

Source: https://www.securitylab.ru/news/499907.php
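The post notes that most companies never check their DNS settings for changes, which is exactly what lets a registrar- or provider-level hijack go unnoticed for days. The following is an added example (not from the original post, Cisco Talos or FireEye) of a minimal baseline-diff check: it parses two zone-style snapshots of an organization's public records, ignores harmless reordering, and raises an alert for every owner name and record type whose value set changed. The zone name, the nameserver hostnames and the IP addresses are constructed (RFC 5737 documentation ranges), and the snapshot text format is an assumption; a real deployment would feed it the output of the organization's resolver or registrar API.

```python
"""Baseline-diff check for DNS records: detects the silent record changes
that a registrar/DNS-provider compromise produces (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

RecordKey = Tuple[str, str]            # (owner name, record type)
Snapshot = Dict[RecordKey, FrozenSet[str]]

# Types whose change redirects mail, web traffic or the whole zone.
HIGH_RISK_TYPES = {"MX", "NS", "A", "AAAA", "CNAME"}

@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    added: FrozenSet[str]
    removed: FrozenSet[str]
    severity: str

def parse_snapshot(text: str) -> Snapshot:
    """Parse 'name TYPE value' lines (';' starts a comment) into a snapshot.
    Values for one (name, type) form a set, so record order never alerts."""
    snap: Dict[RecordKey, set] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        snap.setdefault((name.lower(), rtype.upper()), set()).add(value.lower())
    return {k: frozenset(v) for k, v in snap.items()}

def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Alert]:
    """Return one Alert per (name, type) whose value set differs from baseline."""
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, frozenset()), current.get(key, frozenset())
        if old != new:
            severity = "high" if key[1] in HIGH_RISK_TYPES else "medium"
            alerts.append(Alert(key[0], key[1], new - old, old - new, severity))
    return alerts

# Constructed sample snapshots (documentation addresses, not real hosts).
BASELINE = """example.com.      NS   ns1.provider-a.example.
example.com.      NS   ns2.provider-a.example.
example.com.      MX   10 mail.example.com.
mail.example.com. A    198.51.100.10
example.com.      TXT  "v=spf1 mx -all"
"""
CURRENT = BASELINE.replace("ns1", "nsX").replace("nsX", "ns1")  # same NS set
CURRENT = CURRENT.replace("198.51.100.10", "203.0.113.5")      # mail host moved

def run_check() -> List[Alert]:
    return diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT))

if __name__ == "__main__":
    for a in run_check():
        print(f"[{a.severity}] {a.name} {a.rtype}: +{sorted(a.added)} -{sorted(a.removed)}")
```

Run it on a schedule against a signed baseline stored outside the DNS provider's reach; an alert on the mail host's A record, as in the sample, is the kind of change that would have surfaced the redirection described above within minutes rather than days.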
