Security experts at Cisco Talos have released a report detailing what it calls the \u201cfirst known case of a domain name registry organization that was compromised for cyber espionage operations.\u201d\nTalos calls ongoing cyber threat campaign \u201cSea Turtle\u201d and said that state-sponsored attackers are abusing DNS to harvest credentials to gain access to sensitive networks and systems in a way that victims are unable to detect, which displays unique knowledge on how to manipulate DNS, Talos stated.\n\nBy obtaining control of victims\u2019 DNS, the attackers can change or falsify any data on the Internet, illicitly modify DNS name records to point users to actor-controlled servers; users visiting those sites would never know, Talos reported.\u00a0\nDNS, routinely known as the Internet\u2019s phonebook, is part of the global internet infrastructure that translates between familiar names and the numbers computers need to access a website or send an email.\nThreat to DNS could spread\nAt this point Talos says Sea Turtle isn't compromising organizations in the U.S.\n\u201cWhile this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,\u201d Talos stated.\u00a0\u00a0\nTalos reports that the ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. \u201cOur investigation revealed that approximately 40 different organizations across 13 different countries were compromised during this campaign,\u201d Talos stated.\u00a0 \u201cWe assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.\u201d\nTalos says the attackers directing the Sea Turtle campaign show signs of being highly sophisticated and have continued their attacks despite public reports of their activities. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed suggesting the Sea Turtle actors are unusually brazen and may be difficult to deter going forward, Talos stated.\nIn January the Department of Homeland Security (DHS) issued an alert about this activity, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization\u2019s domain names.\nAt that time the DHS\u2019s\u00a0 Cybersecurity and Infrastructure Security Agency said in its Emergency Directive that it was tracking a series of incidents targeting DNS infrastructure. CISA wrote that it \u201cis aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.\u201d\nDNS hijacking\nCISA said that attackers have managed to intercept and redirect web and mail traffic and could target other networked services. The agency said the attacks start with compromising user credentials of an account that can make changes to DNS records.\u00a0 Then the attacker alters DNS records, like Address, Mail Exchanger, or Name Server records, replacing the legitimate address of the services with an address the attacker controls.\nTo achieve their nefarious goals, Talos stated the Sea Turtle accomplices:\n\nUse DNS hijacking through the use of actor-controlled name servers.\nAre aggressive in their pursuit targeting DNS registries and a number of registrars, including those that manage country-code top-level domains (ccTLD).\n\n\nUse Let\u2019s Encrypts, Comodo, Sectigo, and self-signed certificates in their man-in-the-middle (MitM) servers to gain the initial round of credentials.\n\n\nSteal victim organization\u2019s legitimate SSL certificate and use it on actor-controlled servers.\n\nSuch actions also distinguish Sea Turtle from an earlier DNS exploit known as DNSpionage, which Talos \u200breported\u200b on in November 2018.\nTalos noted \u201cwith high confidence\u201d that these operations are distinctly different and independent from the operations performed by DNSpionage.\u00a0\nIn that report, Talos said a DNSpionage campaign utilized two fake, malicious websites containing job postings that were used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware supported HTTP and DNS communication with the attackers.\nIn a separate DNSpionage campaign, the attackers used the same IP address to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for Transport Layer Security (TLS) free of charge to the user, Talos said.\nThe Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos said it believes the attackers have exploited multiple known common vulnerabilities and exposures (CVEs) to either gain initial access or to move laterally within an affected organization. Talos research further shows the following known exploits of Sea Turtle include:\n\nCVE-2009-1151\u200b: PHP code injection vulnerability affecting phpMyAdmin\nCVE-2014-6271\u200b: RCE affecting GNU bash system, specifically the SMTP (this was part of the \u200bShellshock\u200b CVEs)\nCVE-2017-3881\u200b: RCE by unauthenticated user with elevated privileges Cisco switches\nCVE-2017-6736\u200b: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811\nCVE-2017-12617\u200b: RCE affecting Apache web servers running Tomcat\nCVE-2018-0296\u200b: \u200bDirectory\u200b traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls\nCVE-2018-7600\u200b: RCE for Website built with Drupal, aka \u201cDrupalgeddon\u201d\n\n\u201cAs with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete,\u201d Talos stated. \u201cThe actor in question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the observed behavior of the actor, not their complete capabilities.\u201d\nTalos says that\u00a0 the Sea Turtle campaign continues to be highly successful for several reasons. \u201cFirst, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests,\u201d Talos stated.\u00a0 \u201cThe threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains.\u201d\nTalos said the attackers also used previously undisclosed techniques such as certificate impersonation. \u201cThis technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations\u2019 SSL certificates associated with security appliances such as [Cisco's Adaptive Security Appliance] to obtain VPN credentials, allowing the actors to gain access to the targeted network, and have long-term persistent\u00a0 access, Talos stated.\u00a0\nCisco Talos DNS attack mitigation strategy\nTo protect against Sea Turtle, Cisco recommends:\n\nUse a registry lock service, which will require an out-of-band message before any changes can occur to an organization's DNS record.\nIf your registrar does not offer a registry-lock service, Talos recommends implementing multi-factor authentication, such as \u200bDUO\u200b, to access your organization's DNS records.\nIf you suspect you were targeted by this type of intrusion, Talos recommends instituting a network-wide password reset, preferably from a computer on a trusted network.\nApply patches, especially on internet-facing machines. Network administrators can monitor passive DNS records on their domains to check for abnormalities.