Potential cyber-security attack on DNS infrastructure: U.S. Warning

The U.S. government is warning of a potentially disastrous cyber-security attack targeting DNS infrastructure.


The Department of Homeland Security (DHS) has not publicly disclosed which agencies have been impacted by the DNS hijacking campaign. Several cyber-security firms, including FireEye and Cisco Talos, have been warning about the risks of a global DNS hijacking campaign. On Jan. 9, FireEye stated in a report that the campaign might have the backing of organizations in Iran.

According to FireEye, its Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success. We have been tracking this activity for several months, mapping and understanding the innovative tactics, techniques and procedures (TTPs) deployed by the attacker. We have also worked closely with victims, security organizations, and law enforcement agencies where possible to reduce the impact of the attacks and/or prevent further compromises.

Initial Research Suggests Iranian Sponsorship

Attribution analysis for this activity is ongoing. While the DNS record manipulations described in this post are noteworthy and sophisticated, they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers.

  • Multiple clusters of this activity have been active from January 2017 to January 2019.
  • There are multiple, non-overlapping clusters of actor-controlled domains and IPs used in this activity.
  • A wide range of providers were chosen for encryption certificates and VPS hosts.

Preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests.
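The campaign above works by changing the DNS records of victim domains, so the first check a zone owner wants is a comparison of live records against a trusted baseline, with nameserver (NS) changes treated as the most serious because they hand the attacker the whole zone. The script below is an added example written for this page, not code from the original article or from FireEye; the zone names, addresses and the "observed" snapshot are constructed, and in practice the snapshot would come from queries against several independent resolvers.

```python
"""Added example (not from the original report): detect DNS record changes
against a trusted baseline.  All zone names, IP addresses and nameservers
below are hypothetical, constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Severity ordering: an NS change delegates the entire zone to the attacker;
# an A or MX change redirects one service (web, VPN, mail) at a time.
SEVERITY_BY_TYPE = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high"}


@dataclass(frozen=True)
class Finding:
    zone: str
    rtype: str
    expected: Tuple[str, ...]
    observed: Tuple[str, ...]
    severity: str


# Hypothetical baseline: the records the zone owner knows to be correct.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "example.org": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.example.org.", "ns2.example.org."},
        "MX": {"mail.example.org."},
    },
    "vpn.example.org": {"A": {"198.51.100.20"}},
    "portal.example.org": {"A": {"198.51.100.30"}},
}

# Hypothetical snapshot of what a resolver returned today.  Two records have
# been tampered with: the zone's NS set and the VPN host's A record.
OBSERVED: Dict[str, Dict[str, Set[str]]] = {
    "example.org": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.attacker-dns.invalid.", "ns2.attacker-dns.invalid."},
        "MX": {"mail.example.org."},
    },
    "vpn.example.org": {"A": {"203.0.113.77"}},
    "portal.example.org": {"A": {"198.51.100.30"}},
}


def compare_records(baseline: Dict[str, Dict[str, Set[str]]],
                    observed: Dict[str, Dict[str, Set[str]]]) -> List[Finding]:
    """Return one Finding per (zone, record type) whose observed RRset differs
    from the baseline.  A record type that is missing entirely is reported too,
    since an attacker may delete a record rather than replace it."""
    findings: List[Finding] = []
    for zone, rrsets in baseline.items():
        seen = observed.get(zone, {})
        for rtype, expected in rrsets.items():
            got = seen.get(rtype)
            if got is None:
                findings.append(Finding(zone, rtype, tuple(sorted(expected)),
                                        (), "missing"))
            elif set(got) != set(expected):
                findings.append(Finding(zone, rtype, tuple(sorted(expected)),
                                        tuple(sorted(got)),
                                        SEVERITY_BY_TYPE.get(rtype, "medium")))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a list of findings into the single most serious level."""
    order = ["clean", "medium", "missing", "high", "critical"]
    worst = "clean"
    for f in findings:
        if order.index(f.severity) > order.index(worst):
            worst = f.severity
    return worst


if __name__ == "__main__":
    for f in compare_records(BASELINE, OBSERVED):
        print(f"[{f.severity.upper()}] {f.zone} {f.rtype}: "
              f"expected {f.expected}, observed {f.observed}")
```

Run on the constructed snapshot, the check reports the NS delegation change on example.org as critical and the redirected A record on vpn.example.org as high, and stays silent on the untouched portal host. A real deployment would also compare the registrar's nameserver delegation and watch certificate-transparency logs for unexpected certificates on the same names, since a redirected A record is only useful to an attacker who can also terminate TLS.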
