Sea Turtle Keeps on Swimming, Finds New Victims

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html
After several months of activity, the actors behind the "Sea Turtle" DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.

Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. This new technique has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain uses that particular country code, that access was used to then compromise additional government entities. Unfortunately, unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent.
Click to expand...
This new technique once again involved modifying the target domain's name server records to point legitimate users to the actor-controlled server. In this case, the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours. In both observed cases, one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials. One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets — meaning that every entity hijacked with this technique had its own dedicated name server hostname and its own dedicated IP address.
Click to expand...
image1.png

Since our initial report, Sea Turtle has continued to compromise a number of different entities to fulfill their requirements. We have identified some of the new primary targets as:
  • Government organizations
  • Energy companies
  • Think tanks
  • International non-governmental organizations
  • At least one airport
In terms of secondary targets, we have seen very similar targets as those previously reported, such as telecommunications providers, internet service providers and one registry.
Click to expand...
 
  • +Reputation
  • Like
  • HaHa
Reactions: Gandalf_The_Grey, Andy Ful, Venustus and 2 others
You must log in or register to reply here.

Similar threads

CyberTech
    • Like
    • +Reputation
Malware News New ‘Turtle’ macOS Ransomware Analyzed
Replies
3
Views
1,489
Security News
Origami_Alpha
Origami_Alpha
silversurfer
    • +Reputation
    • Like
Security News Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams
Replies
0
Views
1,124
Security News
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records
Replies
0
Views
1,201
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top