APT Group Uses DNS Hijacking to Steal Credentials

Delaware, USA – January 11, 2019 – FireEye researchers analyzed a surge in incidents related to DNS hijacking and discovered that an unidentified APT group is using a new intrusion technique. This group attacks the government and telecommunications sector in North America, Europe and the Middle East. The researchers believe that the attackers are linked with the Iranian government, but TTPs of the group are significantly different from TTPs of all known Iranian cyberespionage groups. The attacks began at least two years ago, researchers spotted three main techniques used by adversaries in these operations. Adversaries use DNS hijacking to redirect users of companies of their interest through their servers to the necessary resources collecting usernames and passwords. To do this, they modify the company’s legitimate DNS A or NS records, at least in a few cases, the adversaries compromised the domain registrar accounts, and in some cases, they changed records on internal DNS servers.

Techniques used by cybercriminals allow them to intercept HTTPS traffic using fraudulent SSL certificates and gain access to the organization’s employee accounts. DNS hijacking is very difficult to track, and not all organizations use solutions to monitor DNS traffic. You can discover new DNS servers and receive automatic notifications on the DNS packets addressed to non-corporate DNS servers using the DNS Security Check rule pack. Also, you can use SSL Framework to track your digital certificates and their proper implementation: https://my.socprime.com/en/integrations/ssl-framework-arcsight