By Jon Munshaw
Researchers from Cisco Talos brought up the top award at this year’s Virus Bulletin conference.
Talos received the Péter Ször Award — named for the prolific security researcher who was a longtime contributor to Virus Bulletin and passed away in 2013 — for our research into several DNS-related attacks over the past year.
The award “aims to recognize the best piece of technical security research published each year,” according to Virus Bulletin, and was awarded at the annual Virus Bulletin conference last week. It is widely considered the most prestigious award in the field of threat research. Szor was one of the pioneers of malware research, publishing several original findings on threat hunting and spending time working at Symantec, McAfee and Pasteur AntiVirus. Talos researchers Paul Rascagneres and Warren Mercer were in attendance to receive the award, and also presented their research at the conference.
Virus Bulletin specifically honored Talos for the article “DNS hijacking abuses trust in core internet service,” which covered the campaign we called “Sea Turtle.” In the post, we outlined the work of a state-sponsored attacker that manipulated DNS to unknowingly send users to malicious websites.
“This research not only details the specific activities of the Sea Turtle actor, it also highlights the weak spot DNS is in the global internet infrastructure,” Martijn Grooten, the editor of Virus Bulletin, said. “Though the award is given for this specific research, one should also note that these authors are very prolific contributors to the threat intelligence conversation.”
DNS is a major foundation of the internet, and any attacks on it or manipulation of that system have the potential to undermine the trust users have in the internet. Based off this attack, we emphasized that nation-states should avoid targeting DNS as part of any cyber attacks, and called on world governments and the security industry to agree on the standard that DNS and the organizations that control it are off-limits, and to push back against any attackers that target the system.
Sea Turtle targeted public and private entities primarily located in the Middle East and North Africa, even going after national security organizations. Talos believes these attacks could have begun as early as January 2017. At least 40 different organizations across 13 countries were compromised during this campaign.
The actors behind Sea Turtle used DNS hijacking to trick users into visiting malicious websites. In these kinds of campaigns, the attackers illicitly modify DNS name records to point users to an actor-controlled server. The Department of Homeland Security even issued an alert on these kinds of attacks on Jan. 24, warning that an attacker could redirect user traffic and obtain users’ encryption certificates to then re-use inside the user’s organization’s domain names.
This wouldn’t be Talos’ only foray into the world of DNS. In July, we discovered Sea Turtle was still active, utilizing a likely new DNS hijacking technique to go after additional victims. This time, Sea Turtle compromised a country’s code top-level domain (ccTLD) registry, which manages the DNS records for every domain that uses that country’s code. They then used that access to compromise additional government entities.
DNS attacks are not going to go away any time soon, and if actors continue down this path, it could be very dangerous for the internet at large. We appreciate Virus Bulletin highlighting the importance of this research and the hard work of all our researchers who assisted with it.