New Malicious Campaign Discovered Attacking Public and Private Entities via DNS Hijacking




A new malicious campaign called "Sea Turtle," as of late discovered by researchers allegedly, is said to have been attacking public and private elements in different nations utilizing DNS hijacking as a mechanism.

Moreover the campaign is known to have compromised no less than 40 different organizations across over 13 different nations amid this vindictive campaign in the first quarter of 2019.

Since DNS hijacking is a sort of malevolent attack that redirects the users to the noxious site by altering the DNS name records when they visit the site by means of compromised routers or attackers affecting a server's settings.

The attackers helped out their work through very industrious strategies and propelled apparatuses in order to gain access to the sensitive systems and frameworks as smoothly as possible.

By focusing on two distinct groups of victims they are focusing on a third party that is known to provide services to the primary targets to effectively play out the DNS seizing. The main aim of the attackers behind "Sea Turtle" is to ultimately aim to steal the credentials so as to access the systems and frameworks in the following manner:
  1.        Via establishing a means to control the DNS records of the target.
  2.        To modifying DNS records in order to point legitimate users of the target to actor-controlled servers.
  3.        To capturing legitimate user credentials when users interacted with these actor-controlled servers.
Researchers said that they "assess” with probably high certainty that these hijacking attacks are being propelled by an advanced, state-sponsored actor hoping to get to the sensitive systems and frameworks.

To ensure against these DNS hijacking attacks, the organizations are currently attempting to execute a registry lock service, multifaceted verification (to access the DNS records), and obviously keeping up to date on the patches, particularly on the internet facing machines.



Altran Technologies, France; Smacked By A Cyber-Attack!




Reportedly, the France based Altran Technologies fell prey to a cyber-attack which attempted to smack down its operations in some of the European nations.



Last Thursday, a cyber-attack took the French engineering consultancy, Altran Technologies by storm.



This led to the organization’s closing down its It network and applications.



The firm instantly started working on a resurgence plan, making sure that it didn’t undergo much damage.



A large scale “Domain Name System” hijacking campaign is already being investigated and is subject to a lot of questioning.



This campaign is said to have wreaked havoc among a lot of government as well as commercial organizations, all across the world, cited the Britain’s National Cyber Security Center.


Attackers Targeting Dlink DSL Modem Routers ; Exploiting Them To Change The DNS Settings




A recent research has found attackers to be resorting to targeting DLink DSL modem routers in Brazil, with a specific end goal to exploit their DNS settings, which at that point enables them to redirect users endeavoring to associate with their online banks to fake banking websites that steal the client's record data.

As per the research by Radware, the exploit being utilized by the hackers enables them to effectively scan for and script the changing of a lot of vulnerable switches so the user's DNS settings point to a DNS server that is under the hacker's control.

Example of Fake Cloned Bank Site (Source: Radware)
Certificate Warning on Fake Site

At the point when the user attempts to connect to a website on the internet, they first question a DNS server to determine a hostname like www.google.com to an IP address like 172.217.11.36.
Their PC at that point associates with this IP address and starts the coveted connection. In this way by changing the name servers utilized on the router, users are diverted to fake and malignant sites without their insight and made to believe that these sites are indeed legitimate and dependable.
The pernicious URL takes the following form:

/dnscfg.cgi?dnsPrimary=&dnsSecondary=&dnsDynamic=0&dnsRefresh=1

at the point when the exploit permits unauthenticated remote configuration of DNS server settings on the modem router.

Radware’s research stated that – “The uniqueness about this approach is that the hijacking is performed without any interaction from the user, phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015 and 2016. In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that Radware is aware of currently of abuse originating from this tool."

The researcher's state that the attack is deceptive as the user is totally unaware of the change, the hijacking works without creating or changing URLs in the user's browser.

A user can utilize any browser and his/her consistent regular routes, the user can type in the URL physically or even utilize it from cell phones, for example, a smart phone or tablet, and he/she will in any case be sent to the vindictive site rather than to their requested for site since the capturing viably works at the gateway level.

Radware along these lines , recommends users to utilize the http://www.whatsmydnsserver.com/ website to check their router's configured DNS servers, with the goal that they can alone decide whether there are servers that look suspicious as they won't be relegated by their internet service provider.


Multilingual Malware Targets Android Devices for Phishing Attacks


A blog post titled 'Roaming Mantis uses DNS hijacking to infect Android smartphones' was published in April 2018, by the Kaspersky Lab, which spoke particularly about this Malware.

The malware i.e. Roaming Mantis utilizes Android malware which is intended to spread by means of DNS hijacking and targets Android gadgets specifically. This activity is said to be found for the most parts in Asia (South Korea, Bangladesh and Japan) in view of the telemetry data by the Kaspersky Lab.

Potential victims were supposedly redirected by DNS hijacking to a pernicious web page that distributed a Trojanized application spoofed Facebook or Chrome that is then installed by the users manually. The application in reality contained an Android Trojan-Banker.

Not long after their publication it was drawn out into the open that various other researchers were also additionally concentrated on this malware family. In May though, while the Roaming Mantis also known as MoqHao and XLoader, was being monitored, the scientists at the Kaspersky Lab observed some very significant changes in their M.O.

“The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition to that, the criminals also added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

According to Kaspersky Lab's researcher Suguru Ishimaru, the last crusade including Roaming Mantis was likewise dissected by the Kaspersky Lab and the discoveries were point by point in its blog post "The Roaming Mantis campaign evolved significantly in a short period of time."

The attacks have been extended to around 27 different languages including English, Hindi, Russian, Chinese, and Hebrew. Initially the malware was dispersed in five dialects only however now the range has been extended by utilizing an automatic translator. The full rundown of dialects is available here : 


Roaming Mantis is likewise said to be well-equipped for stealing private and sensitive data and necessary related  information from Apple and Android phones while cryptocurrency mining is performed by the accretion of a special script present  in the malware's HTML source code, which gets executed at whatever point the browser is opened.


Confirmed: Angry Birds website hacked by Anti-NSA Hacker

Syrian Electronic Army yesterday posted a tweet saying that one of its friend with handle "Anti-NSA" hacker defaced the Angry website.

At the time, we were not able to confirm the defacement.  No one was reported to have seen the hack.  Even the Zone-h mirror didn't confirm the defacement, displayed a message "The mirror is onhold and has not been verified yet".

So, we didn't have strong proof to report the hack.  Today,  Rovio, creator of angry birds, confirmed that the defacement was there for few minutes and corrected immediately.  Now, the Zone-h record also confirmed it.

Antti Tikkanen, Director of Security Response at F-Secure Labs, said in twitter that the attack is actually 'DNS Hijack attack'. He mentioned that the website itself not touched by the hacker; hacker managed to modify the DNS records.

He also said that the angrybirds website pointed to some IP address(31.170.165.141) assoicated with Lithuania for at least one hour.  The same IP address shown in the Zone-h record(https://www.zone-h.org/mirror/id/21666969).

The hack comes after the angry birds application is said to be used by NSA and GCHQ to spy on people. 

New service will protect Hong Domains(.hk) from DNS Hijacking


We have recently seen several DNS Hijacking attacks. Hackers had defaced several high profile domains including Google, facebook.

Hackers normally attempt to obtain login details for the Domain admin panel through various method including Social Engineering attack.  If he succeeds, he will change the DNS records fort the websites.

By modifying DNS records, hacker can deface the website or redirect to any other malicious websites.

To make an end to such kind of attacks, a new " registry-lock" service has been launched by Hong Kong domain registrar.

"We are putting back the human factor in the verification process," South China Morning Post quoted the Internet Registration Corporation head Jonathan Shea Tat-on as saying.

The new service will require telephone call verification in order to make any changes to the existing DNS records.  Only up to three persons can be authorized to modify the records.  In addition, the server will be unlocked for just 15 minutes each time.  These options are believed to be security measures that will remove the existing loopholes in automation. 

MYNIC says the Google Malaysia DNS hijack is done through Reseller’s account

We recently learned that Google Malaysia main page was defaced via DNS hijacking. Malaysian Registrar MYNIC has published a statement saying the DNS hijack is done through one of their Reseller's account.

"We can assure there is no customer’s content, password information and other personal information affected by the redirect" Hasnul Fadhly Hasan, Chief Executive Officer (CEO) of MYNIC said in their official blog post.

MYNIC says it is "undertaking all necessary measures to monitor the situation and prevent further related issues".

Hasnul said that various security measures have taken place on MYNIC’s infrastructure since the first incident on 1st July 2013. The investigation shows their system is not compromised after the incident.

"However, this time around, the group manipulated reseller's account management. MYNIC’s next course of action is to immediately improve resellers’ security on account management" Hasnul added.