What is the Sea Turtle attack?
It is not an attack by a vicious sea turtle on a human invading its territory. Sea Turtle is not like any other DNS hijacking or poisoning attack; it has been labeled a new breed of campaign, more refined than its predecessors.
How is it different from other DNS hijacking attacks?
- The main focus of the attack is the third-party DNS provider of the targeted domain.
- The victims are specific groups of entities, such as national security organizations, ministries of foreign affairs, and prominent energy organizations; a second group of victims consists of numerous DNS registrars, telecommunication companies, and internet service providers.
- The actors take control of the entire infrastructure, employing highly persistent tactics and unconventional tools.
- It did not spare public DNS; private DNS entries were also a point of failure, regardless of geographical location.
How does the threat actor perform the attack?
- The attacker acquired administrator network credentials to change, manipulate, and forge DNS records.
- The attacker employed another approach through Extensible Provisioning Protocol (EPP) keys, which are used to change any of the DNS records controlled by the domain registrar that sells the domain names.
- The attacker gained initial access to an entity, bypassing its security controls.
- The attacker can now steer the compromised network to carry out their main objectives.
- The attacker exfiltrated resources out of the compromised network.
- By this time the attacker can access the DNS registry, as they already hold the compromised credentials.
- The name servers are now compromised, as the attacker can issue commands to them via a terminal.
- The victim sent a DNS request for a targeted domain and received a response from the actor-controlled server.
- The actor-controlled server sent a fake “A” record pointing to the man-in-the-middle (MitM) server.
- Victims are now lured into entering their credentials through the MitM server.
- The attacker harvested the victim’s credentials from the MitM server, which impersonates the now-compromised DNS server.
- The attacker then passed the victim’s credentials on to the legitimate service.
- The attacker is now able to authenticate, as they impersonate the victim.
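As an added illustration (not code from the original article), here is the defender-side check that catches the two changes described above: a baseline comparison that flags an altered NS set or A record at the registrar or name server, and a cross-vantage-point comparison that spots a forged answer served only on some resolution paths. All record values, domain names and vantage-point labels are constructed samples.

```python
"""Baseline drift check for DNS records: the defender-side view of the hijack above,
where a forged A record or an unexpected name server differs from a known-good baseline."""
from typing import Dict, List, Set, Tuple

RRSets = Dict[str, Dict[str, Set[str]]]  # owner name -> record type -> rdata set
Finding = Tuple[str, str, str, Set[str], Set[str]]  # source, name, type, expected, observed
# Known-good records, exported from the registrar/DNS provider and kept out of
# band. Constructed sample values from the RFC 5737 / RFC 2606 reserved ranges.
BASELINE: RRSets = {
    "example.com.": {"A": {"192.0.2.10"}, "NS": {"ns1.example.net.", "ns2.example.net."}},
    "mail.example.com.": {"A": {"192.0.2.25"}},
}

# Constructed answers as if collected from two vantage points: the zone's own
# authoritative server and a public recursive resolver. The NS set was changed
# at the registrar (both see it); the forged A record is served on one path only.
SAMPLE_ANSWERS: Dict[str, RRSets] = {
    "authoritative": {
        "example.com.": {"A": {"192.0.2.10"}, "NS": {"ns1.example.net.", "ns9.unexpected.example."}},
        "mail.example.com.": {"A": {"192.0.2.25"}},
    },
    "public-resolver": {
        "example.com.": {"A": {"192.0.2.10"}, "NS": {"ns1.example.net.", "ns9.unexpected.example."}},
        "mail.example.com.": {"A": {"198.51.100.7"}},  # forged A pointing at the MitM host
    },
}

def compare_to_baseline(baseline: RRSets, answers: Dict[str, RRSets]) -> List[Finding]:
    """Flag every answer whose rdata set differs from the baseline. A change made at
    the registrar or on the name server itself is visible from every vantage point."""
    findings: List[Finding] = []
    for source, zone in answers.items():
        for name, rrsets in zone.items():
            for rtype, observed in rrsets.items():
                expected = baseline.get(name, {}).get(rtype)
                if expected is not None and observed != expected:
                    findings.append((source, name, rtype, expected, observed))
    return findings

def vantage_points_disagree(answers: Dict[str, RRSets], name: str, rtype: str) -> bool:
    """True when vantage points return different rdata for the same name and type:
    the signature of a hijack that only some resolution paths see."""
    seen = {frozenset(z.get(name, {}).get(rtype, ())) for z in answers.values()}
    seen.discard(frozenset())  # a vantage point with no answer is not a disagreement
    return len(seen) > 1

if __name__ == "__main__":
    for source, name, rtype, exp, got in compare_to_baseline(BASELINE, SAMPLE_ANSWERS):
        print(f"[{source}] {name} {rtype}: expected {sorted(exp)}, got {sorted(got)}")
    print("mail A disagrees:", vantage_points_disagree(SAMPLE_ANSWERS, "mail.example.com.", "A"))
```

In practice the baseline is the record set you exported from the registrar and DNS provider, and the answers come from querying each name from several resolvers on a schedule; a registrar-level change shows up as baseline drift everywhere, while a poisoned answer shows up as disagreement between vantage points.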
How can we avoid DNS hijacking?
A VPN service alone can put a stop to a DNS hijacking attempt, as it is trusted and consistent. It is also recommended that you use good security software that keeps out malware such as DNS changers; a hardware-based firewall appliance is the best choice and is recommended. If you think you are already infected or compromised, it is better to delete the contents of the HOSTS file and reset it. After doing this, go ahead and use an anti-malware tool to get rid of the DNS Changer.