Over the last year and a half we have been researching some interesting traffic destined for Saudi Arabian Government and commercial entities domains. During the same time suspicious DNS changes were also observed on Israeli domains as well as some incidents in the UAE.
While these attacks are not all related, it is believed that the same techniques have been used to pull off some of this activity.
Back in November, several security firms started reporting on this DNS activity. What is interesting is that Jigsaw Security reported on it back in 2017 and it mostly fell on deaf ears, except among our Jigsaw-protected customers, who started telling us that our DNS RPZ servers were blocking access to legitimate Saudi Arabian Government websites; that was the first indicator that there was a problem.
Shortly after being alerted in 2017 to the issue with the Saudi Arabian sites, we started noticing reports of the same thing at Israeli Internet service providers that were hosting content for companies in some EU and Middle Eastern countries as well as a few Australian companies. The hosting provider sells highly secured servers used by companies to ensure financial transactions can be processed securely.
The DNS and CDN activity points to legitimate programs being backdoored, after which DNS and CDN locations are modified to steer legitimate users of popular open source software to the malware-infected packages, which we assume were loaded into CDN networks by the malicious actors. We have been tracking literally hundreds of locations where this is occurring and we believe that specific countries are sponsoring and carrying out this activity.
The latest attacks indicate that Saudi Arabian Government and Banking apparatus is being targeted and also political targets in other middle eastern countries.
The Talos blog reported that there are 40 affected organizations but that number is closer to 4000 and they are not all located just in the countries reported by Talos, DHS or other security researchers covering this topic. A list of US organizations has been generated in the Jigsaw Security Threat Intelligence platform and we will continue to monitor and track this activity for our customers, one of which was able to prevent their mail server from being targeted by forcing their users to use their trusted DNS server that is running with Jigsaw Security RPZ protection and Heuristics models.
We take offense at the following in the reporting:
Most intrusion monitoring and prevention systems aren’t designed to monitor or log DNS requests.
The statement provided by Talos is not true. In fact that is exactly what our intrusion monitoring and prevention system does, and it is why we are picking up these attacks while the industry is asleep at the wheel.
The Jigsaw Security FirstWatch sensor is DNS-based, with heuristic detection of malicious content when the span port option is enabled. All of the traffic monitoring in the world won't stop an attack at the DNS level, but our system can detect things like changing destinations and more.
One of the best ways to find threats is through DNS since all systems on a network use it, and you can validate that the information received is correct (with a slight delay for validation) and prevent these types of attacks.
These directives DO NOT prevent foreign countries from attacking the DNS infrastructure as they ignore the "directives". Nor are companies equipped to even be able to detect these attacks let alone stop them.
We have continued to report these issues but it seems as though everybody is more interested in trying to prevent connections to stale and old Indicators of Compromise instead of using technology that detects and stops this type of malicious activity. Until we can get others to understand that the very fabric of the Internet is being hacked to pieces by malicious actors, we can fully expect more of these attacks. With the exception of Jigsaw Security's solution, the only other company that we know with a product that can mitigate these issues is Damballa's DNS solution.
Historical DNS lists may not catch this
One of the things we noticed when researching this issue is that many of the attacked domains have very short TTL values. This is one of the things we validate before allowing a connection. We observed several domains' IP addresses change 20 times in an hour. Unless you have a valid reason for moving your web servers 20 times in an hour, this should never occur.
Several of the domains' DNS records were checked to see if historical data picked up on the activity, and it did not, because the periods of activity are very short. In addition there is no indicator that anything is wrong, because the servers where the redirection occurs transparently proxy the end users to the actual servers (while capturing credentials).
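The two checks described above (validating answers before allowing a connection, and treating very short TTLs and rapid answer changes as a warning sign) can be run over resolver observations offline. The following is an added example, not Jigsaw Security's code: it groups constructed DNS observations by name, computes the minimum TTL and the highest number of answer-set changes seen in any 60-minute window, flags names that exceed assumed thresholds, and emits RPZ records that would return NXDOMAIN for the flagged names. The names, addresses, timestamps and thresholds are all constructed assumptions for the illustration.

```python
"""Flag DNS churn: short TTLs and rapidly changing answers.

Added example, not code from the original post. All observations below are
constructed sample data; MIN_SANE_TTL and MAX_CHANGES_PER_HOUR are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_SANE_TTL = 300        # assumption: under 5 minutes is unusual for a static web host
MAX_CHANGES_PER_HOUR = 5  # assumption: more than this in an hour is treated as suspicious


def _churn_rows(name, start, count, ttl):
    """Constructed observations whose answer flips between two addresses every 2 minutes."""
    rows = []
    for i in range(count):
        ts = (start + timedelta(minutes=2 * i)).isoformat()
        ip = "203.0.113.10" if i % 2 == 0 else "198.51.100.7"
        rows.append((ts, name, {ip}, ttl))
    return rows


# Constructed observations: (UTC timestamp, queried name, A-record answers, TTL seconds).
# "portal.bank.example" behaves like the hijacked domains described above (TTL 30 s,
# 20 answer changes inside one hour); "cdn.static.example" is a stable control.
OBSERVATIONS = _churn_rows("portal.bank.example", datetime(2019, 1, 15, 10, 0), 21, 30) + [
    ("2019-01-15T10:00:00", "cdn.static.example", {"192.0.2.44"}, 3600),
    ("2019-01-15T11:00:00", "cdn.static.example", {"192.0.2.44"}, 3600),
    ("2019-01-15T12:00:00", "cdn.static.example", {"192.0.2.44"}, 3600),
]


def change_times(obs):
    """Timestamps at which the answer set differs from the previous observation."""
    times, prev = [], None
    for ts, answers, _ttl in obs:
        if prev is not None and answers != prev:
            times.append(ts)
        prev = answers
    return times


def max_changes_per_hour(times):
    """Largest number of changes falling inside any sliding 60-minute window."""
    window = timedelta(hours=1)
    best = 0
    for i, t in enumerate(times):
        j = i
        while j >= 0 and t - times[j] <= window:
            j -= 1
        best = max(best, i - j)
    return best


def analyse(rows):
    """Return per-name statistics and the flags raised against each name."""
    by_name = defaultdict(list)
    for ts, name, answers, ttl in rows:
        by_name[name].append((datetime.fromisoformat(ts), frozenset(answers), ttl))
    report = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o[0])
        min_ttl = min(ttl for _, _, ttl in obs)
        churn = max_changes_per_hour(change_times(obs))
        flags = []
        if min_ttl < MIN_SANE_TTL:
            flags.append("short-ttl")
        if churn > MAX_CHANGES_PER_HOUR:
            flags.append("rapid-ip-change")
        report[name] = {"min_ttl": min_ttl, "max_changes_per_hour": churn, "flags": flags}
    return report


def rpz_records(report):
    """RPZ zone lines for flagged names: CNAME to '.' yields NXDOMAIN for the name and its subdomains."""
    lines = []
    for name in sorted(report):
        if report[name]["flags"]:
            lines.append(f"{name} CNAME .")
            lines.append(f"*.{name} CNAME .")
    return lines


if __name__ == "__main__":
    result = analyse(OBSERVATIONS)
    for name, stats in result.items():
        print(name, stats)
    print("\n".join(rpz_records(result)))
```

In a real deployment the observations would come from resolver query logs or passive DNS, and a name that trips either flag would be held for re-validation (a second lookup after a short delay, as the post describes) before its answers are trusted or the RPZ entry is pushed to the serving resolvers.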
Is this activity still occurring?
Yes it's still going strong. As of today there were over 4000 domains targeted all over the world. The complete list is available in the Jigsaw Security Analytic Platform data set and is available to subscribers.
One of the issues with these attacks is that they are hard to spot using firewalls and IDS devices. DNS is inherently trusted by network devices, and therein lies the problem: that is how this has been carried out for so long without detection. Historical data shows smaller instances where individual companies were targeted, but this is the first time we have seen transparent proxying with Let's Encrypt used to fake certificates, as well as CDN misdirection, which we have been reporting on well before these latest rounds of reports.
Subscribers of the Jigsaw Security threat intelligence feeds and RPZ subscribers are NOT affected by this activity.