
Baddies linked to Iran fingered for DNS hijacking to read Middle Eastern regimes' emails

'Almost unprecedented' attacks use the old man-in-the-middle diddle – infoseccers


Infosec biz FireEye has suggested Iran may be responsible for what it claims are DNS hijacking attacks aimed at snooping on the contents of Middle Eastern governments' email inboxes.


The firm's incident response and intelligence teams said they had spotted miscreants logging into pxy1, described as "a proxy box used to conduct non-attributed browsing and as a jumpbox to other infrastructure".

From there they were seen to use previously stolen DNS admin creds to change basic DNS A records to point to IP addresses the bad actors controlled, establishing a man-in-the-middle setup. The researchers said the crew used a load balancer to ensure the technique passed through genuine web traffic, helping keep it invisible to users.

A Let's Encrypt free SSL certificate was used to get around any problems with mismatched certificates in the instances highlighted by FireEye. The company did point out that it had also seen "multiple Domain Control Validation providers being utilised as part of this campaign" so that particular part of the attack is not solely dependent upon Let's Encrypt certs.

FireEye said it had also watched the manipulators using broadly similar techniques to fiddle with DNS nameservers, with the same ultimate aim of getting their hands on the contents of targets' email inboxes.
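The two techniques above (rewriting a host's A record to an attacker-controlled address while obtaining a fresh certificate for it, and swapping the nameserver delegation) both leave traces that a zone owner can watch for. The script below is an added illustration, not FireEye's tooling or anything from its report: it diffs a change-controlled baseline of A records, NS records and expected certificate issuers against a freshly observed snapshot, and escalates to "critical" when an A-record redirect and an unexpected issuer coincide on one host, which is the combination the article describes. All domains, addresses and issuer names are constructed sample data; in a real deployment the snapshot would be filled from periodic queries against several public resolvers and a Certificate Transparency log search.

```python
"""Baseline-drift detector for DNS A/NS records and TLS certificate issuers.

Added example, not FireEye's code. Compares a trusted baseline against an
observed snapshot and reports each deviation. All data below is constructed.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, FrozenSet, List

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    domain: str
    kind: str                 # "A", "NS", "CERT" or "MISSING"
    expected: FrozenSet[str]
    observed: FrozenSet[str]
    severity: str


# Trusted baseline (constructed). Generate it out-of-band, e.g. from the zone
# files in version control, never from live resolver answers.
BASELINE: Dict[str, dict] = {
    "mail.example.gov": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.example.gov", "ns2.example.gov"},
        "cert_issuers": {"Example Gov CA"},
        "allowed_prefixes": ["198.51.100.0/24"],
    },
    "www.example.gov": {
        "A": {"198.51.100.20"},
        "NS": {"ns1.example.gov", "ns2.example.gov"},
        "cert_issuers": {"Example Gov CA"},
        "allowed_prefixes": ["198.51.100.0/24"],
    },
    "vpn.example.gov": {
        "A": {"198.51.100.30"},
        "NS": {"ns1.example.gov", "ns2.example.gov"},
        "cert_issuers": {"Example Gov CA"},
        "allowed_prefixes": ["198.51.100.0/24"],
    },
}

# Observed snapshot (constructed). In practice: resolver queries plus a
# Certificate Transparency log search for each monitored name.
SNAPSHOT: Dict[str, dict] = {
    # A record now points outside the organisation's range and a certificate
    # from an issuer the organisation never uses has been logged.
    "mail.example.gov": {
        "A": {"203.0.113.45"},
        "NS": {"ns1.example.gov", "ns2.example.gov"},
        "cert_issuers": {"Example Gov CA", "Let's Encrypt"},
    },
    "www.example.gov": {
        "A": {"198.51.100.20"},
        "NS": {"ns1.example.gov", "ns2.example.gov"},
        "cert_issuers": {"Example Gov CA"},
    },
    # Nameserver delegation changed to a host the organisation does not run.
    "vpn.example.gov": {
        "A": {"198.51.100.30"},
        "NS": {"ns1.example.net"},
        "cert_issuers": {"Example Gov CA"},
    },
}


def _outside_prefixes(addrs, prefixes):
    """Return the addresses not covered by any allowed prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return {a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)}


def check_domain(domain: str, expect: dict, seen: dict) -> List[Finding]:
    """Compare one host's observed records against its baseline entry."""
    out: List[Finding] = []
    if _outside_prefixes(seen["A"], expect["allowed_prefixes"]):
        out.append(Finding(domain, "A", frozenset(expect["A"]), frozenset(seen["A"]), "high"))
    if set(seen["NS"]) != set(expect["NS"]):
        out.append(Finding(domain, "NS", frozenset(expect["NS"]), frozenset(seen["NS"]), "high"))
    unexpected = set(seen["cert_issuers"]) - set(expect["cert_issuers"])
    if unexpected:
        out.append(Finding(domain, "CERT", frozenset(expect["cert_issuers"]), frozenset(unexpected), "medium"))
    # A redirected A record together with a cert from an unexpected CA is the
    # man-in-the-middle pattern described in the article: escalate both.
    if {"A", "CERT"} <= {f.kind for f in out}:
        out = [Finding(f.domain, f.kind, f.expected, f.observed, "critical") for f in out]
    return out


def detect_drift(baseline: Dict[str, dict], snapshot: Dict[str, dict]) -> List[Finding]:
    """Run check_domain over every baselined host; flag hosts that vanished."""
    findings: List[Finding] = []
    for domain, expect in baseline.items():
        seen = snapshot.get(domain)
        if seen is None:
            findings.append(Finding(domain, "MISSING", frozenset(), frozenset(), "medium"))
            continue
        findings.extend(check_domain(domain, expect, seen))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    """Worst severity across all findings, "none" when there are no findings."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


if __name__ == "__main__":
    for f in detect_drift(BASELINE, SNAPSHOT):
        print(f"[{f.severity:8}] {f.domain:18} {f.kind:4} "
              f"expected={sorted(f.expected)} observed={sorted(f.observed)}")
```

The A-record check deliberately tests address ranges rather than exact values, so routine re-addressing inside the organisation's own prefix does not page anyone, while a redirect to a foreign address does. The certificate check is what makes the A-record alert actionable: a domain-validated certificate obtained by whoever controls the record at that moment is exactly why a hijack of this kind produces no browser warning, so an issuer the organisation has never used appearing in CT logs deserves the same priority as the record change itself.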

"While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran," mused FireEye in its blog post about the research.

The firm said that while it "suggested" people in Iran were involved with "moderate confidence", based on geolocation of IP addresses, the attack techniques "may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers".

It also noted that "the activity aligns with Iranian government interests".

Those same IPs, however, "were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors".

Iran, like other pariah states throughout the world, has some capable cyber-folk working for it. Back in August last year a potential BGP hack routed messages from chat app Telegram through Iran, while a staggering failure of basic opsec techniques helped Iranian counter-espionage units round up and neutralise American spies operating in their country – all thanks to a Google search. ®
