Cisco has warned that state-backed hackers are attempting to manipulate the Domain Name System (DNS) by using a combination of spear phishing and a number of known software flaws.
"DNS is a foundational technology supporting the internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system," the Cisco Talos researchers said.
Over the past two years, the so-called Sea Turtle group has hacked numerous DNS registrars and registries to carry out DNS hijacking attacks against national security organizations and government agencies. The attacks have impacted 40 organizations in 13 countries.
Among the flaws are ones revealed in WikiLeaks' 2017 Vault7 leak of CIA hacking tools. Thanks to the Vault7 leak, Cisco found the critical remote code execution bug CVE-2017-3881 in its widely-deployed IOS and IOS XE network software that affected over 300 switch models, many of them from its Catalyst brand.
The networking company has bumped the 2017 warning back up to the top of its security advisories page with a note that it had new information about the flaw's exploitation by this state-sponsored hacking group.
Part of the attack involved impersonating VPN apps, such as Cisco Adaptive Security Appliance (ASA) products, to acquire VPN credentials in order to remotely access a target's network. The attackers used DNS hijacking to redirect traffic and capture legitimate SSL certificates.
"One notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would allow the threat actors to harvest additional VPN credentials," explained Talos researchers.
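As an added defender-side illustration (not code from Cisco Talos or the report), the check below compares what an external vantage point currently sees for a host against a recorded baseline and flags the three signs described above: an unexpected nameserver delegation, an A record pointing somewhere new, and a changed TLS certificate. All hosts, addresses and fingerprints are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Known-good state recorded when the zone and certificate were last verified."""
    ns: frozenset        # authoritative nameservers delegated at the registrar
    a: frozenset         # A records the host is expected to resolve to
    cert_sha256: str     # SHA-256 fingerprint of the leaf certificate
    cert_issuer: str     # issuer the organisation normally obtains certs from


@dataclass(frozen=True)
class Observation:
    """What an external resolver and TLS client see for the same host right now."""
    ns: frozenset
    a: frozenset
    cert_sha256: str
    cert_issuer: str


def hijack_indicators(host, base, obs):
    """Return (kind, message) findings; an empty list means nothing deviates from baseline."""
    findings = []
    unexpected_ns = obs.ns - base.ns
    if unexpected_ns:  # delegation changed: registrar/registry account may be compromised
        findings.append(("NS", f"{host}: delegation now includes {sorted(unexpected_ns)}"))
    unexpected_a = obs.a - base.a
    if unexpected_a:   # answers point outside the baseline: traffic may be redirected
        findings.append(("A", f"{host}: resolves to {sorted(unexpected_a)}"))
    if obs.cert_sha256 != base.cert_sha256:  # new cert, possibly issued to whoever controls DNS
        note = f"{host}: leaf certificate changed"
        if obs.cert_issuer != base.cert_issuer:
            note += f"; issuer is now {obs.cert_issuer!r}"
        findings.append(("TLS", note))
    return findings


# Constructed sample data (hypothetical hostnames, documentation IP ranges, dummy hashes).
BASELINE = Baseline(ns=frozenset({"ns1.example.net.", "ns2.example.net."}),
                    a=frozenset({"192.0.2.10"}), cert_sha256="aa" * 32,
                    cert_issuer="Example Internal CA")
NORMAL = Observation(ns=BASELINE.ns, a=BASELINE.a,
                     cert_sha256=BASELINE.cert_sha256, cert_issuer=BASELINE.cert_issuer)
HIJACKED = Observation(ns=frozenset({"ns1.example.net.", "ns-rogue.example.org."}),
                       a=frozenset({"198.51.100.7"}), cert_sha256="bb" * 32,
                       cert_issuer="Some Public CA")

if __name__ == "__main__":
    for label, obs in (("normal", NORMAL), ("hijacked", HIJACKED)):
        print(label, hijack_indicators("vpn.example.com", BASELINE, obs))
```

In practice the observation would be collected from several independent resolvers and TLS clients on a schedule, since a hijacked delegation can be reverted after the certificate has been obtained.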
Talos lists seven known vulnerabilities associated with the campaign, including: CVE-2017-3881, the remote code execution (RCE) bug for Cisco switches mentioned above; CVE-2017-6736, affecting Cisco's Integrated Services Router 2811; and CVE-2018-0296, a directory traversal that gives access to Cisco ASA devices and firewalls.
The attackers also used a Drupalgeddon flaw against the Drupal CMS, an RCE affecting GNU bash, and a code injection flaw affecting phpMyAdmin.
"We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems," the researchers noted.
Talos also says the Sea Turtle activities are separate from the DNSpionage campaign it revealed in late 2018, which prompted an emergency directive in February from the Department of Homeland Security.