DNSpionage DNS Hijacking Campaign

A new large-scale Domain Name System (DNS) hijacking campaign, known as DNSpionage, has been observed targeting government, infrastructure and telecommunications organisations.

Report a cyber attack: call 0300 303 5222 or email [email protected]


Threat details

Believed to be operated by an unaffiliated advanced persistent threat group, the campaign originally targeted specific organisations throughout the Middle East, but has now been seen in incidents across Europe, North Africa and North America as well.

DNSpionage uses three techniques to compromise domains:

  • DNS A record hijacking - The threat actors use previously compromised credentials to access the DNS provider's administration tools and alter the target domain's A record so that it points to a threat actor-owned IP address. They then set up a proxy that mirrors the target domain, together with a load balancer that passes traffic on from the original IP address to the new one. Finally, a new TLS certificate for the domain is issued through Let's Encrypt so that browser security warnings do not alert users.
  • DNS NS record hijacking - Functionally similar to the first technique, except that the threat actors exploit a previously compromised country-code top-level domain (ccTLD) or registrar to alter the NS records rather than the A record.
  • DNS redirection - The third technique uses the altered A and NS records to redirect users. When a DNS request arrives at an actor-controlled IP address, it is redirected to the actor's proxy; requests sent to a legitimate DNS server are passed on to the legitimate address.

Once the threat actors control the relevant DNS records, they may use the affected domains to host malicious files or content, perform man-in-the-middle attacks, collect user credentials, or redirect users to actor-controlled infrastructure for further compromise.

Update

A new tool, known as Karkoff, has been observed being installed during active DNSpionage campaigns. Believed to have been created by the same group behind DNSpionage, it allows the attacker to execute code remotely on affected systems.


Remediation steps

DNSpionage can be difficult to detect or defend against as it often does not require direct access to a target's network. Organisations should take the following steps to prevent or mitigate DNS hijacking attempts:

  • Implement multi-factor authentication for their domain administration tools.
  • Validate their A and NS records regularly.
  • Revoke any suspicious or malicious TLS certificates related to their domains.
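The second step, regular validation of A and NS records, can be automated by comparing the answers a resolver returns against a known-good baseline. The following is an added example, not code from this advisory or from any DNSpionage report; the domain, addresses and name servers are constructed placeholders, and the answer lines stand in for the answer section of a `dig` query so that the check runs offline.

```python
"""Baseline comparison of published DNS A and NS records, as a defender would
run it on a schedule to spot A/NS record tampering of the kind described above."""

# Constructed baseline: the records the organisation expects to be published.
BASELINE = {
    "mail.example.org.": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.example.org.", "ns2.example.org."},
    },
}

# Constructed sample answers in "name TTL class type rdata" form, mirroring the
# answer section of `dig`. One extra A record and one swapped NS record are
# included to show what a hijack of each kind looks like to the check.
OBSERVED_ANSWERS = """\
mail.example.org. 300 IN A 203.0.113.10
mail.example.org. 300 IN A 198.51.100.77
mail.example.org. 3600 IN NS ns1.example.org.
mail.example.org. 3600 IN NS ns-rogue.example.net.
"""


def parse_answers(text):
    """Group answer lines into {name: {rtype: set(rdata)}}, normalising case."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # skip blank lines, comments and anything not a DNS answer
        name, rtype, rdata = parts[0].lower(), parts[3].upper(), parts[4].lower()
        records.setdefault(name, {}).setdefault(rtype, set()).add(rdata)
    return records


def check_records(baseline, observed):
    """Return (name, rtype, 'unexpected'|'missing', [rdata...]) findings.

    'unexpected' values are the ones that matter most: an A record pointing at
    an address the organisation never published, or an NS record delegating the
    zone to a name server it does not operate."""
    findings = []
    for name, expected_types in baseline.items():
        seen = observed.get(name, {})
        for rtype, expected in expected_types.items():
            got = seen.get(rtype, set())
            if got - expected:
                findings.append((name, rtype, "unexpected", sorted(got - expected)))
            if expected - got:
                findings.append((name, rtype, "missing", sorted(expected - got)))
    return findings


if __name__ == "__main__":
    for finding in check_records(BASELINE, parse_answers(OBSERVED_ANSWERS)):
        print(*finding)
```

In practice the observed answers should be fetched from more than one vantage point (the authoritative servers directly as well as public resolvers), since an NS hijack can leave the organisation's own servers answering correctly while the rest of the internet is delegated elsewhere.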

Last edited: 14 February 2020 2:45 pm