Sea Turtle DNS Hijacking Campaign
Cisco Talos researchers published an analysis of a DNS Hijacking campaign, named “Sea Turtle”, targeting national security organizations in the Middle East and North Africa.
In this campaign, the threat actors compromised a network primarily through exploiting known vulnerabilities in phpMyAdmin, Drupal, Apache, and more. After obtaining access to the network the attackers would move laterally in the network and harvest credentials.
Once the appropriate credentials were obtained, they would login into the DNS registry and update the settings to point any DNS requests destined for the target domain to an attacker controlled name server instead. The attacker’s infrastructure was made up of man-in-the-middle servers impersonating legitimate services.
Users would be directed to these spoofed web pages that harvest any entered credentials and then redirect the user to the legitimate service in order to avoid detection. Additionally, attackers stole SSL certificates from the compromised network in order to compromise additional credentials. The researchers note that these threat actors are highly capable and sophisticated, and their targeting of DNS registries and registrars shows an aggressive approach.
Further details, read the full report here.
Indicators of Compromise
Note : The threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor.
| IP address | Month | Year |
| 199.247.3.191 | November | 2018 |
| 37.139.11.155 | November | 2018 |
| 185.15.247.140 | January | 2018 |
| 206.221.184.133 | November | 2018 |
| 188.166.119.57 | November | 2018 |
| 185.42.137.89 | November | 2018 |
| 82.196.8.43 | October | 2018 |
| 159.89.101.204 | December – January | 2018-2019 |
| 146.185.145.202 | March | 2018 |
| 178.62.218.244 | December – January | 2018-2019 |
| 139.162.144.139 | December | 2018 |
| 142.54.179.69 | January – February | 2017 |
| 193.37.213.61 | December | 2018 |
| 108.61.123.149 | February | 2019 |
| 212.32.235.160 | September | 2018 |
| 198.211.120.186 | September | 2018 |
| 146.185.143.158 | September | 2018 |
| 146.185.133.141 | October | 2018 |
| 185.203.116.116 | May | 2018 |
| 95.179.150.92 | November | 2018 |
| 174.138.0.113 | September | 2018 |
| 128.199.50.175 | September | 2018 |
| 139.59.134.216 | July – December | 2018 |
| 45.77.137.65 | March – April | 2019 |
| 142.54.164.189 | March – April | 2019 |
| 199.247.17.221 | March | 2019 |
| Domain | Active Timeframe | IP address |
| ns1[.]intersecdns[.]com | March – April 2019 | 95.179.150.101 |
| ns2[.]intersecdns[.]com | March – April 2019 | 95.179.150.101 |
| ns1[.]lcjcomputing[.]com | January 2019 | 95.179.150.101 |
| ns2[.]lcjcomputing[.]com | January 2019 | 95.179.150.101 |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.