US locks down the cyber security of federal agencies after the Iranian DNS cyber attacks. DHS issued 2 security alerts, urging agencies to secure the login credentials for their internet domain records
The United States reacts to the recent DNS cyber attacks by Iranian hackers by locking down the cyber security of the federal administrations. The Department of Homeland Security (DHS) issued two “emergency” security alerts (1,2) urging federal civilian agencies to secure the login credentials for their respective internet domain records. According to HackerCombat, in the statement DHS says that managers need to audit DNS records for unauthorized edits, update their passwords, and turn on multi-factor authentication for all accounts through which DNS records could be altered. Agencies have two weeks to implement the directives. Cyberscoop reported that the Department is aware of at least six civilian agency domains that have been impacted by DNS hijacks.
The US Department of Homeland Security security alerts on the Iranian cyber attack campaign
“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering,” the DHS statement reports. “CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them. Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services”.
How the malicious hackers hijacked DNS to obtain valid encryption certificates for an organization’s domain names and redirect traffic to be decrypted, exposing any user-submitted data
“The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records,” the DHS cyber security alert continues. “Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”
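The two checks the directive asks agencies to perform, auditing DNS records for unauthorized edits and watching for certificates issued against the hijacked names, can both be run offline against exported data. The script below is an added example, not code from DHS, CISA or the reporting outlets. The zone snapshots, the certificate entries, the domain example.gov, the fingerprints and the CA names are all constructed for illustration; in practice the "current" snapshot would come from the registrar or DNS provider export and the certificate list from a Certificate Transparency monitor.

```python
"""Offline DNS-tampering audit: zone drift against a baseline, plus unexpected
certificates covering the organization's names. Added example; all data below is
constructed, not taken from any real agency zone or CT log."""
from dataclasses import dataclass

# Baseline: what the organization's change records say the zone should contain.
BASELINE = {
    ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov.", "A"): {"203.0.113.10"},
    ("example.gov.", "MX"): {"10 mail.example.gov."},
    ("mail.example.gov.", "A"): {"203.0.113.25"},
    ("www.example.gov.", "A"): {"203.0.113.10"},
}

# Current: a fresh export of the same zone (constructed). The MX now points at a
# host the organization does not own, one NS record has been swapped out, and a
# record appears that was never in the baseline.
CURRENT = {
    ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.badhost.example."},
    ("example.gov.", "A"): {"203.0.113.10"},
    ("example.gov.", "MX"): {"10 mx.badhost.example."},
    ("mail.example.gov.", "A"): {"203.0.113.25"},
    ("www.example.gov.", "A"): {"203.0.113.10"},
    ("vpn.example.gov.", "A"): {"198.51.100.7"},
}

# NS drift is rated critical: whoever controls the delegation can rewrite every
# other record and pass any DNS-based domain validation a CA performs.
SEVERITY = {"NS": "critical", "A": "high", "MX": "high", "CNAME": "high"}


@dataclass
class Finding:
    name: str
    rtype: str
    severity: str
    expected: frozenset
    observed: frozenset


def audit_dns_records(baseline, current):
    """Return one Finding per (name, type) whose record set differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        expected = frozenset(baseline.get(key, ()))
        observed = frozenset(current.get(key, ()))
        if expected != observed:
            name, rtype = key
            findings.append(Finding(name, rtype, SEVERITY.get(rtype, "medium"),
                                    expected, observed))
    return findings


# Certificates a CT-log monitor reported for the domain (constructed entries).
# 'fingerprint' stands in for the SHA-256 of the DER-encoded certificate.
OBSERVED_CERTS = [
    {"fingerprint": "aa11", "issuer": "Example CA", "sans": ["www.example.gov", "example.gov"]},
    {"fingerprint": "bb22", "issuer": "Example CA", "sans": ["mail.example.gov"]},
    {"fingerprint": "cc33", "issuer": "Some Public CA", "sans": ["mail.example.gov", "example.gov"]},
]

# The organization's own inventory: fingerprints it knowingly requested, and the
# CAs it has a contractual relationship with (both constructed).
KNOWN_FINGERPRINTS = {"aa11", "bb22"}
ALLOWED_ISSUERS = {"Example CA"}


def audit_certificates(observed, known_fingerprints, allowed_issuers, domain):
    """Flag certificates covering `domain` that the organization did not request.

    An unexpected issuer is the usual tell, but the inventory check is what catches
    a certificate an attacker obtained from an allowed CA while DNS was hijacked."""
    suffix = "." + domain
    findings = []
    for cert in observed:
        if not any(n == domain or n.endswith(suffix) for n in cert["sans"]):
            continue
        reasons = []
        if cert["fingerprint"] not in known_fingerprints:
            reasons.append("not in certificate inventory")
        if cert["issuer"] not in allowed_issuers:
            reasons.append("issuer not on allowed CA list")
        if reasons:
            findings.append((cert["fingerprint"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_dns_records(BASELINE, CURRENT):
        print(f"[{f.severity}] {f.name} {f.rtype}: expected {sorted(f.expected)} "
              f"observed {sorted(f.observed)}")
    for fp, reasons in audit_certificates(OBSERVED_CERTS, KNOWN_FINGERPRINTS,
                                          ALLOWED_ISSUERS, "example.gov"):
        print(f"[cert] {fp}: {'; '.join(reasons)}")
```

The baseline should be captured from a trusted source (the change-management record, not a live query) before the comparison is run, otherwise a zone that was already tampered with becomes the reference. Rotating the DNS-account passwords and enabling multi-factor authentication, the other two directive items, close the entry point but do not undo records or certificates already obtained, which is why both audits are needed.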