PERCEPTION FINANCIAL SERVICES CYBER THREAT BRIEFING REPORT

Q1 2019

Contents

Table of Contents ...... 1
Welcome ...... 1
1 Notable Cyber Activity within Financial Services ...... 2
2 Threat Actor Profile: The Carbanak Organized Crime Gang ...... 4
3 Benefits and challenges of deploying TLS 1.3 ...... 5
4 Ethereum Classic (ETC) 51% Attack ...... 9
5 Authoritative DNS Security ...... 10

Welcome to the latest edition of PERCEPTION the cyber threat intelligence briefing for the financial services sector from Nettitude and edited by Dr Graham Shaw. The briefing report contains informative, relevant and timely information about the cyber threat landscape, current threat actors and recent activities. The report is designed to help you address the cyber risks faced by your organization. Nettitude provides a wide range of cyber threat and assurance services including red team simulation testing, threat modeling, attack surface analysis and tracking on threat actors, their methods and techniques. Please contact [email protected] to inquire further. We hope you enjoy reading this edition of PERCEPTION.

Yours sincerely,
Ben Densham
Chief Technology Officer

1 Notable Cyber Activity within Financial Services

January 2019

A security researcher discovered that The State Bank of India (SBI), India's largest bank, had failed to secure a server which was part of their text-messaging platform. The researcher was able to read all messages sent and received by the bank's 'SBI quick' enquiry service which contained information on balances, phone numbers and recent transactions. This information could have been used to profile high net worth individuals, or aid social engineering attacks which are one of the most common types of financial fraud in India.1

December 2018

Kaspersky published a detailed examination of intrusions into at least eight banks across Eastern Europe in a campaign they have dubbed 'Dark Vishnya'. In each case the attackers used an unknown device connected to the company's local network with remote access through a mobile network connection. Once in the network, the attackers carried out reconnaissance and lateral movement to reach machines used for making payments.2

November 2018

The Bank of England hosted a one-day exercise to test the sector's resilience to a major disruption arising from a cyber-incident. Around forty organizations took part along with the Treasury, Financial Conduct Authority and UK Finance. Concerns were raised by some that a pre-arranged event may not adequately stress-test organizations' preparedness, but nevertheless the event highlights the importance of holding regular war-gaming exercises alongside practical tests of security controls. The bank is expected to publish some of the lessons learned at a later date, although it has said that due to Brexit preparations it will delay the introduction of cyber-related impact tolerances on the sector.3,4

October 2018

Between the 4th and 14th October 2018 HSBC reported a number of US online bank accounts were accessed by unauthorized users, with potential access to personal information about the account holder. HSBC told the BBC this affected fewer than 1% of its American clients and has not released further information on how the unauthorized access occurred.

It is likely that this was an example of a credential-stuffing attack, where attackers attempt to authenticate with vast quantities of username and password combinations obtained from other compromised sites, hoping to find users who have re-used their credentials elsewhere. This highlights the importance of deploying two-factor authentication for sensitive logons and/or detection techniques to block anomalous access.5,6

August 2018

On the 14th of August 2018 the Cosmos Bank, India's second oldest and more importantly India's second largest bank, was compromised by a two-stage attack. The first stage of the attack saw 11.5 million USD stolen. The second stage of the attack happened on the same day as the first, however this time nearly 2 million USD was withdrawn through debit card transactions located in India. Reports at the time stated that malware was used to infect the bank's ATM server to steal credit card information as well as stealing SWIFT codes required for transactions. Cosmos Bank stated that the cyber-attack was launched from 22 different geographical locations. Research conducted by Securonix attributed the attacks to North Korea, pointing specifically at the APT group known as The Lazarus Group.7,8

1 ://techcrunch.com/2019/01/30/state-bank-india-data-leak/
2 https://securelist.com/darkvishnya/89169/
3 https://www.bankofengland.co.uk/news/2018/november/sector-resilience-exercise.
4 https://uk.reuters.com/article/uk-britain-boe-cyber/bank-of-england-says-will-delay-work-on-cyber-stress-tests-for-banks-idUKKBN1O40ZL
5 https://oag.ca.gov/system/files/Res%20102923%20PIB%20MAIN%20v3_1.pdf
6 https://threatpost.com/hsbc-data-breach-hits-online-banking-customers/138856/
7 https://www.pcrisk.com/internet-threat-news/13425-how-hackers-stole-135-million-usd
8 https://www.securonix.com/securonix-threat-research-cosmos-bank-swift-atm-us13-5-million-cyber-attack-detection-using-security-analytics/

2 Threat Actor Profile: The Carbanak Organised Crime Gang

The Carbanak Group (aka Fin7) is an organized cyber-criminal gang which was first discovered in 2014 by Kaspersky Labs. When they were first discovered Kaspersky outlined how they had been targeting banks with malware that was introduced to its target via phishing emails. The Carbanak Group appears to be almost entirely financially motivated, with the majority of their attacks focused on the financial sector. It is unclear how much the group has stolen from banks in total, but reports vary from $900 million to well over a billion.

What is clear about the Carbanak group are their TTPs (Tactics, Techniques and Procedures). To compromise their victim, they utilize spear-phishing with malicious attachments and links. Once a victim is compromised, they move through the bank's internal network infecting servers and controlling ATMs. Their preferred criminal acts are then to transfer money to foreign bank accounts, inflate bank account balances for money-mules to withdraw and command ATM machines to spit out money which the money-mules collect. Further actions tend to see the stolen money converted into one of several cryptocurrencies to help obfuscate its final destination.

June 2018

In June the Ukrainian Cyber Police Chief spoke out and stated that hackers backed by Russia were infecting Ukrainian companies with malicious software. He outlined the Ukrainian assessment that the malicious software was being used to create back-doors into large companies for potentially damaging future coordinated attacks against them. Of the companies being targeted the main focus was critical infrastructure and banking organizations.

Although Russia has denied the accusations, this is another example of rising geo-political tensions affecting the private sector. Relations between Ukraine and Russia continue to be difficult; in 2014, following the annexation of Crimea, Ukraine accused Russia of orchestrating a large scale cyber-attack and have remained vigilant since.9

March 2018

In March of 2018 information outlined by McAfee pointed to the North Korean linked threat actor The Lazarus Group conducting campaigns against Turkish financial organizations. This campaign saw a resurgence of the Bankshot malware. This malware, along with other TTPs conducted in the attack, bore similarities to previous attacks against the Turkish government which have been linked to North Korea.

The Bankshot malware is capable of wiping files and content while staying hidden on the victim's system. This malware, which also goes by the name Trojan Manuscript, is also capable of searching for and connecting to the SWIFT global banking network.11

March 2018

In March of 2018 the United States of America accused Iran of stealing intellectual property from over 300 universities in America, Europe and East Asia. They were also accused of stealing intellectual property from financial services companies and government agencies. The US attorney for the southern district of New York called it "one of the largest state-sponsored hacking campaigns ever prosecuted by the DOJ (Department of Justice)". This hack is believed to have started in 2013 and continued for four years. The US government stated that it was the Mabna Institute which started the attacks, which the US now calls "a Hacker network".

April 2018

In May the head of the Mexican Central Bank reported that Mexican banks had been targeted in an attack which was similar to previous attacks against the Bangladesh banking sector in 2016. It has been reported that around $15.4 million was obtained although it's not clear how much was extracted as cash. In response the Mexican central bank is now creating a cyber-security unit which will provide advice and guidance to the country's banking sector.10


9 https://www.reuters.com/article/us-ukraine-cyber-exclusive/exclusive-ukraine-says-russian-hackers-preparing-massive-strike-idUSKBN1JM225
10 https://www.reuters.com/article/us-mexico-cyber/mexico-central-bank-to-create-cyber-security-unit-after-hack-idUSKCN1IG3AB
11 https://www.ibtimes.com/north-koreas-hidden-cobra-hackers-target-turkey-bankshot-malware-2662019

Figure 1: Carbanak, a global threat.12

On the 26th March 2018 the suspected leader of the notorious cyber-gang "Carbanak", named only as 'Denis K', was arrested in Alicante, Spain. This arrest was part of an international police cooperation between Europol and the Joint Cybercrime Action Taskforce. It was also the first time that the EBF (European Banking Federation) had actively cooperated with Europol on a specific investigation. However, even with the arrest of their suspected leader the group continues to launch attacks against banks. Throughout the last few months of 2018, attacks on financial organizations using Carbanak TTPs and infrastructure continued to be reported, for example against Russian and Romanian banks in August 2018.

The distinction between what has been named the Carbanak group and others named by other organizations as Cobalt or FIN7 is sometimes unclear, with shared techniques and tools being used. It has therefore been suspected that Carbanak may not be one group but several groups utilizing and sharing the same TTPs. Their continued success despite their leader being behind bars indicates the Carbanak group, in whatever form, looks to be continuing work as normal.

12 https://www.europol.europa.eu/publications-documents/carbanak/cobalt-infographic

3 Benefits and challenges of deploying TLS 1.3

Transport layer security, otherwise known as TLS or SSL, has historically been a tricky protocol to properly manage and secure. Most organizations will have, at some point in time, received a pentest report containing a litany of issues regarding protocol version support, insecure cipher suites, missing security extensions, deprecated hash functions, and so forth. These issues can be difficult to navigate due to the naturally terse nature of cryptography, the depth of historical reasoning that went into the TLS protocol design, and the diverse nature of implementations. It should come as a relief, then, that TLS 1.3 brings with it a new design mindset where (comparative) simplicity is seen as one of the cornerstones of secure protocol design.

3.1 A little history

We get the name "SSL" from the Secure Sockets Layer protocol, initially developed by Netscape way back in the mid-90s. Since then there have been a number of iterative releases of the protocol - SSL 2.0 in 1995, SSL 3.0 in 1996, TLS 1.0 in 1999 (the first design to be published as an IETF RFC), TLS 1.1 in 2006, TLS 1.2 in 2008, and of course TLS 1.3 in 2018. The designs of the original SSL protocols had some fairly significant shortcomings, but due to mainstream adoption it quickly became difficult to replace them with something more fundamentally secure. Instead, each new version introduced fixes and countermeasures for known classes of exploits, leading to somewhat of an arms race. Unfortunately, this has resulted in complex implementation requirements; many sections of the TLS standards documents have grown in size from a single paragraph to multiple pages, parts of which require in-depth understanding of cryptographic algorithms as well as processor timing, caching behavior, and compiler quirks in order to implement in a secure manner. Of course, the combination of complicated (and often not well understood) requirements and an increase in the number of features and extensions tends to lead to more bugs. Some of these bugs manifested as security vulnerabilities and others manifested as additional roadblocks to building new backward-compatible versions of the protocol.

It is of little surprise, then, that it took a decade to iterate from TLS 1.2 to TLS 1.3. One of the key drivers for a new approach to TLS is that the prior mentality of adding new mitigations for each new vulnerability is unsustainable. As such, this required a major overhaul of some of the core cryptography and behavior that had remained largely unchanged since the 90s.

3.2 Avoiding the TLS vulnerability onslaught

During previous years I'm sure we've all felt like there was a new branded SSL or TLS vulnerability to deal with every few months. Prior to version 1.3, the TLS protocol utilized a number of problematic cryptographic features, a small number of which are the root cause of almost all of the named vulnerabilities that seemed to plague SSL and TLS over the last decade. We can summarize the core problems as follows:

• Padding oracle attacks on block ciphers in CBC mode, largely due to the decision to use MAC-then-CBC.
• Vulnerabilities in the RC4 stream cipher
• Vulnerabilities in the 3DES block cipher
• Issues with RSA such as weak keys, padding oracles, and timing attacks
• Compression oracles
• Excessively complicated key exchange functionality

TLS 1.3 fixes most of these issues by removing RC4 and CBC mode block cipher suites (including 3DES) entirely, removing static RSA handshakes, simplifying key exchange parameters, removing compression features, and removing renegotiation. MD5 and SHA1 hash functions were also preventatively deprecated for use with message authentication. You may notice there's a pattern here - lots of removed features. This is evidence of the new design approach. The hope is that removing these commonly abused features will not only improve security, but also reduce the cost and complexity of maintenance by library developers and users.

3.3 The interception argument

One of the most significant points of contention in TLS 1.3 was the removal of static RSA handshakes. The benefit of supporting such handshakes was that legitimate security middleware appliances (generally referred to as TLS Intercept Applications, or TIAs for short) could use them to inspect encrypted traffic, given the cooperation of either the client or the server. On the other hand, static RSA handshakes have been historically fraught from a security perspective. A number of organizations, many from the banking sector, put forward a proposal to the TLS 1.3 working group in favor of continuing to allow such interception, but this proposal was rejected as being counter to the goals of TLS 1.3.

This does not mean that all TIAs are broken. Instead, it requires some vendors to choose a different interception model, such as complete proxying of TLS traffic using dynamically generated server certificates signed by a trusted internal enterprise . Unfortunately such proxying is difficult to do securely, as evidenced by a 2018 academic paper which discovered that most TLS proxying products on the market re-introduced many known TLS security flaws even when the servers they communicated with were fully patched. Symantec have published a paper titled "Responsibly Intercepting TLS and the Impact of TLS 1.3", which outlines good technical practices for TLS traffic interception, which TIA vendors should follow.

3.4 Destination unknown

Performing connection routing and load balancing on TLS traffic at the gateway has, for the most part, historically been done using the Server Name Indication (SNI) extension, wherein the server's common name (usually the ) is sent in the clear by as a handshake extension. However, due to concerns over privacy and surveillance, TLS 1.3 will now support SNI encryption (ESNI), which makes the SNI record unreadable to anyone but intended parties.

In contrast to TLS 1.2 and previous, TLS 1.3 also now encrypts the server certificate that it returns to the client. This, combined with ESNI, prevents surveillance technologies from discovering which domain the client is talking to when shared infrastructure is in use.

ESNI has implications for gateway routers and security appliances that make decisions based on SNI metadata. In order to facilitate legitimate access to the SNI record by middleware, ESNI keys can be generated and shared with that middleware. This allows the middleware to decrypt ESNI records but not the traffic within them. This is a considerable security advantage over TLS proxying or termination at the gateway, where an attacker needs only to compromise the gateway in order to gain access to all decrypted network traffic.

Of course, this all assumes that you are in control of the server side of things, which is usually not the case for outbound traffic. This means that security monitoring appliances will be unable to discern the target domain for many connections to servers on the internet that support ESNI. One partial solution is to push a client policy to all users' devices in order to disable ESNI support in their browsers, but this doesn't prevent the use of ESNI by malicious software. Security appliance vendors will likely have to rework some of their detection features and indicators of compromise (IOCs) in order to adapt to TLS 1.3 and ESNI adoption.
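The feature removal described in 3.2 can be checked directly: a server that sets TLS 1.3 as its minimum has no CBC, RC4, 3DES or static RSA left to misconfigure, and a peer that only offers up to TLS 1.2 is refused. The following Go program (an added example, not from the report or Nettitude) runs that handshake over loopback with a throwaway self-signed certificate using only the standard library's crypto/tls; the certificate, hostname "localhost" and all addresses are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the loopback server
// so the example runs offline. It is test scaffolding, nothing more.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// Negotiate performs one handshake over loopback between a server configured
// for TLS 1.3 only and a client whose highest offered version is clientMax.
// It returns the negotiated version and cipher suite, or the handshake error.
func Negotiate(clientMax uint16) (version, suite uint16, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	// Server side. Setting MinVersion is the whole hardening story for 1.3:
	// there is no CBC, RC4, 3DES, static RSA or renegotiation left to disable.
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()

	serverResult := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			serverResult <- err
			return
		}
		defer c.Close()
		serverResult <- c.(*tls.Conn).Handshake()
	}()

	// Client side: trust only the loopback certificate, cap the offered version.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cli := &tls.Config{RootCAs: pool, ServerName: "localhost", MaxVersion: clientMax}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		<-serverResult // the server saw the same failed handshake
		return 0, 0, err
	}
	defer conn.Close()
	state := conn.ConnectionState()
	return state.Version, state.CipherSuite, <-serverResult
}

func main() {
	v, s, err := Negotiate(tls.VersionTLS13)
	fmt.Printf("TLS 1.3 client: version=%#x suite=%s err=%v\n", v, tls.CipherSuiteName(s), err)
	_, _, err = Negotiate(tls.VersionTLS12)
	fmt.Printf("client capped at TLS 1.2: err=%v\n", err)
}
```

The negotiated suite is always one of the three TLS 1.3 AEAD suites, whatever the client asks for, because the version pins the suite family.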

3.5 Round trip elimination

Despite rapidly increasing internet connection bandwidths over the past decade, there remains the immutable problem of latency - a packet can only travel across the globe at a certain velocity. Each round trip between two systems on the internet suffers this latency. The most common way to measure this in terms of HTTP and HTTPS is "time to first byte" or TTFB for short. While total throughput (e.g. data transfer speed in Mbps) on a HTTPS connection is practically equal to that of HTTP, in part owing to the prevalence of AES hardware acceleration instruction set extensions on modern mainstream processors, the TTFB is significantly inflated. This is largely due to the fact that TLS connections have to go through several back-and-forth steps in order to validate identity, negotiate supported ciphers and features, and exchange a secret key in order to securely communicate. This has become a challenge in modern single-page web applications where interactive client-side content communicates with the server using features such as Ajax and Web Sockets.

TLS 1.3 aims to improve the situation significantly in this regard. Whereas TLS 1.2 generally requires two round trips with the server being the last to respond in the handshake (thus having an overall TTFB of five times the packet travel time), TLS 1.3 condenses the handshake into a single round trip where the client sends the last message in the handshake. This means that the client can bundle the encrypted HTTP request along with the final packet of the handshake, reducing the TTFB to three times the packet travel time. This might not seem like much, but it removes hundreds of milliseconds of latency from each connection. Evidence-based UX studies have repeatedly shown that even small increases in web application latency result in a reduction of user engagement, the most touted statistic being that just 100ms of additional latency on Amazon's website resulted in 1% fewer purchases in an A/B test.

The latency of the new handshake can be reduced even further by the new 0-RTT feature in TLS 1.3, which allows for session resumption across connections with no round trips at all; the client can send data in the first packet and the server can decrypt it. Effectively this reduces the number of round trips to zero, hence the name. This can vastly reduce overall latency in a modern application where many resources must be fetched and many web services and APIs interacted with.

Unfortunately, 0-RTT comes with a couple of security downsides. The first is that 0-RTT connections have no - if the session ticket keys are compromised then any previous 0-RTT connection traffic captured by an attacker can be decrypted. The second is that replay attacks are possible, meaning that an attacker can (at least in some situations) take captured traffic from a client's 0-RTT connection and successfully re-send it to the server. There are some mitigations available, but ultimately 0-RTT should only be used for static content and idempotent APIs. As such, it is safe (not to mention useful) to implement 0-RTT on a CDN server, but much less safe to enable it on your web application server.

It is also worth considering that most security professionals familiar with TLS agree that the 0-RTT feature will likely be the most heavily targeted area of the new protocol since it appears to be the least rigid part, and that there is a chance that 0-RTT may need to be disabled due to security issues in future. But, for now, it offers a welcome improvement in performance.

3.6 Support for TLS 1.3

The following is a summary of browser and HTTP server support for TLS 1.3, as of January 2019:

3.6.1 Browsers

• Microsoft - Unsupported
• - Unsupported (in development)
• Mozilla - Supported as of version 53
• Mozilla - Supported as of version 70
• - Supported as of version 56
• Google Chrome for Android - Supported as of version 63
• Apple - In development, supported but not enabled by default
• Apple Safari for iOS - Unsupported
• Opera - Supported as of version 57
• Opera for Android - Supported as of version 57
• Android Browser - Unknown; support likely tied to version of Chrome for Android installed due to Chromium dependency
• Blackberry Browser - Unsupported
• Samsung Internet - Supported as of version 6.2

3.6.2 Libraries

The following cryptographic libraries have TLS 1.3 support:

• BoringSSL
• CycloneSSL
• GnuTLS
• JSSE/JDK (as of JDK11)
• Mint
• NSS
• OpenSSL
• ProtoTLS
• SwiftTLS
• Tris
• fizz
• miTLS
• nqsb
• picotls
• tlslite-ng
• wolfSSL

Microsoft's .NET Framework and .NET Core do not yet have support for TLS 1.3, nor does IIS. All web servers that derive their HTTPS support from a provided OpenSSL-compatible library, such as Apache and , should have support for TLS 1.3.
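Section 3.5 says 0-RTT belongs only in front of idempotent requests because early data can be replayed. One way an application enforces that behind a TLS-terminating proxy is the RFC 8470 pattern: the proxy marks early-data requests with an "Early-Data: 1" header and the application answers anything with side effects with 425 Too Early, so the client retries after the full handshake. This Go middleware is an added example (not from the report); it assumes the proxy sets that header and strips any copy sent by the client.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// replaySafe lists methods whose duplicate delivery has no side effects, so a
// replayed 0-RTT copy is harmless. Everything else must wait for the handshake.
var replaySafe = map[string]bool{
	http.MethodGet:     true,
	http.MethodHead:    true,
	http.MethodOptions: true,
}

// EarlyDataGuard implements the RFC 8470 server behaviour: the TLS-terminating
// proxy (assumed here) tags requests that arrived as 0-RTT early data with
// "Early-Data: 1". Such a request may be an attacker's replay of captured
// traffic, so anything with side effects is refused with 425 Too Early, which
// instructs the client to resend once the handshake has completed.
func EarlyDataGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Early-Data") == "1" && !replaySafe[r.Method] {
			http.Error(w, "retry after the TLS handshake completes", http.StatusTooEarly)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Decide runs one constructed request through the guard and returns the
// status code the client would see. The "/transfer" path is illustrative.
func Decide(method string, earlyData bool) int {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	req := httptest.NewRequest(method, "/transfer", nil)
	if earlyData {
		req.Header.Set("Early-Data", "1")
	}
	rec := httptest.NewRecorder()
	EarlyDataGuard(app).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("GET over early data  ->", Decide(http.MethodGet, true))   // 200
	fmt.Println("POST over early data ->", Decide(http.MethodPost, true))  // 425
	fmt.Println("POST after handshake ->", Decide(http.MethodPost, false)) // 200
}
```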

4 Ethereum Classic (ETC) 51% Attack

On January 7th 2019 Ethereum Classic (ETC) suffered from a "51% attack" containing multiple double spends totalling 219,500 ETC (~$1.1M at the time of the detection). One exchange declared losses of 40,000 ETC and has promised to refund all impacted users.

To understand a 51% attack, you need to first have some limited understanding of block-chain and how block-chain based technologies typically work.

One of the core concepts of block-chain, and its most exalted virtue, is its decentralization – its ability to make assertions without a central authority. For example, with cryptographic currencies, its most commonly noted use-case, this assertion is a ledger containing a limited number of transactions between accounts (the exact number of transactions depends on the currency).

In block-chain technologies a "block" is a structure that contains an assertion, an answer to a puzzle, and a link to the previous block – the puzzle in question differs depending on the implementation, but it is designed such that it takes the contents of the assertion and the answer from the previous block as inputs. Using this it builds its chain similar to that shown below:

The specifics of the puzzle in question don't matter, but what is important is that this puzzle is non-trivial - it takes a certain amount of processing power to find an answer. Typically, this puzzle cannot be calculated and instead random guesses must be made until a correct solution is found. The process of finding the answer to this puzzle is called mining, and forms the backbone of the decentralization features of block-chain. When a miner finds a working answer for the assertions it wishes to make it publishes them to the network, everyone is able to verify it is a correct solution, and moves on to finding the next block.

It is important to be aware that different entities will want to make different assertions. Using cryptographic currencies as an example again, each entity will want to publish blocks containing their own transactions. It is therefore a race between these entities as to who can publish first. Sometimes two entities will publish valid answers in a close time window; and as new block notifications are not real-time the question becomes whose version of the chain should be considered the "official" truth. In these cases, this is left to a natural selection process whereby whichever chain ends up being "longer", or having more work put into it, becomes the accepted truth. It is up to miners which branch they work on, but eventually one branch will "win out". For this reason, a block is never considered "confirmed" until it has a given number of blocks descended from it; this is known as its confirmation number.

This simplified overview of how block-chain technology works gives us sufficient grounding to explain a "51% attack". This model is generally considered robust assuming a level playing field and sufficient participants. A "51% attack" occurs when a single miner makes up more than half of all the processing power going into creating new blocks. This is because statistically, over an extended period of time, they are able to generate more blocks than all other participating miners combined.

In the ETC event described at the start of this article, this was used to "double-spend" a malicious actor's currency. To do this the attacker, who has over 51% of the mining processing power, dedicates their resources to mining from a given block in private, not publishing their results. They then spend their tokens normally. Eventually this transaction is confirmed by the block-chain mechanisms described above and results in the attacker receiving some form of compensation such as physical goods or an alternative, possibly real-world, currency. Once this occurs the attacker publishes their chain, which notably does not include their currency spending. As the attacker controls more than 50% of the processing power it is likely their chain will be longer than the currently accepted "truth", and this causes a switch to occur. In the new ledger of transactions the attacker has not spent their currency, allowing them to repeat the process.

This is not the limit of the attack however, only a demonstration of its capabilities; for example, it could also be used to prevent parties the attacker does not like participating in the technology by refusing to carry their data – again using crypto-currencies as an example, refusing to accept and ignoring transfers from or to a given user – effectively forcing them off the system.

Unless addressed this can ultimately result in a complete breakdown of the mechanism as other miners, unable to contribute and earn a reward, leave the system, causing the attacker's percentage share to grow. Whilst it is currently unknown who the attacker was, in response to this attack gate.io (one affected exchange) has raised its confirmation number to 500, and implemented stricter checks for this sort of malicious activity.
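The mechanics above (puzzle, longest-chain rule, private mining, confirmation number) can be replayed on a toy chain. The Go program below is an added example, not the report's own material: it uses a SHA-256 prefix puzzle at a tiny difficulty, models the attacker's output as the expected block count for a given hashrate share rather than random luck, and uses constructed transaction strings. The 40,000 ETC deposit and the 6 and 500 confirmation figures are the report's numbers; everything else is assumed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Block is the structure the text describes: an assertion (here a list of
// transfers), a link to the previous block, and the puzzle answer (Nonce).
type Block struct {
	Parent string
	Txs    []string
	Nonce  int
	Hash   string
}

// Difficulty is the number of leading hex zeros the block hash must have.
// Kept tiny so the example runs in milliseconds; the mechanism is unchanged.
const Difficulty = 2

func hashOf(parent string, txs []string, nonce int) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", parent, strings.Join(txs, ","), nonce)))
	return hex.EncodeToString(sum[:])
}

func solved(h string) bool { return strings.HasPrefix(h, strings.Repeat("0", Difficulty)) }

// Mine brute-forces the nonce: the "random guesses until a correct solution
// is found" of the text, made deterministic by counting up from zero.
func Mine(parent string, txs []string) Block {
	for n := 0; ; n++ {
		if h := hashOf(parent, txs, n); solved(h) {
			return Block{Parent: parent, Txs: txs, Nonce: n, Hash: h}
		}
	}
}

// Valid re-checks every link and puzzle answer, which is what each node does
// when a chain is published to it.
func Valid(chain []Block) bool {
	parent := ""
	for _, b := range chain {
		if b.Parent != parent || hashOf(parent, b.Txs, b.Nonce) != b.Hash || !solved(b.Hash) {
			return false
		}
		parent = b.Hash
	}
	return true
}

// Accepted is the longest-valid-chain rule: a published chain replaces the
// current one only if it is valid and strictly longer.
func Accepted(current, published []Block) []Block {
	if Valid(published) && len(published) > len(current) {
		return published
	}
	return current
}

// Contains reports whether a transaction is recorded anywhere in the chain.
func Contains(chain []Block, tx string) bool {
	for _, b := range chain {
		for _, t := range b.Txs {
			if t == tx {
				return true
			}
		}
	}
	return false
}

// DoubleSpend replays the ETC scenario with constructed numbers. The honest
// network records the attacker's deposit to an exchange and mines
// `confirmations` further blocks on top of it. Meanwhile the attacker, holding
// `share` of the hashrate, mines privately from the same fork point without
// the deposit. In place of randomness the attacker gets the expected number of
// blocks for that share, which is what "over an extended period of time"
// converges to. It returns the chain the network accepts once the attacker
// publishes, and whether the deposit still exists in it.
func DoubleSpend(confirmations int, share float64) ([]Block, bool) {
	const deposit = "attacker->exchange 40000 ETC"
	genesis := Mine("", []string{"genesis"})
	honest := []Block{genesis, Mine(genesis.Hash, []string{deposit})}
	for i := 0; i < confirmations; i++ {
		honest = append(honest, Mine(honest[len(honest)-1].Hash, []string{fmt.Sprintf("honest tx %d", i)}))
	}
	// Honest miners produced confirmations+1 blocks after the fork point; the
	// attacker's expected output over the same time is share/(1-share) of that.
	private := []Block{genesis}
	n := int(float64(confirmations+1) * share / (1 - share))
	for i := 0; i < n; i++ {
		private = append(private, Mine(private[len(private)-1].Hash, []string{fmt.Sprintf("attacker private tx %d", i)}))
	}
	accepted := Accepted(honest, private)
	return accepted, Contains(accepted, deposit)
}

func main() {
	chain, kept := DoubleSpend(6, 0.51)
	fmt.Printf("6 confirmations, 51%% share: accepted length %d, deposit kept %v\n", len(chain), kept)
	chain, kept = DoubleSpend(500, 0.51)
	fmt.Printf("500 confirmations, 51%% share: accepted length %d, deposit kept %v\n", len(chain), kept)
}
```

With a bare 51% the attacker only ties over 6 confirmations, but over 500 the expected lead is enough to rewrite the deposit out of history; raising the confirmation count buys time and cost, not immunity.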

5 Authoritative DNS Security

A recent set of attacks against DNS integrity have highlighted the importance of securing DNS infrastructure. DNS underpins almost all internet communications, and is fundamental to being able to establish trusted and secure connections between devices. By tampering with information contained within the DNS system it is possible for attackers to masquerade as an organization, present valid TLS certificates and man-in-the-middle connections to obtain sensitive information.

5.1 How DNS works

Before looking at the ways in which DNS has been targeted recently, it's important to have an understanding of how the domain name system works.

When a client needs to connect to a named resource (e.g. mail.example.com), it performs a DNS request to obtain the appropriate IP address to use for the connection. The client's DNS request will be directed to a recursive DNS server, usually operated by a corporation or service provider, which is responsible for finding the answer to the query. It does this by first querying the 'root' nameservers to determine the IP address of the nameserver which is responsible for the second level domain (example.com), and then querying that for the full domain which is required (mail.example.com).

5.2 DNS Integrity

The integrity of a domain's DNS information is key because manipulating it can lead to an adversary being able to not only redirect traffic to infrastructure of their choice but also obtain domain-validated TLS certificates. This means that they are able to effectively man-in-the-middle traffic, while presenting a valid TLS certificate which clients will trust.13

It's important to note that the methodology discussed here is independent of any protections provided by DNSSEC, as that is intended to protect the integrity of the DNS response message in transit from the DNS servers to the client rather than the integrity of the configuration stored on nameservers.

13. Different clients have different behaviour when dealing with domain-validated certificates. Most non-browser clients (e.g. email clients) will trust the certificate with no warnings. Mozilla Firefox and Chrome will both present the 'green padlock', whereas Safari and Microsoft will present a grey padlock indicating the certificate is not fully verified as relating to the organisation. Nevertheless, the majority of end-users will proceed as long as a padlock is in place.

There are two key places where stored DNS records can be manipulated:

5.2.1 Name servers

By gaining access to either the domain registrar or a ccTLD it is possible to change the nameserver records associated with a domain. The nameserver record tells recursive resolvers where to send queries for that domain - for example, if a domain has ns1.example.com (192.0.2.1) as a NS record then queries will be directed to that IP address. If a domain NS record (e.g. originally ns1.example.com) is changed to point to a nameserver controlled by the adversary (e.g. ns1.malicious.com) then that nameserver will respond to queries for example.com domains. This can allow an adversary to correctly resolve some domains (e.g. www.example.com) while returning IPs for their infrastructure for other domains (e.g. mail.example.com). A high-level view of the manipulation is shown below:

Original process to resolve mail.example.com:
(1) client → TLD nameserver: NS? example.com
(2) TLD nameserver → client: ns1.example.com
(3) client → ns1.example.com: A? mail.example.com
(4) ns1.example.com → client: mail.example.com @192.0.2.13
(5) client → mail.example.com (192.0.2.13): connection to fetch email

Manipulated DNS records for example.com (NS record changed at the TLD):
(1) client → TLD nameserver: NS? example.com
(2) TLD nameserver → client: ns1.malicious.com
(3) client → ns1.malicious.com: A? mail.example.com
(4) ns1.malicious.com → client: mail.example.com @203.0.113.13
(5) client → malicious proxy (203.0.113.13): connection to fetch email
(6) malicious proxy → mail.example.com (192.0.2.13): proxied mail connection

5.2.2 Authoritative servers

Here the adversary obtains access to the administrative interface of the authoritative nameserver and changes the IP addresses which are associated with the domains it is responsible for. This could be through a DNS administrative portal, or by gaining access to the server itself. Once this has taken place, any records associated with the domain can be changed to return an IP for adversary controlled infrastructure. A high-level view of the manipulation is shown below:

Original process to resolve mail.example.com:
(1) client → ns1.example.com: A? mail.example.com
(2) ns1.example.com → client: mail.example.com @192.0.2.13
(3) client → mail.example.com (192.0.2.13): connection to fetch email

Manipulated DNS records on ns1.example.com:
(1) client → ns1.example.com: A? mail.example.com
(2) ns1.example.com → client: mail.example.com @203.0.113.13
(3) client → malicious proxy (203.0.113.13): connection to fetch email
(4) malicious proxy → mail.example.com (192.0.2.13): proxied mail connection

5.3 Obtaining trust

As part of the process for obtaining a TLS certificate, two mechanisms are predominantly used to validate that the requestor is entitled to the certificate -- Extended Validation (EV) and Domain Validation (DV). An EV certificate is issued only after the requestor has proven their legal identity, that the individuals requesting the certificate are authorized to act on the organization's behalf, and that they are responsible for the domain the certificate is issued for. A DV certificate, however, requires only that the requestor proves that they are responsible for the domain.

In the case where an adversary has control of a domain, through manipulating NS records or records on the authoritative nameserver, they can issue DV certificates, often using free services like Let's Encrypt. This can be done either by adding new DNS records to the domain, or by hosting an HTTP resource under a standard URI on the domain.

5.4 In the wild…

Talos[14] and FireEye[15] both published blog posts detailing attacks against DNS information which took place in late 2018. The Talos report detailed the compromise of multiple public-sector nameservers in the Middle East and the issuing of certificates from Let's Encrypt for those domains, although they were unable to determine a precise motivation for the attack. FireEye detailed a much larger campaign of DNS manipulation where redirected domains with Let's Encrypt certificates were used to man-in-the-middle connections to the organizations and extract credentials for systems. In these attacks a wide range of organizations were targeted, including government financial institutions. However, it is assessed that now that these techniques have been widely published, the risk of them being leveraged to gain access to valuable information and credentials in other sectors is high.

5.5 Manipulating the internet

It is also worth noting that a more advanced attack took place in April 2018 where BGP (the internet's main routing protocol) was abused to redirect DNS traffic destined for Amazon's authoritative nameservers. The attackers were able to claim five routes used by Amazon's DNS nameservers and accept traffic destined to them on their own infrastructure for around two hours. Although only a small number of ISPs accepted the claim, users on those which did unwittingly sent their DNS queries to the attacker's infrastructure, where they were redirected if they were visiting the myetherwallet.com site. Although in this case users would have had to click through a certificate warning, some reports indicate around $150,000 worth of ether was stolen.

5.6 What to do…

In the face of increasing awareness of these styles of attack it is important to ensure that DNS infrastructure is safeguarded against them. Key steps to take are:

• Implement two-factor authentication to secure DNS management accounts or other infrastructure used to modify DNS records.
• Validate that DNS records are pointing to the correct IP addresses or .
• Search logs for any certificates issued for domains which appear anomalous and revoke if necessary.
• Monitor certificate transparency logs for new certificates being issued and ensure that they are legitimate.
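The last two steps above, and the DV issuance concern in 5.3, come down to the same control: knowing which certificates for your names exist in public CT logs and which of them you did not request. The following is an added example written for this briefing, not code from the report. The log entries are constructed inline in the shape of a crt.sh JSON search result (the field names id, issuer_name, common_name, name_value and not_before are an assumption about that service's output), the corporate CA name and the inventory of expected hostnames are invented, and the Let's Encrypt issuer string is written in the same DN style.

```python
"""Flag certificates in CT search results that do not match the inventory.

Added example (not from the report). Entries are constructed; in practice
they would be fetched from a CT log search service for each monitored domain.
"""
import json
from typing import Dict, List, Set

# Constructed inventory: names we expect certificates for, and the CA(s) we
# issue through. Anything else covering our names deserves a look.
EXPECTED_NAMES: Set[str] = {"example.com", "www.example.com", "mail.example.com"}
APPROVED_ISSUERS: Set[str] = {"C=US, O=Constructed Corporate CA, CN=Constructed Corporate CA G1"}

# Constructed search results. Row 1003 is repeated on purpose: log search
# output can list the same certificate more than once.
CONSTRUCTED_CT_RESULTS = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Constructed Corporate CA, CN=Constructed Corporate CA G1",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2018-11-02T09:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "mail.example.com", "name_value": "mail.example.com",
     "not_before": "2019-01-14T03:12:40"},
    {"id": 1003, "issuer_name": "C=US, O=Constructed Corporate CA, CN=Constructed Corporate CA G1",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2019-01-20T10:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Constructed Corporate CA, CN=Constructed Corporate CA G1",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2019-01-20T10:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Constructed Corporate CA, CN=Constructed Corporate CA G1",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "not_before": "2019-02-01T12:30:00"},
])


def find_anomalous_certs(ct_json: str,
                         expected_names: Set[str] = EXPECTED_NAMES,
                         approved_issuers: Set[str] = APPROVED_ISSUERS) -> List[Dict]:
    """Return one record per suspicious certificate, with the reasons it was flagged.

    Three signals are checked: an issuer outside the approved set (the DV
    issuance path described in 5.3), a wildcard name, and a name that is not
    in the hostname inventory.
    """
    seen: Set[int] = set()
    anomalies: List[Dict] = []
    for entry in json.loads(ct_json):
        if entry["id"] in seen:
            continue
        seen.add(entry["id"])
        names = {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}
        if entry.get("common_name"):
            names.add(entry["common_name"].lower())

        reasons: List[str] = []
        if entry["issuer_name"] not in approved_issuers:
            reasons.append(f"issuer not approved: {entry['issuer_name']}")
        wildcards = sorted(n for n in names if n.startswith("*."))
        if wildcards:
            reasons.append("wildcard name(s): " + ", ".join(wildcards))
        unknown = sorted(n for n in names if n not in expected_names and not n.startswith("*."))
        if unknown:
            reasons.append("name(s) not in inventory: " + ", ".join(unknown))

        if reasons:
            anomalies.append({"id": entry["id"], "names": sorted(names),
                              "issuer": entry["issuer_name"],
                              "not_before": entry["not_before"], "reasons": reasons})
    return anomalies


if __name__ == "__main__":
    for item in find_anomalous_certs(CONSTRUCTED_CT_RESULTS):
        print(f"cert {item['id']} ({item['not_before']}) for {', '.join(item['names'])}")
        for reason in item["reasons"]:
            print(f"    - {reason}")
```

Each flagged certificate is a candidate for the "revoke if necessary" step: a certificate from an issuer the organization never uses, covering a name whose DNS records also show drift, is the combination the Talos and FireEye reports describe. Running the check on a schedule and comparing against the previous run turns the CT log from a forensic source into an early-warning one.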

Authors

Joel Snape, Senior Threat Analyst
Graham Sharples, Threat Analyst
Graham Sutherland, Senior Vulnerability Research Analyst
Adam Williams, Researcher

14 https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
15 https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Contact a cyber expert today

US Head Office +1 212-335-2238 UK Head Office +44 345-52-000-85 [email protected] www.nettitude.com

This report is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute financial, investment or legal advice. Nettitude and its affiliates, directors, employees and/or agents expressly disclaim all liability relating to or resulting from the use of all or any part of this report or any of the information contained herein. No representation or warranty, express or implied, is given by or on behalf of Nettitude as to the accuracy, reliability or completeness of the information or opinions contained in this report. The report contains estimates and opinions which are not a reliable indicator of future events and may prove to be incorrect. Nettitude accept no responsibility for updating the report for events or circumstances that occur after such dates or to update or keep current any of the information contained herein.