Content

Iranian actors possibly behind DNS attack: FireEye

A tentative connection has been made to Iranian-inspired actors for a wave of DNS attack being conducted against targets in Middle East and North Africa, Europe and North America.

FireEye’s Mandiant Incident Response and Intelligence teams tempered its belief that Iran is behind the attacks noting work continues on attribution, but enough evidence exists for the team to give moderate confidence the attacks stem from persons based in Iran.

“FireEye Intelligence identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator, these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyberespionage actors. The entities targeted by this group include Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value,” the report said.

The organizations being targeted are telecoms, ISPs, internet infrastructure providers, government and commercial entities. The campaign ran from January 2017 to January 2019 and used multiple, non-overlapping clusters of actor-controlled domains and IPs and a wide range of providers were chosen for encryption certificates and VPS hosts, FireEye said.

FireEye was unable to specify the exact attack vector used against each target and said there is a possibility multiple vectors were used in each case, but a few clues were available to shed some light on the issue.

“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account,” the report said.

In November Cisco Talos reported on what is likely one aspect of this campaign when it came across attacks targeting Lebanese and the United Arab Emirates .gov domains. The attackers gained initial entry using two fake job-oriented websites and malicious Microsoft Office documents with embedded macros, Cisco Talos wrote at the time.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.