What is the threat?
An attack campaign called DNSpionage, first reported by Cisco Talos in November 2018, has recently resurfaced with new attack vectors and methodologies. The campaign has two prongs: fake job posting websites that impersonate the Wipro and Suncor career portals and deliver malicious Microsoft Word documents, and unauthorized modification of DNS records belonging to the victims' own domains, which redirects users to attacker-controlled servers. Login credentials from several government entities and private organizations in the Middle East (Lebanon and the United Arab Emirates) have been stolen, and the U.S. Department of Homeland Security has issued an alert warning organizations about this DNS hijacking activity.
Why is this noteworthy?
The original campaign used a technique known as DNS redirection (also called DNS hijacking). The Domain Name System (DNS) resolves the hostname in a URL typed into a browser to the Internet Protocol (IP) address used to locate the server. By altering the DNS records of the targeted domains, the threat actors redirected user traffic from legitimate sites to attacker-controlled servers impersonating them, where credentials and other traffic could be captured. Because the fake job portals ask for usernames, passwords, government identification numbers and other sensitive information as part of an online application, that data is harvested by the threat actors as well. In addition, a Microsoft Word document carrying a malicious macro is offered for download as part of the "job screening" process; opening it and enabling macros infects the job seeker's computer. The latest DNSpionage activity is noteworthy because the infection chain now includes a reconnaissance phase that tries to determine whether the victim is part of a cybersecurity defense team. Current attempts are believed to check whether the malware is running on a "honeypot", a system purposely set up to monitor and identify threat activity.
What is the exposure or risk?
The risk from this threat is twofold: harvesting of sensitive personal information through the fake job site itself, and infection of the user's computer via the malicious document downloaded as part of the job screening process. Information entered into the fake site is immediately harvested by the threat actor. The document's macro runs a series of commands, including a WMI (Windows Management Instrumentation) query that looks for known security products, to judge whether the user is a cybersecurity defender or the machine is an analysis system. If no such tooling is found, the malware dropped by the document collects additional information from the user's computer and transmits it directly to the threat actor.
What can you do?
If your organization runs a job posting system, in particular one based on the Suncor or Wipro platforms that this campaign impersonates, immediately audit your DNS records, at both the domain registrar and the authoritative name servers, to confirm that no unauthorized modification has occurred. If a modification is found, you may need to notify job seekers so they can investigate whether their information was harvested and whether their computers are at risk. For employees who may have interacted with these systems after the DNS modification, the Talos Intelligence article referenced below describes how to determine whether an infection took place by searching for the text-based log files the malware leaves behind on users' computers.
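One way to perform the DNS audit described above is to diff the records your domain actually serves against a signed-off baseline and flag exactly the changes a hijack produces: address records pointing outside the netblocks you own, name servers you did not delegate to, and lowered TTLs. The following is an added example written for this advisory; it is not code from SKOUT, Talos or any tool they describe. The zone data, the example.com names and the address ranges are constructed (RFC 5737 documentation addresses), and in practice the "observed" side would be gathered from a public resolver, your authoritative servers and the registrar's API rather than pasted in.

```python
"""Added example: diff served DNS records against a baseline to spot a hijack.
Not from the original advisory or from Talos; all sample data is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed baseline: the records the organization intends to publish.
BASELINE = """
careers.example.com.   3600 IN A  192.0.2.10
webmail.example.com.   3600 IN A  192.0.2.20
example.com.           3600 IN NS ns1.example.com.
example.com.           3600 IN NS ns2.example.com.
example.com.           3600 IN MX 10 mail.example.com.
"""

# Constructed "observed" answers, e.g. from a resolver or the registrar API.
# careers now points off-net with a short TTL and an extra NS was delegated.
OBSERVED = """
careers.example.com.    300 IN A  198.51.100.77
webmail.example.com.   3600 IN A  192.0.2.20
example.com.           3600 IN NS ns1.example.com.
example.com.           3600 IN NS ns2.example.com.
example.com.           3600 IN NS ns.attacker-example.net.
example.com.           3600 IN MX 10 mail.example.com.
"""

# Address space the organization actually owns (constructed).
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str
    ttl: int


def parse_zone(text):
    """Parse minimal BIND-style 'name ttl IN type rdata' lines into Records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank/comment/unsupported lines
        name, ttl, _, rtype = parts[:4]
        rdata = " ".join(parts[4:])
        records.append(Record(name.lower(), rtype.upper(), rdata.lower(), int(ttl)))
    return records


def group(records):
    """Map (name, type) -> {rdata: ttl} so each RRset is compared as a whole."""
    rrsets = {}
    for r in records:
        rrsets.setdefault((r.name, r.rtype), {})[r.rdata] = r.ttl
    return rrsets


def audit(baseline_text, observed_text, own_prefixes):
    """Return (severity, message) findings describing drift from the baseline."""
    base = group(parse_zone(baseline_text))
    obs = group(parse_zone(observed_text))
    findings = []
    for name, rtype in sorted(set(base) | set(obs)):
        b = base.get((name, rtype), {})
        o = obs.get((name, rtype), {})
        for rdata in sorted(set(o) - set(b)):
            findings.append(("HIGH", f"added {rtype} {name} -> {rdata}"))
        for rdata in sorted(set(b) - set(o)):
            findings.append(("HIGH", f"removed {rtype} {name} -> {rdata}"))
        # Hijackers often shorten TTLs so their redirect takes effect quickly
        # and can be reverted before anyone looks.
        if b and o and min(o.values()) < min(b.values()):
            findings.append(("LOW", f"TTL lowered on {rtype} {name}: "
                                    f"{min(b.values())} -> {min(o.values())}"))
    # Any address record outside owned space is suspicious even if the
    # baseline itself was tampered with.
    for (name, rtype), rrset in obs.items():
        if rtype in ("A", "AAAA"):
            for rdata in rrset:
                addr = ipaddress.ip_address(rdata)
                if not any(addr in p for p in own_prefixes):
                    findings.append(("HIGH", f"{name} resolves outside owned space: {rdata}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(BASELINE, OBSERVED, OWN_PREFIXES):
        print(f"[{severity}] {message}")
```

Run it against the constructed data and it reports the swapped careers A record (added, removed and TTL lowered), the off-net address, and the unexpected ns.attacker-example.net delegation. Two caveats: the observed side must include what the registrar and the parent zone publish, because a hijack at the registrar changes the delegation while your own zone file still looks clean, and the baseline has to be kept somewhere the DNS administrator account cannot edit, otherwise an attacker with that account can change both.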
To contain the possible reach of this threat, SKOUT recommends the following:
· Use multi-factor authentication wherever supported.
· Create strong passwords for all accounts and ensure each password is unique to each website and service used.
· Ensure anti-malware solutions are installed and up-to-date.
· Employ behavior-based detection methods such as SKOUT Endpoint Protection and SKOUT Security Monitoring.
· Restrict and monitor who can change DNS and domain registrar records, audit those records regularly, and watch Certificate Transparency logs for certificates issued for your domains that you did not request.
References
For more in-depth information about the recommendations, please visit the following links:
· https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html?m=1
· https://www.zdnet.com/article/dnspionage-campaign-releases-new-karkoff-malware-into-the-wild/
· https://krebsonsecurity.com/tag/dnspionage/
If you have any questions, please contact our Security Operations Center.