DNS on fire

Presented at VB2019, Oct. 2, 2019, 2:30 p.m. (30 minutes)

*Cisco Talos* identified malicious actors targeting the DNS protocol successfully for the past several years. In this presentation, we will present two threat actors we have been tracking. The first one developed a piece of malware, named DNSpionage, targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. We identified multiple countries targeted by this redirection. On 22 January 2019, the US DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. The second actor is behind the campaign we named 'Sea Turtle'. This actor is more advanced and more aggressive than the previous one. They do not hesitate to directly target registrars and one registry. The talk will present the two actors and the methodology used to target the victims.

Presenters:

• Paul Rascagnères - Cisco Talos   as Paul Rascagneres
  Paul Rascagneres Paul is a security researcher within Cisco Talos, Cisco's threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for seven years, mainly focusing on malware analysis, malware hunting and more specially on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors. @r00tbsd
• Warren Mercer - Cisco Talos
  Warren Mercer Warren Mercer joined Cisco Talos coming from a network security background, having previously worked for other vendors and the financial sector. Focusing on security research and threat intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career, ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier in work helps! @SecurityBeard

Links:

• https://www.virusbulletin.com/conference/vb2019/abstracts/dns-fire
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-MercerRascagneres.pdf
• https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-dns-fire/

Similar Presentations:

• 33C3 (2016) / Million Dollar Dissidents and the Rest of Us: Uncovering Nation-State Mobile Espionage in the Wild
• REcon 2018 / Cloudy With a Chance of Malware: Analyzing the Links Between KASPERAGENT and Cloudy Malware
• VB2016 / The Good, The bad & The Ugly: The Advertiser, the Bot & the Traffic Broker