Sophisticated operation preyed on high-value targets
The threat intelligence group said the malicious actors were sophisticated because they had remained undetected in their victims’ networks despite launching five attacks so far this year across two separate operations.
One of the operations, which hit unidentified users in each country, imitated job-posting websites in order to deliver malware that Talos has dubbed ‘DNSpionage’.
DNSpionage, Talos said, is a remote administration tool (RAT) that gives the attacker control of a system once its payload has been delivered through a malicious Microsoft Office document.
The malware uses an obscure data exfiltration method known as DNS (Domain Name System) tunnelling to communicate back to the attacker: data is encoded into queries for an attacker-controlled domain, and ordinary resolvers forward those queries to the attacker’s name server, so the traffic typically passes perimeter controls that would block a direct connection.
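To make the tunnelling method concrete, here is an added example (not code from the Talos report or from DNSpionage itself) that does two things: it encodes a constructed “stolen” string into base32 labels under a hypothetical attacker zone, update-check.example, the way a DNS tunnel carries data out, and it runs a simple detector over constructed resolver log lines (format assumed: client, query type, query name) that flags zones receiving many long, high-entropy subdomains. The thresholds and the “zone is the last two labels” rule are assumptions to tune for a real environment.

```python
import base64
import math
from collections import defaultdict

ZONE = "update-check.example"   # hypothetical attacker-controlled zone (assumption)
LABEL_MAX = 50                  # keep each label under the 63-byte DNS label limit


def encode_chunks(data: bytes, seq_start: int = 0) -> list[str]:
    """Tunnel side: base32 is DNS-safe and case-insensitive. Split the encoded
    payload into query names of the form <seq>.<chunk>.<ZONE> so the attacker's
    authoritative server can reassemble them in order."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    names = []
    for i in range(0, len(b32), LABEL_MAX):
        chunk = b32[i:i + LABEL_MAX]
        names.append(f"{seq_start + len(names)}.{chunk}.{ZONE}")
    return names


def decode_chunks(names: list[str]) -> bytes:
    """Reassemble the payload from the query names seen at the authoritative server."""
    parts = sorted((int(n.split(".")[0]), n.split(".")[1]) for n in names)
    b32 = "".join(chunk for _, chunk in parts).upper()
    b32 += "=" * (-len(b32) % 8)      # restore the padding stripped on the way out
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str) -> tuple[str, str]:
    """Return (subdomain, zone). Assumption: the zone is the last two labels;
    a real deployment would use the public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunnelling(log_lines, min_sub_len=30, min_entropy=3.5, min_unique=3):
    """Detector side. A query is suspicious on its own when its subdomain is long
    and high-entropy; a zone is reported when it receives at least `min_unique`
    distinct suspicious subdomains (real hostnames repeat, encoded chunks do not).
    Returns {zone: [all query names seen for that zone]} for reported zones."""
    suspicious = defaultdict(set)
    all_names = defaultdict(set)
    for line in log_lines:
        _client, _qtype, qname = line.split()
        sub, zone = split_zone(qname)
        all_names[zone].add(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            suspicious[zone].add(qname)
    return {
        zone: sorted(all_names[zone])
        for zone, names in suspicious.items()
        if len(names) >= min_unique
    }


# Constructed sample data (not real traffic): benign lookups plus one tunnelled
# credential blob split across several queries to the attacker zone.
BENIGN_QUERIES = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A mail.lb-finance.example",
    "10.0.0.7 AAAA cdn-assets-01.static.example",
    "10.0.0.7 TXT _dmarc.example.com",
    "10.0.0.9 A vpn.corp.example",
]
STOLEN = (b"user=admin;pass=hunter2;vpn=gw01.corp.example;"
          b"mail=owa.corp.example;session=3f9a1c7b2e;host=FIN-WS-042")
TUNNEL_QUERIES = [f"10.0.0.9 TXT {name}" for name in encode_chunks(STOLEN)]
LOG_LINES = BENIGN_QUERIES + TUNNEL_QUERIES

if __name__ == "__main__":
    for zone, names in detect_tunnelling(LOG_LINES).items():
        print(f"suspected tunnel zone {zone}: {len(names)} queries")
        print("recovered:", decode_chunks([n.split()[-1] if " " in n else n
                                           for n in names]))
```

The per-query features (subdomain length, character entropy) catch an individual encoded chunk; the per-zone count is what keeps false positives down, since CDN and telemetry hostnames can be long and random-looking but repeat, whereas a tunnel produces a stream of never-before-seen names under one zone. Query volume and the ratio of TXT or NULL queries to a single zone are further signals a production detector would add.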
“The attackers most likely sent the malicious document via email as part of a spear-phishing campaign, but it also could have circulated via social media platforms, such as LinkedIn, in an attempt to legitimize the opportunity for a new job,” Talos said in its report.
A second campaign, which ran between September and November of this year, used a DNS hijacking attack to target government and private domains, including Lebanon’s Finance Ministry, the Telecommunication Regulatory Authority and a police college in the UAE, and Middle East Airlines, the Lebanese flag carrier.
The attackers were able to compromise these domains, among others, and redirect users to a malicious IP address. Fraudulently obtained Let’s Encrypt certificates were used to lend the doppelganger domains legitimacy. Because Let’s Encrypt publishes every certificate it issues to Certificate Transparency logs, monitoring those logs for unexpected issuances on an organization’s own domain names is one way this kind of activity can be spotted.
While it remains unclear how successful these attacks were, a hijack of this kind would have allowed all traffic sent to the original domains to be intercepted.
“Because the attackers targeted email and VPN traffic specifically, they may have been used to harvest additional information, such as email and/or VPN credentials,” Talos said, adding that the threat actors had very likely spent a significant amount of time studying their targets, possibly from within, although no “direct correlation of infrastructure, staff, or job routines” was found.
“We are highly confident that both of these campaigns came from the same actor,” Talos said. “However, we do not know much about the location of the actors and their exact motivations.”
The race to digitize has put Middle Eastern countries increasingly under threat of cyber-attack, with 2.8 million ransomware incidents recorded in the UAE in the first quarter of 2018 alone.
As Middle Eastern countries work at diversifying their economies away from heavy reliance on oil and gas, the regional cybersecurity market is projected to reach over $20 billion by 2022.
The IT spending boom has been accompanied by examples of nefarious use of technologies.
Just this week, Haaretz, an Israeli publication, reported that NSO Group had struck a deal with the Saudi government to use its controversial Pegasus spyware to suppress opponents of the current regime, including the recently assassinated journalist Jamal Khashoggi.
Amnesty International is calling for NSO Group’s export license to be revoked after it was revealed that the company’s technology was being used to spy on the work of non-governmental organizations in Saudi Arabia.
“By continuing to approve of NSO Group, the [Israeli] Ministry of Defence is practically admitting to knowingly cooperating with NSO Group as their software is used to commit human rights abuses,” Amnesty said in a statement.
The Daily Swig has reached out to Cisco Talos and Middle East Airlines for comment.