Cyberespionage Implant Delivered via Targeted Government DNS Hijacking
Threat hunters at Kaspersky have intercepted a new cyberespionage implant being delivered via targeted DNS hijacking of government zones in Eastern Europe and published a new report Wednesday with clues linking the malware to the SolarWinds attackers.
The Russian security vendor said the newly discovered malware — called Tomiris — contains technical artifacts that suggest the possibility of common authorship or shared development practices with the group that executed the SolarWinds supply chain compromise.
The company documented the findings in a research paper that provides evidence of an advanced DNS hijacking technique used to surgically replace webmail login pages on the fly to hijack government usernames and passwords.
The DNS hijacking was observed on several government zones of an unidentified CIS member state — guesses are Kyrgyzstan or Kazakhstan — and allowed the threat actor to redirect traffic from government mail servers to attacker-controlled machines during specific time periods.
From the Kaspersky report:
During these time frames, the authoritative DNS servers for the zones above were switched to attacker-controlled resolvers. These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims.
While the malicious redirections were active, visitors were directed to webmail login pages that mimicked the original ones. Due to the fact that the attackers controlled the various domain names they were hijacking, they were able to obtain legitimate SSL certificates from Let’s Encrypt for all these fake pages, making it very difficult for non-educated visitors to notice the attack – after all, they were connecting to the usual URL and landed on a secure page.
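As an added defensive example, not code from the Kaspersky report or from this article, the Python below detects the kind of brief authoritative-NS switch described above by comparing periodic delegation lookups against a known-good baseline; the zone names, nameserver names and the polling log are all constructed, and a real deployment would feed it NS answers obtained from the parent (TLD) servers rather than from a local resolver.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed baseline: the NS delegation each zone owner expects at the registrar.
EXPECTED_NS = {
    "mail.example.gov": frozenset({"ns1.example.gov.", "ns2.example.gov."}),
    "www.example.gov": frozenset({"ns1.example.gov.", "ns2.example.gov."}),
}

@dataclass(frozen=True)
class Observation:
    ts: datetime
    zone: str
    ns: frozenset  # NS set returned by a lookup against the parent (TLD) servers

@dataclass(frozen=True)
class DelegationWindow:
    zone: str
    start: datetime
    end: Optional[datetime]  # None while the delegation has not returned to baseline
    rogue_ns: frozenset

def find_delegation_windows(observations, expected=EXPECTED_NS):
    """Return each interval in which a monitored zone's NS set differed from baseline.
    Brief switches are caught only if a poll lands inside them, so poll frequently."""
    windows, open_windows = [], {}
    for o in sorted(observations, key=lambda x: x.ts):
        baseline = expected.get(o.zone)
        if baseline is None:
            continue
        if o.ns != baseline and o.zone not in open_windows:
            open_windows[o.zone] = (o.ts, o.ns - baseline)   # window opens
        elif o.ns == baseline and o.zone in open_windows:
            start, rogue = open_windows.pop(o.zone)           # window closes
            windows.append(DelegationWindow(o.zone, start, o.ts, rogue))
    for zone, (start, rogue) in open_windows.items():        # still redelegated
        windows.append(DelegationWindow(zone, start, None, rogue))
    return windows

# Constructed 15-minute polls: only the mail zone is redelegated, for polls 2..4.
T0 = datetime(2021, 9, 1, 0, 0)
GOOD = EXPECTED_NS["mail.example.gov"]
ROGUE = frozenset({"ns.attacker-controlled.example."})   # placeholder rogue server
SAMPLE = [Observation(T0 + timedelta(minutes=15 * i), "mail.example.gov",
                      ROGUE if 2 <= i <= 4 else GOOD) for i in range(6)]
SAMPLE += [Observation(T0 + timedelta(minutes=15 * i), "www.example.gov", GOOD)
           for i in range(6)]
```

Each reported window gives the first poll at which the delegation diverged and the first poll at which it was back, so the true hijack interval is bounded by one polling period on either side.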
The researchers believe the credentials entered into these pages were siphoned off by the attackers and reused in subsequent stages of a larger compromise.
“In some cases, they also added a message on the page to trick the user into installing a malicious ‘security update’,” the researchers noted, warning that the link leads to an executable file with the new backdoor.
Once installed on a machine, the Tomiris backdoor continuously queries a command-and-control server for additional executable files to execute on the compromised system.
Kaspersky has previously connected the SolarWinds attack code to a known Russian threat actor and is now calling on external threat-intel researchers to help reproduce the results.
The exposure of Tomiris — and the potential link to SolarWinds — comes just days after Microsoft issued a public advisory for FoggyWeb, a new piece of malware used by the SolarWinds (Nobelium) attackers.
FoggyWeb has been described by Microsoft as a post-exploitation passive backdoor that the hackers have been using to remotely exfiltrate sensitive information from compromised Active Directory Federation Services (AD FS) servers. The backdoor is persistent and highly targeted.
The threat actor has been observed launching attacks even after its operations were exposed following the discovery of the SolarWinds breach. In June, Microsoft warned that the hackers had continued to conduct operations aimed at IT companies, with targets identified across 36 countries.