Eye of newt, and toe of frog,
Wool of bat, and tongue of dog,
Adder’s fork, and blind-worm’s sting,
Lizard’s leg, and howlet’s wing,–
For a charm of powerful trouble,
Like a hell-broth boil and bubble.
-Macbeth, Act IV, Scene I
Macbeth’s witches have nothing on today’s hackers when it comes to evil intent and perverse cleverness.
According to threat researchers at Infoblox partner FireEye, an as-yet-unidentified group of cybercriminals that uses spear-phishing to compromise systems, and then malware to steal sensitive information, has been thinking outside the box.
These particular attacks revealed an alarming escalation in the sheer ingenuity of the hacking community. One ingredient of the hacker’s brew was a free service from Google called “Google Developer” (previously “Google Code”), and this is not the first time that services such as Google Cloud Messaging and Google Drive have been used in hacking attacks.
But this time Google was only one of many ingredients. The attacks also incorporated a legitimate digital certificate from a police mutual aid association; the Kaba RAT; DNS services from Hurricane Electric, an ISP in California (hence the name “Poisoned Hurricane”); and infected clients at other ISPs in the United States and Asia, an Asian financial institution, and Asian government organizations.
In this multi-victim attack, Google and Hurricane Electric became unwilling accomplices, used by the attackers as switching stations to redirect traffic that appeared to be headed toward legitimate domains such as adobe.com and outlook.com.
The attackers took advantage of the fact that Hurricane Electric’s hosted DNS service let anyone register for a free account, create a DNS zone, and add A records pointing to any IP address they desired, in this case the hackers’ command and control servers. Hurricane Electric did not check whether a zone created by one of its users was already registered to, or otherwise legitimately owned by, another party, so anyone with an account was able to create a zone for a legitimate domain such as adobe.com. Although Hurricane Electric’s nameservers are authoritative servers rather than recursors and were never designed to be queried directly by end users, they answered direct queries for any domain configured through the hosted service, returning the attacker’s records in place of the legitimate ones.
FireEye detected the attacks in March of this year and notified Google and Hurricane Electric. But this technique presents a significant danger going forward. Many IT organizations still rely on passive visual inspection of URLs to make sure connections are valid—and that won’t help to detect the Poisoned Hurricane attack, because the hostname the malware resolves is the genuine adobe.com or outlook.com; only the nameserver it asks, and the answer it gets back, are wrong.
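Because the URL looks legitimate, detection has to happen at the DNS layer instead: which nameserver did the client actually query, and did the answer match what that domain is known to resolve to? The following script is an added illustration, not code from Infoblox or FireEye; it runs over a constructed log of client, resolver, query and answer, flags internal hosts that bypass the approved enterprise resolvers (the way the malware queried Hurricane Electric’s servers directly), and flags A answers for monitored domains that fall outside their expected address ranges. The resolver addresses, the log format and the RFC 5737 documentation ranges are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
# Resolvers internal clients are allowed to query directly (constructed placeholder addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Ranges an A answer for each monitored domain is expected to fall in
# (constructed RFC 5737 documentation ranges, not the domains' real addresses).
EXPECTED_RANGES = {
    "adobe.com": [ipaddress.ip_network("192.0.2.0/24")],
    "outlook.com": [ipaddress.ip_network("198.51.100.0/24")],
}

@dataclass
class Finding:
    client: str
    resolver: str
    qname: str
    answer: str
    reason: str  # "resolver-bypass" or "unexpected-answer"

def parse_line(line):
    # Assumed log format (constructed): "<client> <resolver> <qname> <rtype> <answer>"
    client, resolver, qname, rtype, answer = line.split()
    return client, resolver, qname.lower().rstrip("."), rtype, answer

def analyze(lines):
    """Return one Finding per suspicious query or answer in the log lines."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        client, resolver, qname, rtype, answer = parse_line(line)
        # A client talking to a nameserver other than the enterprise resolver is how
        # the malware reached Hurricane Electric's authoritative servers directly.
        if resolver not in APPROVED_RESOLVERS:
            findings.append(Finding(client, resolver, qname, answer, "resolver-bypass"))
        # An A answer for a monitored domain outside its known ranges is the hijacked record.
        ranges = EXPECTED_RANGES.get(qname)
        if ranges and rtype == "A":
            ip = ipaddress.ip_address(answer)
            if not any(ip in net for net in ranges):
                findings.append(Finding(client, resolver, qname, answer, "unexpected-answer"))
    return findings

# Constructed sample log: 203.0.113.7 stands in for an unsanctioned public nameserver.
SAMPLE_LOG = """\
10.1.4.22 10.0.0.53 adobe.com. A 192.0.2.10
10.1.4.22 203.0.113.7 adobe.com. A 203.0.113.99
10.1.4.31 10.0.0.53 outlook.com. A 198.51.100.8
10.1.4.31 203.0.113.7 example.net. A 203.0.113.5
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` yields three findings: the second line is flagged twice (wrong resolver and an adobe.com answer outside the expected range), and the fourth line once for the resolver alone.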
This reiterates the need to secure the infrastructure and follow best practices around core services like DNS. Services like FireEye’s worldwide sensor network and Infoblox’s Malware Data Feed, and solutions like the Infoblox DNS Firewall – FireEye Adapter, are the best available way to actively combat increasingly insidious malware attacks.