FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success. We have been tracking this activity for several months, mapping and understanding the innovative tactics, techniques and procedures (TTPs) deployed by the attacker. We have also worked closely with victims, security organizations, and law enforcement agencies where possible to reduce the impact of the attacks and/or prevent further compromises.
While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale. The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways.
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-ca...

Beyond the scale and the presumed origin, the techniques used are fairly simple (though not as simple as injecting JS malware into a website...) and well known. The interesting part is the use of Let's Encrypt (a LinuxFoundation consortium project) to build the Man-in-the-Middle attack at the root of 2 of the 3 techniques used. It's interesting (and in its own way amusing) because the selling point of Let's Encrypt is to prevent MitM attacks through mass adoption of TLS! :-)

Now, which is safer?
- KNOWING that you are communicating over a public channel and behaving accordingly, or
- BELIEVING that you are communicating over a private channel and behaving accordingly?

On the trade-offs to consider:
https://medium.com/berkman-klein-center/the-uncertain-effects-of-https-adopt...
https://meyerweb.com/eric/thoughts/2018/08/07/securing-sites-made-them-less-...

Giacomo
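A defender-side check for the pattern discussed above (hijacked DNS answers paired with a browser-trusted certificate the domain owner never deployed), added here as an example and not code from the FireEye report or from the post. It assumes the domain owner keeps a baseline of authorised A records and deployed certificate fingerprints; the resolvers, addresses, fingerprints and issuer strings below are constructed sample values.

```python
# Added example: compare what resolvers and TLS endpoints show for a domain
# against the owner's own baseline. A DNS hijack of the kind described above
# surfaces as an unexpected A record together with a certificate that is valid
# (publicly trusted, e.g. ACME-issued) but was never deployed by the owner.
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One vantage point's view: resolver queried, A records returned, and the
    SHA-256 fingerprint plus issuer of the TLS leaf certificate served there."""
    resolver: str
    a_records: frozenset
    cert_sha256: str
    cert_issuer: str


@dataclass(frozen=True)
class Baseline:
    """Ground truth held by the domain owner (hypothetical): authorised A records
    and the fingerprints of certificates the owner actually installed."""
    a_records: frozenset
    cert_sha256: frozenset


def check_domain(domain, baseline, observations):
    """Return a list of finding strings; an empty list means every vantage point
    agrees with the baseline. Each finding names the resolver it was seen from,
    so a single rogue answer (a poisoned or hijacked zone) stands out."""
    findings = []
    for obs in observations:
        rogue_ips = obs.a_records - baseline.a_records
        if rogue_ips:
            findings.append(f"{domain} via {obs.resolver}: unexpected A record(s) {sorted(rogue_ips)}")
        if obs.cert_sha256 not in baseline.cert_sha256:
            findings.append(f"{domain} via {obs.resolver}: certificate {obs.cert_sha256[:12]}... "
                            f"(issuer {obs.cert_issuer!r}) is not in the deployed set")
    return findings


# Constructed sample data: one honest vantage point and one that returns a
# redirected address serving a valid-looking but unknown certificate.
BASELINE = Baseline(a_records=frozenset({"203.0.113.10"}), cert_sha256=frozenset({"a" * 64}))
OBSERVATIONS = [
    Observation("resolver-a.example", frozenset({"203.0.113.10"}), "a" * 64, "Example Corp CA"),
    Observation("resolver-b.example", frozenset({"198.51.100.77"}), "b" * 64, "Public ACME CA (sample)"),
]

if __name__ == "__main__":
    for line in check_domain("www.example", BASELINE, OBSERVATIONS):
        print(line)
```

In practice the observations would come from several independent resolvers and from a TLS connection to each returned address; the comparison logic stays the same.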