This week, Cisco’s Talos Intelligence Group revealed that researchers discovered a new spyware campaign, dubbed “DNSpionage,” which targeted individuals and government websites in the UAE and Lebanon. Additionally, the attackers also targeted Lebanese private companies, such as Middle Eastern Airlines (MEA). Though the researchers were not able to determine the identity of the attackers, they are convinced that this is a targeted operation.
The attackers embarked on two distinct campaigns hosted on some of the same servers. In a spearphishing attack, the hackers circulated links with fake job listings, which contained word documents with fake job descriptions. When targets downloaded these documents, they ran malicious code. The researchers were not able to determine whether the targets received spearphishing links through email, LinkedIn, or another social media platform. Because the malware “supports HTTP and DNS communication with the attackers,” the researchers dubbed the campaign “DNSPionage.” Effectively, DNS protocol links a specific IP address to a name. For instance when you visit smex.org a DNS request manages to grab the IP associated to smex.org to make it possible to deliver the web page through HTTP. Altering DNS requests can redirect a domain name to another unofficial IP address, and can also allow the hackers to gain access to visitors’ credentials.
In the second part of the campaign, the attackers redirected legitimate government-owned domain names, including those operated by the Lebanese Ministry of Finance, Middle Eastern Airlines, and the UAE’s Telecommunications Regulation Authority (TRA). According to the report, the attackers targeted mail hosting sites: webmail[.]finance[.]gov[.]lb and memail[.]mea[.]com[.]lb. Though the researchers are not exactly certain what information the attackers might have obtained, they posited that the attackers may have targeted email and VPN traffic to collect email usernames and passwords as well as VPN credentials. Because the attackers were able to redirect government-owned domain names, it is possible that the DNS-entry of the Ministry of Finance’s server was compromised.
At this time, SMEX recommends that anyone with an email registered on the Ministry of Finance’s mail server or at MEA Airlines change their password for all accounts, especially if it the password is used elsewhere. We will continue to cover the story as more details emerge.
Ragheb Ghandour is a PhD Student at Mines ParisTech France. He is a computer scientist with a Masters degree in Information Systems for Risk Management and a cybersecurity enthusiast. He mainly focuses on human-error in cybersecurity and the rights to online free expression and privacy.