Rewterz

Rewterz Threat Alert – Sea Turtle Adopts New DNS Hijacking Techniques

Severity

High

Analysis Summary

The “Sea Turtle” DNS hijacking campaign continues its efforts to compromise victims. Its operators have adopted a new technique: instead of tampering with individual records inside the victim’s zone, they modify the target domain’s name server (NS) records, so that the domain is delegated to actor-controlled name servers. Every resolver that looks up the domain is then answered by the attacker, who can return the address of a malicious web or mail server for any name in the zone. This positions the actor for a man-in-the-middle attack against the victim’s web and e-mail traffic and for credential harvesting. Because the altered delegation lives in the parent zone, the victim’s own authoritative servers keep answering normally, so the change can go unnoticed unless the delegation itself is monitored.

Impact

  • DNS hijacking through altered name server (NS) delegation
  • Man-in-the-middle interception of web and e-mail traffic
  • Credential harvesting

Indicators of Compromise

IP(s) / Hostname(s)

  • 185[.]64[.]105[.]100
  • 178[.]17[.]167[.]51
  • 95[.]179[.]131[.]225
  • 140[.]82[.]58[.]253
  • 95[.]179[.]156[.]61
  • 196[.]29[.]187[.]100
  • 188[.]226[.]192[.]35
  • 45[.]32[.]100[.]62
  • 95[.]179[.]150[.]101


Hostnames (actor-controlled name servers)

  • ns1[.]intersecdns[.]com
  • ns2[.]intersecdns[.]com
  • ns1[.]rootdnservers[.]com
  • ns2[.]rootdnservers[.]com

Remediation

  • Search for these IOCs in your respective environment, including resolver, proxy and mail logs; refang the indicators (replace “[.]” with “.”) before searching.
  • Block all threat indicators at your respective controls.
  • Verify that the NS records for your domains, as served by the parent zone (the TLD servers) rather than by your own resolvers or authoritative servers, still point only to your legitimate name servers.
  • Alert on any change to your domains’ NS records.
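The following script is an added example, not part of the Rewterz alert or of any tooling the alert describes. It ties together the analysis (a hijacked NS delegation is only visible at the parent zone) and the remediation steps (refang the published indicators, search logs for them, check your delegation). The indicator lists are copied from the alert; `example.com`, `example-dns.net` and the sample resolver log lines are constructed placeholders, and the `check_delegation` input is meant to be the output of `dig +short NS <domain> @<TLD server>`.

```python
"""Triage helpers for an NS-delegation hijack: refang published indicators,
compare observed delegation with the expected one, and sweep logs for hits."""
import re
from typing import Dict, Iterable, List

# Indicators exactly as published in the alert above, still defanged.
DEFANGED_IPS = [
    "185[.]64[.]105[.]100", "178[.]17[.]167[.]51", "95[.]179[.]131[.]225",
    "140[.]82[.]58[.]253", "95[.]179[.]156[.]61", "196[.]29[.]187[.]100",
    "188[.]226[.]192[.]35", "45[.]32[.]100[.]62", "95[.]179[.]150[.]101",
]
DEFANGED_NS_HOSTS = [
    "ns1[.]intersecdns[.]com", "ns2[.]intersecdns[.]com",
    "ns1[.]rootdnservers[.]com", "ns2[.]rootdnservers[.]com",
]


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', '{.}', '[dot]', 'hxxp://'), lower-case,
    and drop a trailing dot so 'NS1.IntersecDNS.com.' from dig equals the IOC."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.rstrip(".")


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_NS_HOSTS = {refang(h) for h in DEFANGED_NS_HOSTS}
# Registered domains behind the IOC hosts, so e.g. ns3.rootdnservers.com is flagged too.
IOC_NS_DOMAINS = {".".join(h.split(".")[-2:]) for h in IOC_NS_HOSTS}


def hostname_is_ioc(host: str) -> bool:
    h = refang(host)
    return h in IOC_NS_HOSTS or any(h == d or h.endswith("." + d) for d in IOC_NS_DOMAINS)


def check_delegation(domain: str, observed_ns: Iterable[str],
                     expected_ns: Iterable[str]) -> List[str]:
    """Diff the NS set the parent zone hands out against the set you configured.

    Feed it the output of `dig +short NS <domain> @<TLD server>`: a hijacked
    delegation is only visible at the parent, your own servers still answer
    with the old records. An empty result means the delegation looks intact."""
    observed = {refang(n) for n in observed_ns}
    expected = {refang(n) for n in expected_ns}
    findings = []
    for ns in sorted(observed - expected):
        sev = "CRITICAL" if hostname_is_ioc(ns) else "WARNING"
        findings.append(f"{sev}: {domain} delegated to unexpected name server {ns}")
    for ns in sorted(expected - observed):
        findings.append(f"WARNING: {domain} no longer delegated to {ns}")
    return findings


# Whole IPv4 addresses and hostnames only, so 185.64.105.1000 is not a hit.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_RE = re.compile(r"(?<![\w-])((?:[a-z0-9-]+\.)+[a-z]{2,})\.?(?![\w-])", re.I)


def scan_log_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Sweep free-form log text (resolver, proxy, mail logs) for IOC IPs and hosts."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append({"line": lineno, "type": "ip", "indicator": ip})
        for host in HOST_RE.findall(line):
            if hostname_is_ioc(host):
                hits.append({"line": lineno, "type": "hostname",
                             "indicator": refang(host)})
    return hits


# Constructed sample resolver log, not real telemetry; example.com is a placeholder.
SAMPLE_LOG = [
    "2019-07-18T09:12:01Z query client=10.0.0.23 qname=www.example.com. qtype=A",
    "2019-07-18T09:12:02Z answer qname=www.example.com. rdata=185.64.105.100",
    "2019-07-18T09:12:05Z query client=10.0.0.23 qname=ns1.intersecdns.com. qtype=A",
    "2019-07-18T09:13:10Z answer qname=mail.example.com. rdata=203.0.113.25",
]

if __name__ == "__main__":
    # Constructed scenario: the parent zone hands out actor name servers instead of ours.
    for finding in check_delegation("example.com",
                                    ["ns1.intersecdns.com.", "ns2.intersecdns.com."],
                                    ["ns1.example-dns.net", "ns2.example-dns.net"]):
        print(finding)
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
```

Query the TLD servers for the delegation rather than your own resolver: a resolver with the old NS set cached, or your own authoritative servers, will keep reporting the legitimate name servers long after the parent zone has been changed. Run the delegation check on a schedule and alert on any non-empty result, not just on IOC matches, since the next campaign will use different name server names.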