A sea turtle hacking group attacks government domains.

Researchers at Cisco's Talos threat intelligence unit have uncovered a hacking group that has been attacking at least 40 organizations in 13 countries for more than two years, among them government, intelligence, telecommunications and internet service providers. The campaign, which Talos calls "Sea Turtle", has some similarities to DNSpionage, an earlier campaign that redirected users to attacker-controlled copies of legitimate websites in order to steal their passwords. The researchers nevertheless assessed with high confidence that Sea Turtle is a separate, new operation.

Sea Turtle targets organizations by hijacking their DNS: the attackers point a target's domain name at infrastructure they control. The technique abuses long-standing weaknesses in how DNS records are administered rather than any flaw in the victim's own web applications, and it lets the attackers redirect unsuspecting users to fake login pages that capture their credentials.

A Sea Turtle attack begins with spear-phishing to establish a foothold in the target's network. Known vulnerabilities in servers and routers are then exploited to move laterally and collect network credentials, including credentials for the target's account at its DNS registrar or registry. With those credentials the attackers update the target's DNS records so that its domain name resolves to the IP address of a server under their control.

The attackers then run a man-in-the-middle operation: the rogue server impersonates the target's legitimate login pages and harvests additional credentials, which are used to move further into the organization's network. By obtaining their own HTTPS certificate for the target domain, the attackers make the malicious server appear authentic to users' browsers.

According to Talos, the hackers used this technique to compromise the Swedish DNS provider Netnod, which operates one of the 13 root servers that power the global DNS infrastructure. Using similar tactics, they also gained access to the registry that manages Armenia's top-level domain. Talos did not say which state is behind the group, but its researchers describe it as "highly capable."

Talos provided mitigation guidance in its blog post: "Talos suggests using a registry lock service, which will require an out-of-band message before changes can be made to a company's DNS record." If your registrar does not offer a registry lock service, the researchers recommend implementing multi-factor authentication, such as DUO, for access to your company's DNS records. If you believe you have been subjected to this type of intrusion activity, they recommend a network-wide password reset, preferably from a computer on an approved network. Finally, they recommend applying patches, especially on machines connected to the Internet, and network administrators can monitor passive DNS records for their domains for anomalies.
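The last recommendation, watching passive DNS for anomalies, is the one a defender can automate most directly. The following is an added example, not code from the article or from Talos: it compares a constructed set of passive-DNS observations (the domain, nameserver names and IP addresses are all made up) against the NS and A values an operator expects, and flags any record whose data falls outside that baseline. Because the hijacks described above only need to stay live long enough to harvest credentials, each finding also notes whether the record reverted to an expected value within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS observations, not real data:
# (first_seen, rrname, rrtype, rdata).
# The March 1st entries imitate the hijack pattern described in the article:
# the delegation briefly points at a hypothetical rogue nameserver, the mail
# host briefly resolves to a hypothetical actor-controlled IP, then both revert.
OBSERVATIONS = [
    ("2019-01-10T00:00", "example.gov", "NS", "ns1.example.gov"),
    ("2019-01-10T00:00", "example.gov", "NS", "ns2.example.gov"),
    ("2019-01-10T00:00", "mail.example.gov", "A", "192.0.2.10"),
    ("2019-02-15T00:00", "example.gov", "NS", "ns1.example.gov"),
    ("2019-02-15T00:00", "example.gov", "NS", "ns2.example.gov"),
    ("2019-03-01T02:00", "example.gov", "NS", "ns1.rogue-dns.example"),  # hypothetical rogue NS
    ("2019-03-01T02:10", "mail.example.gov", "A", "198.51.100.7"),       # hypothetical actor IP
    ("2019-03-01T08:00", "example.gov", "NS", "ns1.example.gov"),
    ("2019-03-01T08:00", "example.gov", "NS", "ns2.example.gov"),
    ("2019-03-01T08:05", "mail.example.gov", "A", "192.0.2.10"),
]

# Expected values, as an operator would record them from the registrar
# account and the zone file. Anything else is treated as an anomaly.
BASELINE = {
    ("example.gov", "NS"): {"ns1.example.gov", "ns2.example.gov"},
    ("mail.example.gov", "A"): {"192.0.2.10"},
}


def parse(ts):
    """Parse the ISO-style timestamps used in the observations."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def detect_dns_anomalies(observations, baseline, revert_window=timedelta(hours=24)):
    """Return one finding per observed rdata that is not in the baseline.

    Each finding records the name, type, unexpected value, when it was first
    seen, and whether a baseline value was observed again for that record
    within revert_window. A quick revert is typical of a credential-harvesting
    hijack and is worth surfacing separately from a permanent misconfiguration.
    """
    by_key = defaultdict(list)
    for ts, name, rtype, rdata in observations:
        by_key[(name, rtype)].append((parse(ts), rdata))

    findings = []
    for key, obs in by_key.items():
        expected = baseline.get(key)
        if expected is None:
            continue  # no baseline for this record: nothing to compare against
        obs.sort()  # chronological order
        for i, (ts, rdata) in enumerate(obs):
            if rdata in expected:
                continue
            # Look ahead for the first later observation that is back in the
            # baseline and within the window of the anomalous sighting.
            reverted = next(
                (t for t, r in obs[i + 1:] if r in expected and t - ts <= revert_window),
                None,
            )
            findings.append({
                "name": key[0],
                "rrtype": key[1],
                "rdata": rdata,
                "first_seen": ts.isoformat(timespec="minutes"),
                "reverted_within_window": reverted is not None,
            })
    return findings


if __name__ == "__main__":
    for f in detect_dns_anomalies(OBSERVATIONS, BASELINE):
        print(f"{f['first_seen']} {f['name']} {f['rrtype']} -> {f['rdata']}"
              f" (reverted within window: {f['reverted_within_window']})")
```

In practice the observations would come from a passive-DNS feed or from the organization's own resolvers, and the baseline from the registrar account and zone file. Note what the check does not catch: a hijack that changes only the glue or A records of the legitimate nameservers at the registrar, rather than the delegation itself, would need the nameservers' own A records added to the baseline as well.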