Hijacking the internet and more news of the week

DNS hijackers attempt to undermine the entire infrastructure of the internet… and that’s just one exploit by this week’s bad guys.

Sea Turtle hijacks the internet

A hacker group that experts believe might be backed by a nation-state has been targeting big fish in the internet infrastructure world. Sea Turtle, as the group is nicknamed, launched cyberattacks against 40 government agencies, telecom companies, and internet titans across 13 countries for more than  two years using DNS hijacking, an advanced technique that reroutes users from their intended websites to a malicious server.

Because the targets include foreign ministries and intelligence agencies as well as internet root servers, it looks as though Sea Turtle’s prime directive is espionage. Among the top-level domains infiltrated are Saudi Arabia’s .sa and Armenia’s .am. The attacks begin with a spear phishing attempt, which gives the hackers an entry to the corporate network. From there, they seek vulnerabilities and exfiltrate credentials. Those credentials are then used to update the DNS registrar’s records so the domain name points to the server of the hackers’ choosing. The group has so far been successful in its attacks, and cybersecurity experts urge companies to begin using DNSSEC, a domain name system that uses encryption.

Fake ads pop malware into iOS sessions

A threat group known as eGobbler has launched eight different “malvertising” campaigns, appearing in an estimated half-billion user sessions over the course of a week. The group infected landing pages hosted on the .world domain, which in turn pushed out malicious pop-up ads to users. eGobbler’s malware takes advantage of a Chrome for iOS vulnerability that bypasses its pop-up blocker. The malware is also devious enough to circumvent standard ad sandboxing techniques that legitimate advertising servers would use to test the file. Cybersecurity researchers estimate the malicious pop-up attacks are one of the three largest malvertising campaigns in the past 18 months. On April 14, the campaign desisted on the .world servers and began on the .site servers.

‘The Nasty List’ soils Instagram

A phishing scam making the rounds on Instagram informs users that they have appeared on an alleged “Nasty List.” The scam is spread through hacked accounts which are used to send messages to followers, attempting to alarm them with a message such as “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.” When users visit the sender’s profile, they see more urgent statements (with more bad grammar) that they are on the supposed list as well as a malicious link purported to be the actual “Nasty List” itself. If users take the bait and click the link, they are taken to a spoofed Instagram log-in page, where they are prompted to re-enter their credentials. Once they do that, the cybercriminals have the data and can begin taking over the users’ accounts. All IG users who receive messages mentioning “The Nasty List” are advised to delete the message and unfollow the sender’s profile. Instagram gives guidance here.

Group spear-phishes the Ukrainian military

The Ukraine is so besieged by cyberattacks that it can almost seem as though the nation’s network is a testing ground for malware campaigns. But a recent campaign looks to be targeting the country itself for reasons of espionage. The spear-phishing emails purport to be from a defense contractor in the United Kingdom, looking to follow up on a meeting to discuss “cooperation with Ukrainian partners.” Malicious files are attached to the emails, disguised as documents. When victims download them, the malware triggers a second payload of malware to be delivered by its C2 (command and control). The second round of malware focuses on monitoring the Ukrainian military networks. A group based in the Luhansk People’s Republic, a region that declared independence in 2014, is suspected to be behind the attack, though it is as yet unconfirmed.

Avast evangelist sees a theme of the week

Luis Corrons, a security evangelist at Avast, notes that “Three of the four pieces of news this week have one thing in common: The starting point is a phishing attack. It does not matter whether our Instagram account or a nation’s military network is the target. At the end of the day attackers will need our credentials. Two-factor authentication (2FA) is the key to protecting ourselves. If we have this feature activated, even if the attackers have our Instagram username and password, they won't be able to access our account.”

Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.

--> -->