DUBAI 19 April 2019: A major web attack is currently hitting a country in the Middle East, according to web security firms.
The cyberattack began with a delivery document sent by email on March 27, 2019, to organizations in a single Middle Eastern country. The email appeared to originate from a large financial institution in the same country, although the sender address was likely spoofed, and its subject line was “Your account is locked.” This initial delivery document targeted organizations in the education, media/marketing, and government verticals, says Unit 42, the global threat intelligence team at Palo Alto Networks.
Four days later, on March 31, Unit 42 saw the same delivery email sent to a financial organization in a second Middle Eastern country. Unit 42 later discovered that this delivery document was just one of many in a larger campaign sent to organizations in the United States, Europe and Asia, targeting the same verticals as in the Middle East as well as technology, retail, manufacturing, state/local government, hospitality, medical, and other professional businesses.
John Hultquist, Director of Intelligence Analysis at FireEye, said FireEye is currently tracking several clusters of activity responsible for the manipulation of DNS records. This is the activity leveraging the malware we call TWOTONE and that TALOS calls DNSpionage.
We have observed this technique used by actors of many different skill levels to support espionage, crime, hacktivism and other motives, and we anticipate that more actors will adopt this technique in the near future. Additionally, though a great deal of the activity described by TALOS focuses on the Middle East and North Africa, there is no reason to assume DNS manipulation will remain limited to any region.