As the situation on the ground in Syria continues to deteriorate, the Syrian Electronic Army (SEA) has made quite a few waves by conducting an attack against the Domain Name System (DNS) infrastructure of several high-profile targets. CrowdStrike has received quite a few inquiries regarding these attacks, which have received the full attention of the media and security community. There has been much confusion and conjecture around the effects of this attack and the full extent of what happened. Some sources have been reporting that malware was delivered via the redirect of a prominent media outlet, while others are claiming that the DNS system is completely vulnerable. This blog post written with the help of Norm Ritchie Director, DNS Intelligence will seek to clarify what CrowdStrike believes is a reasonable sequence of events that have transpired, what this all means, and what are the best practices around protecting your DNS infrastructure.

Syrian Electronic Army

The Syrian Electronic Army is tracked using the CrowdStrike adversary designator DEADEYE JACKAL and is likely composed of several key members operating in support of the current Syrian President Bashar al-Assad. This adversary is best characterized by attacks over the last two years that have generally leveraged spear phishing attacks at social media representatives of prominent organizations, and large highly visible media outlets. These attacks have resulted in pro-Assad regime propaganda, messages aimed at causing confusion or panic, and simple defacements. There have also been some limited indications of “leak” type activity related to various unauthorized disclosures from the State of Qatar (a supporter of the anti-Assad forces).

http://www.bbc.co.uk/news/education-15061377

The pro-Assad messaging has been observed in Facebook spamming campaigns, various web page defacements, and tweets from compromised accounts. The above image from a 2011 attack against Harvard University typifies the type of pro-regime messaging that has been typical of DEADEYE JACKAL over the last two years.

http://money.cnn.com/2013/04/23/investing/stocks-markets/index.html

Confusion and panic can best be summed up in the noticeable drop in the above graph stemming from the April takeover of the Associated Press twitter account. This hijacked account was used to tweet about an alleged incident at the White House involving an attack that supposedly injured the President of the United States. This tweet is largely credited with dropping the Dow Jones one percent and eliminating some 200 billion dollars from the market (http://rt.com/news/syrian-electronic-army-ap-twitter-349/).

Web page defacements have been another common approach for DEADEYE JACKAL members and that is likely where they began to cut their teeth.

The use of web defacements is a common tactic amongst hackers who are seeking visibility and to deliver political or activist messaging. In the case of this adversary, many of the defacements credited to DEADEYE JACKAL members such as “SyRiAn GhOsT” have no real messaging but are simply calling cards the equivalent of digital graffiti. Many of these defacements date back as far as 2008, indicating this adversary has been learning and honing skills for a number of years.

Recent Attack

In the most recent attack, the domain of at least one major media outlet and several of a popular social networking service were redirected to an adversary-controlled server located in the Russian Federation. This redirection, depending on load, either displayed an adversary-controlled site or was unavailable. This attack reportedly leveraged a spear phish to gain access to an account that enabled the adversary to arbitrarily redirect the domain name from the registrar to a web server of the adversaries’ choosing. There is no more effective way to take a target off the Internet than to hijack its domain and redirect it someplace else. The following section will enumerate protections to ensure your domain is securely registered and following domain security best practices.

Registrar and Registry Locks – If you got ‘em, use them

There are two important entities in the domain registration world: registrars and registries. Registrars are the companies that you deal with directly when you register your domains. They offer registrations in multiple top-level domains (TLDs) such as com, net, org, us, and uk; provide DNS services for your domains; and often provide other services such as web hosting and email.

Registries operate the top-level domains such as com, net, org, us, and uk, and they provide DNS services for the TLD. The registry is like an overlord for a TLD — each TLD has one and only one registry operator. When you register a domain name, unseen to you is that the registrar communicates with the registry to request the new domain within the particular TLD. This one-registry-per-TLD structure is necessary to ensure uniqueness of domain names.

So why is this important?

In the events of this week, the SEA was able to gain access to the target accounts at the registrar and change the DNS settings for the domain names. Registrars offer an option called “registrar lock,” which prevents the unauthorized transfer of your domain names, but it does little in the case where your registrar account is compromised. If your registrar doesn’t offer strong account authentication, consider using “registry lock.” Registry locks prevent the registrar from updating the DNS records. So if your registrar account is compromised, the DNS records cannot be changed unless the registry lock has also removed. It is a bit more inconvenient for you, but DNS changes are infrequent so it’s well worth the additional effort.

DNS — the lifeblood of your domain

While we are discussing domain names and DNS, it is important to consider just how important the DNS is to your online presence.

DNS is the phone book of the Internet. Everything you do on the Internet uses the DNS, and that is why the DNS is often the target of the DDoS attacks. If an adversary can overwhelm the authoritative DNS servers associated with your domain name, then they can effectively take you offline and render your domain names unreachable. So when you choose your TLD (registry) and second-level domain names (registrar), consider the robustness of their DNS infrastructure and their resiliency to DDoS attacks.

If you have any questions about protecting your domain names, DNS or want to hear more about DEADEYE JACKAL and their tradecraft, please contact: intelligence@crowdstrike.com.