Email Security

    DNSpionage Demystified

    Espionage is the subject of more novels and Hollywood films than can even be accounted for.

    by Boris Vaynberg

    It seems intriguing on the written page or the silver screen to the average consumer, but when espionage starts to become a reality that affects the identity credentials of millions of people, it changes the perception considerably.

    It turns out that reality is sometimes more interesting (and scary) than fiction. When it comes to a new variation on espionage, all you have to do is look at what happened in the Middle East recently with the introduction of DNSpionage.

    What is DNSpionage?

    Just when you thought you’d heard of every new variation of cyberattack, you are confronted with a new one. Specifically, the latest threat, dubbed DNSpionage, has entered the landscape and is already paying off for cyber criminals.

    A KrebsOnSecurity article titled “A Deep Dive on the Recent Widespread DNS Hijacking Attacks” explains what DNSpionage is:

    “The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet addresses that are easier for computers to manage.”

    So, by hijacking a DNS server, cyber criminals can redirect traffic to an internet address they control and steal email and other login credentials from the users who are sent there.
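The practical defence against the redirect described above is to know what your own zones are supposed to resolve to and to notice when they stop doing so. The following is an added example (not code from the article or from the researchers it cites) that compares a stored baseline of A, MX and NS records with what resolvers currently return, the records an attacker would change to intercept web logins or mail. The domains, addresses and the `dig +short` output are constructed placeholders.

```python
"""Baseline check for DNS record hijacking (added example).

Compares the records an organisation expects for its own zones with the
records observed from a resolver and reports any A, MX or NS value that
changed or disappeared. Names and addresses are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed baseline: what our zone is supposed to serve.
BASELINE = {
    ("mail.example.com", "A"): {"198.51.100.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
}

# NS changes hand the whole zone to someone else, so rank them highest.
SEVERITY_BY_TYPE = {"NS": "critical", "MX": "high", "A": "high"}


@dataclass
class Finding:
    name: str
    rtype: str
    status: str            # "changed" or "missing"
    severity: str
    expected: set = field(default_factory=set)
    observed: set = field(default_factory=set)


def parse_dig_short(output):
    """Turn the output of `dig +short <name> <type>` into a set of values.

    One record per line; blank lines are ignored.  Used to build the
    'observed' side from whatever resolver you query.
    """
    return {line.strip() for line in output.splitlines() if line.strip()}


def detect_hijack(baseline, observed):
    """Return a list of Findings for every baseline record that differs.

    `observed` maps (name, rtype) -> set of values as currently resolved.
    A record that is absent from `observed` is reported as missing, since
    an empty answer for your own MX or NS is just as suspicious.
    """
    findings = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype))
        severity = SEVERITY_BY_TYPE.get(rtype, "medium")
        if not seen:
            findings.append(Finding(name, rtype, "missing", severity, expected, set()))
        elif seen != expected:
            findings.append(Finding(name, rtype, "changed", severity, expected, seen))
    return findings


if __name__ == "__main__":
    # Constructed resolver answers: the mail host now points somewhere else
    # and the MX lookup came back empty, while NS is unchanged.
    observed = {
        ("mail.example.com", "A"): parse_dig_short("203.0.113.5\n"),
        ("example.com", "MX"): parse_dig_short(""),
        ("example.com", "NS"): parse_dig_short("ns1.example.com.\nns2.example.com.\n"),
    }
    for f in detect_hijack(BASELINE, observed):
        print(f"[{f.severity}] {f.name} {f.rtype} {f.status}: "
              f"expected {sorted(f.expected)}, observed {sorted(f.observed)}")
```

Run this from a scheduled job against several independent resolvers (your own, plus public ones), because a hijack at the registrar or authoritative server shows up everywhere, while a poisoned internal resolver shows up only from inside.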

    DNSpionage In Action

    Unfortunately, DNSpionage is not just an academic or intellectual discussion of what potentially could happen. It was identified in late 2018 and is still a force to be reckoned with. A Dark Reading article titled “New Hacker Group Behind 'DNSpionage' Attacks in Middle East” describes how this malware is distributed and what it does, based on the recent Middle East attacks:

    “DNSpionage malware is being distributed via Microsoft Office documents hosted on two malicious websites designed to look like the jobs listing pages of two legitimate companies—Wipro and Suncor Energy. The hosted document is a copy of a legitimate file on Suncor's site.

    The malicious documents contain macros which when run drop DNSpionage on the target system. The malware is a Remote Access Trojan that supports HTTP and DNS communication with the attackers and gets executed when the Microsoft Office document is closed. It appears designed to extract data from the compromised system and send it to the command and control system.”
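A trojan that talks to its operators over DNS leaves a recognisable trace in resolver logs: one client looking up many distinct, long, random-looking subdomains of a single domain, often with unusual query types such as TXT. The following is an added example, not code from the article or from the researchers it cites, that scores each (client, registered domain) pair on exactly those properties. The log format, thresholds, client addresses and domain names are constructed assumptions.

```python
"""Flagging DNS command-and-control patterns in resolver logs (added example).

Groups queries by (client, registered domain) and flags groups whose
leftmost labels are long and high-entropy and whose subdomain count is
high.  Log lines, thresholds and names below are constructed.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2019-01-15T10:01:02Z 10.0.0.12 A www.example.com
2019-01-15T10:01:03Z 10.0.0.12 A mail.example.com
2019-01-15T10:01:05Z 10.0.0.12 A api.example.com
2019-01-15T10:02:10Z 10.0.0.12 TXT xq7zk3wp9vn2mt5rb8hc4jd6fg0ly1sa.placeholder.example
2019-01-15T10:02:11Z 10.0.0.12 TXT a2s4d6f8g0hjklqwertyuiopzxcvbnm1.placeholder.example
2019-01-15T10:02:12Z 10.0.0.12 TXT zyxwvutsrqponmlkjihgfedcba987654.placeholder.example
2019-01-15T10:03:00Z 10.0.0.44 A www.example.com
"""

# Assumed thresholds; tune against your own baseline of benign traffic.
MIN_DISTINCT_SUBDOMAINS = 3
MIN_MEAN_LABEL_LENGTH = 20
MIN_MEAN_ENTROPY = 3.5


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude registrable-domain cut: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (ts, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype, qname.rstrip(".").lower()))
    return records


def score_clients(records):
    """Return one finding per (client, domain) pair that looks like DNS C2."""
    groups = defaultdict(set)
    qtypes = defaultdict(set)
    for _, client, qtype, qname in records:
        key = (client, registered_domain(qname))
        groups[key].add(qname)
        qtypes[key].add(qtype)

    findings = []
    for (client, domain), names in groups.items():
        leftmost = [n.split(".")[0] for n in names]
        mean_len = sum(len(l) for l in leftmost) / len(leftmost)
        mean_ent = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        if (len(names) >= MIN_DISTINCT_SUBDOMAINS
                and mean_len >= MIN_MEAN_LABEL_LENGTH
                and mean_ent >= MIN_MEAN_ENTROPY):
            findings.append({
                "client": client,
                "domain": domain,
                "distinct_subdomains": len(names),
                "mean_label_length": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "qtypes": sorted(qtypes[(client, domain)]),
            })
    return findings


if __name__ == "__main__":
    for finding in score_clients(parse_log(SAMPLE_LOG)):
        print(finding)
```

The three thresholds must all be met, so a client that legitimately queries many short hostnames under one domain (as the first three lines do) is not flagged; in production, replace the two-label domain cut with a public-suffix list and feed the script from your resolver's query log rather than the inline sample.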

    We’ve written recently on how hackers are targeting entire countries, and this is another example of how to perpetrate harm on a very large scale.

    Don’t Be a Victim

    In order to protect your organization, you will need a cybersecurity strategy that takes into account identifying and eliminating executable code hidden in what should be innocuous content.

    The superior technology selection criterion is to choose only solutions that evaluate every line of code, rendering well-documented evasion techniques ineffective, while remaining agnostic to file type, client-side application type, and the client operating system used within the organization.

    Selected solutions should provide protection regardless of operating system, CPU architecture and function (client, server) of the targeted machine.
