The Department of Homeland Security on Tuesday issued an emergency directive instructing federal government agencies to take preventative measures against an ongoing DNS hijacking campaign that has recently affected several executive branch domains.
Cisco Systems’ Talos research unit first reported on the DNS infrastructure tampering in November 2018. The attacks, which FireEye has tentatively attributed to Iran-sponsored actors, have hit targets not only in North America but also in the Middle East, North Africa and Europe.
In a typical scenario, the attackers compromise or steal credentials that allow them to access a specific organisation’s DNS records. They then modify those records, replacing the address of the organisation’s legitimate website with a malicious address to which unsuspecting visitors are redirected. The perpetrators also obtain valid TLS certificates for the target’s domain names, which allows them to decrypt any sensitive data that gets redirected to them.
In response, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 19-01, which orders federal agencies to audit their public DNS records on all authoritative and secondary DNS servers to ensure users are directed to the correct online destination. To further mitigate risk, agencies must also change DNS account passwords and add multi-factor authentication to those accounts. Agency officials have until 5 February to comply.
The directive also states that within 10 business days, CISA will "begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains…" Agencies must then respond by monitoring CT log data for any unauthorised certificates.
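As an added illustration of the two checks the directive asks for (this is not CISA's or the directive's tooling), the Python below compares the answers returned by each authoritative and secondary nameserver against a known-good baseline and flags CT log entries for the zone whose certificate fingerprints the agency does not recognise. All names, addresses and fingerprints are constructed.

```python
"""Added example: offline audit of (1) DNS answers per authoritative/secondary
server against a known-good baseline and (2) CT log entries for a zone against
the set of certificates the agency knowingly issued."""

# Constructed baseline: what the zone's records SHOULD resolve to.
EXPECTED_RECORDS = {
    ("www.example.gov", "A"): {"192.0.2.10"},
    ("mail.example.gov", "MX"): {"10 mx1.example.gov."},
}

# Constructed observations, as if each nameserver had been queried directly.
# ns2 (a secondary) serves an A record pointed at an address not in the baseline.
OBSERVED_BY_SERVER = {
    "ns1.example.gov": {("www.example.gov", "A"): ["192.0.2.10"],
                        ("mail.example.gov", "MX"): ["10 mx1.example.gov."]},
    "ns2.example.gov": {("www.example.gov", "A"): ["198.51.100.77"],
                        ("mail.example.gov", "MX"): ["10 mx1.example.gov."]},
}

def audit_dns(expected=EXPECTED_RECORDS, observed=OBSERVED_BY_SERVER):
    """Return one finding per (server, record) whose answer set differs from baseline."""
    findings = []
    for server, records in observed.items():
        for (name, rtype), want in expected.items():
            got = set(records.get((name, rtype), []))  # missing record is also a finding
            if got != want:
                findings.append({"server": server, "name": name, "type": rtype,
                                 "observed": sorted(got), "expected": sorted(want)})
    return findings

# Constructed CT log entries (fields a CT monitor typically returns) and the
# placeholder SHA-256 fingerprints of certificates the agency knowingly issued.
CT_ENTRIES = [
    {"names": ["www.example.gov"], "sha256": "aa11", "issuer": "Example CA"},
    {"names": ["www.example.gov", "mail.example.gov"], "sha256": "bb22", "issuer": "Other CA"},
    {"names": ["www.unrelated.example"], "sha256": "cc33", "issuer": "Other CA"},
]
KNOWN_FINGERPRINTS = {"aa11"}

def covers_zone(names, zone):
    """True if any subject name is the zone apex or a name under it."""
    return any(n == zone or n.endswith("." + zone) for n in names)

def audit_ct(entries=CT_ENTRIES, zone="example.gov", known=KNOWN_FINGERPRINTS):
    """Return CT entries that cover the zone but were not issued by the agency."""
    return [e for e in entries if covers_zone(e["names"], zone) and e["sha256"] not in known]
```

Each DNS finding names the server that diverged, which is what tells an agency whether a single secondary or the whole zone has been tampered with.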
In turn, CISA will provide technology assistance to agencies that discover any anomalous DNS records.
This article was originally published on SC Media US.