The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency warning about DNS hijacking attacks. All federal government agencies have been instructed to audit their DNS settings within the next 10 days.
CISA reports that hackers have been targeting government agencies and modifying their Domain Name System records. DNS records are used to determine the IP address of a website from the domain name entered into the browser. By modifying the DNS records, web traffic and email traffic can be re-routed.
This method of attack allows sensitive data to be stolen without compromising the victim's network, and users are unlikely to be aware that their communications have been intercepted. Re-routed email is likely to go unnoticed, and web traffic can be re-routed to identical copies of legitimate sites. Because the attackers obtain valid TLS/SSL certificates for those sites, browsers raise no warning.
DNS attacks allow hackers to gather information about the websites visited by users and the information could be used in phishing campaigns. The attacks appear to be concerned with obtaining domain and login credentials.
The DNS attacks are not limited to the United States. FireEye and Cisco Talos researchers have also observed attacks in the Middle East, North Africa, and Europe. The DNS hijacking campaign is extensive and many of the attacks have succeeded. Several executive branch agency domains have been affected. Those agencies have been notified by DHS, but further attacks can be expected.
While the individuals behind the attacks have not been identified, the campaign appears to be linked to Iran.
DHS has issued a four-step plan that must be enacted in the next 10 days.
- Audit all .gov and agency-managed domains on authoritative and secondary DNS servers and ensure that they direct traffic to the intended location. NS records and those associated with key agency services should be prioritized. If DNS changes are discovered, they must be reported to CISA.
- All federal agencies have been instructed to change DNS account passwords on accounts that can make changes to the agency’s DNS records. New unique, complex passwords should be set.
- All DNS accounts that can make changes to DNS records should have multi-factor authentication enabled. If MFA cannot be enabled on systems, CISA must be notified.
- CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service within the next 10 days. Agencies must immediately begin monitoring CT logs for certificates issued for their domains that the agency did not request. Any such unrequested certificate must be reported to CISA.
Any agency that discovers anomalous DNS records will be provided with technical assistance by CISA.
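The first step, checking that every domain's records still point where the agency intends, is straightforward to automate as a baseline comparison. The script below is an added example, not part of the directive or this article: it compares an expected set of NS, A and MX records per domain with what a resolver returns and reports each deviation. The domains, addresses and "observed" answers are constructed sample data, and the lookup is injected so the same audit can run against a real resolver.

```python
"""Baseline-vs-observed DNS audit (added example; domains are constructed)."""
from typing import Callable, Dict, List, Set

Lookup = Callable[[str, str], Set[str]]
Records = Dict[str, Dict[str, Set[str]]]

# Constructed baseline: the records the agency's change logs say should exist.
EXPECTED: Records = {
    "agency.example.gov": {
        "NS": {"ns1.agency.example.gov.", "ns2.agency.example.gov."},
        "A": {"192.0.2.10"},
        "MX": {"10 mail.agency.example.gov."},
    },
    "portal.agency.example.gov": {"A": {"192.0.2.20"}},
}

# Constructed "live" answers showing the hijack pattern from the article:
# an extra, unknown name server and an MX record re-pointed elsewhere.
OBSERVED: Records = {
    "agency.example.gov": {
        "NS": {"ns1.agency.example.gov.", "ns2.agency.example.gov.",
               "ns.unknown.example."},
        "A": {"192.0.2.10"},
        "MX": {"10 mail.unknown.example."},
    },
    "portal.agency.example.gov": {"A": {"192.0.2.20"}},
}


def constructed_lookup(domain: str, rtype: str) -> Set[str]:
    """Stand-in resolver that answers from the constructed OBSERVED data."""
    return OBSERVED.get(domain, {}).get(rtype, set())


def audit_dns(expected: Records, lookup: Lookup) -> List[str]:
    """Return one finding per (domain, record type) whose live answer differs
    from the baseline. An empty list means every audited record matches."""
    findings: List[str] = []
    for domain, records in expected.items():
        for rtype, want in records.items():
            got = lookup(domain, rtype)
            if got != want:
                unexpected = sorted(got - want)  # records that should not be there
                missing = sorted(want - got)     # records that should be but are not
                findings.append(f"{domain} {rtype}: unexpected={unexpected} missing={missing}")
    return findings


if __name__ == "__main__":
    for line in audit_dns(EXPECTED, constructed_lookup) or ["no deviations found"]:
        print(line)
```

For a live audit, pass a lookup that wraps a real resolver (for example dnspython's `dns.resolver.resolve(domain, rtype)`) and compare against the baseline exported from the agency's own DNS management records; any finding is the kind of change the directive requires be reported to CISA.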
A status report must be submitted to CISA by January 25, 2019 and a completion report must be submitted to CISA by February 5, 2019 confirming the above four steps have been implemented.