DHS Issues More Urgent Warning on DNS HijackingGovernment Agencies Should Audit DNS Settings Within 10 Days
The U.S. Department of Homeland Security says executive branch agencies are being targeted by attacks aimed at modifying Domain Name System records, which are critical for locating websites and services.
On Tuesday, DHS issued an emergency directive giving government agencies 10 days to verify that their DNS records are accurate. That directive comes after a "series" of incidents that have redirected internet and email traffic, the agency says.
DHS's Cybersecurity and Infrastructure Security Agency "is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them," the directive says.
Cyberattacks that target DNS systems are particularly powerful. Modifying a DNS record can allow an attacker to see traffic flowing to a particular website or service or mount effective phishing attacks to collect login credentials.
It's also possible to set a different IP address for a domain name than the legitimate IP address, a clever ruse that is nearly undetectable to end users. Even if the domain name is typed correctly in a browser, the victim is shuffled to the bogus service that may look completely legitimate, especially with a freshly generated TLS/SSL certificate.
The warning comes amid a partial government shutdown that is stretching into its second month with no resolution in sight. While critical cybersecurity monitoring services are running, experts say a prolong shutdown will invariably have a long-term effect on readiness (see: Government Shutdown: Experts Fear Deep Cybersecurity Impact).
DNS Attacks: Back in Style
The upgraded warning comes after FireEye and Cisco's Talos intelligence unit noticed an uptick of DNS-related attacks, particularly in the Middle East.
Earlier this month, FireEye wrote about a wave of DNS hijacking attacks "affecting government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America."
The attackers aimed to compromise DNS records in order to eventually capture login and domain credentials, FireEye writes. Although it wasn't able to identify the attackers, its research "suggests the actor or actors responsible have a nexus to Iran."
"This campaign has targeted victims across the globe on an almost unprecedented scale with a high degree of success," FireEye says. "This type of attack is difficult to defend against, because valuable information can be stolen, even if an attacker is never able to get direct access to your organization's network."
A day after FireEye's blog post, DHS issued its first warning about DNS hijacking. In November 2018, Cisco's Talos wrote about the same style of attack, also in the Middle East.
Lebanon's Finance Ministry saw its email redirected as a result of a malicious DNS attack, according to a Talos blog post. Also in the UAE, Talos found that a law enforcement agency, the Telecommunication Regulatory Authority and Middle East Airlines, a Lebanese carrier, were struck by similar attacks.
The redirection destinations all carried digital certificates that the attackers generated from Let's Encrypt, the not-for-profit project dedicated to increasing the use of TLS/SSL certificates, Talos writes. Generating a fresh digital certificate for the redirected domain help ensure there is no warning from the browser that a service lack encryption that would raise suspicions.
The attacks appeared aimed at intercepting email and VPN traffic and perhaps credentials for those services, Talos says. The perpetrator was "an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up any time soon," the company reports.
Call to Action
CISA is recommending that government agencies check all authoritative and secondary DNS servers to ensure that A records, mail exchange and name server settings are accurate.
One of the common ways attackers can change records is by snagging the login credentials for DNS accounts. CISA recommends that those passwords be changed.
A DNS hijack "is difficult to defend against, because valuable information can be stolen even if an attacker is never able to get direct access to your organization's network."
CISA is also mandating that two-factor authentication be enabled for those accounts. If that can't be done, CISA wants agencies to report "the names of systems, why it cannot be enabled within the required timeline and when it could be enabled."
It also recommends that the two-factor codes not be sent over SMS, as recommended by NIST, because attackers could attempt to hijack a phone number through a fraudulent port (see: Gone in 15 Minutes: Australia's Phone Number Theft Problem).
The other important tip is to monitor Certificate Transparency logs for new certificates that have been created for government domains. That's one way to detect something strange is afoot.
"Upon receipt, agencies shall immediately begin monitoring CT log data for certificates issued that they did not request," CISA says. "If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA."