Recent DNS Hijacking Campaigns Trigger Government ActionUS and UK Agencies Respond to Increasing Attacks
A recent spate of attacks targeting domain name system protocols and registrars, including several incidents that researchers believe have ties to nation-state espionage, is prompting the U.S. and U.K. governments to issues warnings and policy updates to improve security.
See Also: Threat Briefing: Ransomware
The recent alerts and updates issued by the U.S. General Services Administration, which has responsibility for .gov domains, and the U.K. National Cyber Security Center over the last two weeks come at a time when security experts warn that the aging DNS protocol cannot keep up with modern threats and tools designed to hijack internet traffic.
On Wednesday, the GSA plans to start alerting officials who oversee .gov domains when changes are made to those sites' DNS registrar. Meanwhile, British officials have issued a new warning about attacks targeting DNS - the second time this year it has issued such an alert.
DNS Hijacking Is Top Concern
The main concern is DNS hijacking, which involves attackers manipulating records so they can see traffic flowing to a particular website or service. These hijacking incidents can also involve phishing attacks to collect login credentials.
With the right tools, attackers can also set an IP address for a domain name that is different than the legitimate address but is almost impossible for end users to see. In these cases, even if the domain name is typed correctly in a browser, the victim or target is shuffled to the bogus service that may look completely legitimate, especially with a freshly generated Transport Layer Security or Secure Sockets Layer certificate.
A number of new and visible attacks are prompting a closer look at the flaws in the technology, says Kris Beevers, CEO of NS1, an intelligent DNS and internet traffic management technology company based in New York.
"These guidelines from government bodies around the world validate what we in the industry have been advising our customers and businesses for some time," Beevers tells Information Security Media Group. "The use of multifactor authentication and ongoing monitoring of DNS records are basic security measures organizations should be taking to protect their sites and underlying customer data from DNS hijacking attacks."
A Time for Change?
The domain name system protocol acts as a "phone book" for the internet. DNS takes the domain names we use every day and translates them into a numeric code that helps computers find what the user is seeking.
Over the years, the types of attacks that target DNS have increased, with security researchers warning that the DNS protocols, some of which were designed without security in mind, need to be rethought.
At this year's RSA Conference, some security experts called for the more rapid implementation of Domain Name System Security Extensions - DNSSEC - which can help better secure DNS (see: 10 Highlights: Cryptographers' Panel at RSA Conference 2019).
One recent series of complex attacks that caught the attention of researchers at Cisco Talos is attributed to a group known as Sea Turtle, which has been hijacking DNS traffic in Asia, Europe and the Middle East as a part of an ongoing espionage campaign (see: 'Sea Turtle' DNS Hijackers Expand Reach).
"As infrastructure has grown increasingly distributed and complex, DNS has evolved to become more than just the phone book of the internet," Beevers says.
"It is the first stop for all application traffic - the main gateway to the enterprise and therefore an ideal target. Bad actors are recognizing that DNS - from registrar, to authoritative DNS, to recursive - is a relative weak point in the mitigation strategies of enterprises, governments and other organizations relative to the potential malicious impact they can have by attacking DNS. The concern goes beyond just a single threat, like DNS hijacking or DDoS. Attackers are taking advantage of the central role DNS plays in orchestrating all internet and application traffic."
Prompting Government Action
At the start of the year, the U.S. Department of Homeland Security issued a warning that federal agencies were being targeted by attackers looking to manipulate domain name system records (see: DHS Issues More Urgent Warning on DNS Hijacking).
In response to this warning, as well as other concerns, the General Services Administration, which oversees the .gov top-level domain and makes it available to federal, state and local agencies, is starting a new, email-based auto notification systems on Wednesday to alert those officials overseeing government websites when changes are made to the domain name server host names, name server IP addresses or key data associated with DNS, an agency spokesperson tells ISMG.
"The purpose of this proactive auto-notification enhancement is to alert designated .gov domain [point-of-contacts] of DNS information changes to their .gov domain, and to ensure that those were not made in error or maliciously," the GSA spokesperson says.
With .gov websites, there are three points of contact for each site, and all three will now be notified if there's a change to the domain registrar. If the activity appears suspicious, these points of contact can call either the GSA's DotGov Registrar Customer Service or log into the domain registrar to investigate, the GSA spokesperson says.
In other recent government action, on July 12, the U.K. National Cyber Security Center posted an update, noting that researchers have observed an increase in these incidents "with victims of DNS hijacking identified across multiple regions and sectors," according to the alert. The alert did not point to any specific incidents, but it's the second time since January that British authorities have felt the need to alert businesses and the public that these attacks are ongoing and a growing concern.
Chris Morales, head of security analytics at Vectra, a security vendor based in a San Jose, California, tells ISMG that the U.K. and U.S. governments are attempting get agencies to better control who has access to the DNS registrar, which is a challenging task.
"As administrative access to a DNS or website registrar is like any other account, the same set of rules for protecting that account apply as to any other," Morales says. "The best any government can do is to make recommendations on strong privileged account management, which candidly isn't just a DNS problem. Privileged access is the single biggest problem in every organization today - who has access to what and how is that access used."
Other Changes Likely
Government updates and alerts could prompt some business enterprises as well as government agencies to require that their DNS and registrar vendors make DNSSEC and other domain security best practices easier to implement and standardized, Beevers says.
Meanwhile, internet service providers and other are also pushing for new technologies to help secure DNS. Beevers cites the push by Google, via its Chrome browser, to incentivize web traffic that uses TLS encryption.
"Government and regulatory bodies will become more invested in change, especially given the national security implications of many of these attack models, which have targeted government bodies," Beevers says.