U.S. Government Issues Urgent Warning of DNS Attacks

An emergency directive from the Department of Homeland Security provides “required actions” for U.S. government agencies to prevent widespread DNS hijacking attacks.

The Department of Homeland Security is ordering all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days.

The department’s rare “emergency directive,” issued Tuesday, warned that multiple government domains have been targeted by DNS hijacking attacks, allowing attackers to redirect and intercept web and mail traffic.

“[The Cybersecurity and Infrastructure Security Agency] (CISA) is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them,” said the alert.

The warning comes on the heels of a Jan. 10 FireEye report which detailed a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa.

The Attacks

DNS hijacking is an attack in which an adversary redirects queries to a domain name server by overriding a computer’s transmission control protocol/internet protocol (TCP/IP) settings – generally by modifying a server’s settings.

The DHS, for its part, said that the attacker begins by logging into the DNS provider’s administration panel using previously-compromised credentials.

The attacker then alters DNS records – including address (A), mail exchanger (MX) or name server (NS) records – and replaces the legitimate address of a service with an address the attacker controls, thus redirecting traffic. Attackers can also alter and tamper with the redirected traffic flows.

“This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose,” said the DHS in its advisory. “This creates a risk that persists beyond the period of traffic redirection.”

Because the attackers can set the DNS record values for the domain, they can obtain valid encryption certificates for an organization’s domain names; this lets browsers establish a connection without any certificate errors, since the certificate is trusted, FireEye researchers said. In the most recent campaigns, the attackers have used certificates from the Let’s Encrypt open certificate authority.

That valid certificate then enables the redirected traffic to be decrypted and exposes any user-submitted data.

Government Response

The emergency directive issued by the DHS provides “required actions” that government agencies must fulfill in the next 10 business days.

“To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires… near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains and detect unauthorized certificates,” said the report.

First, the DHS said all .gov domain admins must audit their DNS records over the next 10 days to verify that no traffic is being redirected.

The department also urged agencies to update their passwords for all accounts on systems that can make changes to agency DNS records, and to implement multi-factor authentication for accounts on DNS admin systems. Finally, agencies are being directed to monitor certificate transparency logs.
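One way to carry out the directive’s record audit and certificate-transparency monitoring, as an added example that is not code from DHS, CISA or FireEye: observed DNS records and CT entries are compared with an approved baseline, and anything that drifted is reported. Every domain, address, issuer name and CT entry below is constructed for the example.

```python
"""Added example (not from DHS, CISA or FireEye): compare a domain's observed
DNS records and certificate-transparency entries with an approved baseline.
Every domain, address and CT entry below is constructed."""
from collections import defaultdict

BASELINE = {  # constructed: the record sets the agency's change log says should exist
    ("example-agency.gov", "NS"): {"ns1.example-agency.gov.", "ns2.example-agency.gov."},
    ("example-agency.gov", "MX"): {"10 mail.example-agency.gov."},
    ("www.example-agency.gov", "A"): {"198.51.100.80"},
}
APPROVED_ISSUERS = {"Example Agency Internal CA"}  # constructed: CAs the agency uses

# Constructed zone-style snapshot of what resolvers currently return; an extra MX
# record and a changed www A record stand in for the tampering described above.
SNAPSHOT = """\
example-agency.gov.      3600 IN NS ns1.example-agency.gov.
example-agency.gov.      3600 IN NS ns2.example-agency.gov.
example-agency.gov.      300  IN MX 10 mail.example-agency.gov.
example-agency.gov.      300  IN MX 5 relay.hijacker.example.
www.example-agency.gov.  60   IN A  203.0.113.7
"""

CT_ENTRIES = [  # constructed CT log entries as (subject name, issuer)
    ("www.example-agency.gov", "Example Agency Internal CA"),
    ("mail.example-agency.gov", "Let's Encrypt"),
]

def parse_snapshot(text):
    """Group a zone-style dump into {(owner, type): set(rdata)}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN":
            records[(parts[0].rstrip("."), parts[3])].add(parts[4].strip())
    return records

def audit_records(baseline, observed):
    """Return (owner, type, unexpected, missing) for each record set that drifted."""
    findings = []
    for (owner, rtype), expected in baseline.items():
        seen = observed.get((owner, rtype), set())
        if seen != expected:
            findings.append((owner, rtype, sorted(seen - expected), sorted(expected - seen)))
    return findings

def unexpected_certs(entries, approved, zone):
    """Flag CT entries for names under the zone issued by a CA the agency does not use."""
    return [(name, issuer) for name, issuer in entries
            if (name == zone or name.endswith("." + zone)) and issuer not in approved]
```

Running `audit_records(BASELINE, parse_snapshot(SNAPSHOT))` reports the extra MX record and the changed www address, and `unexpected_certs(CT_ENTRIES, APPROVED_ISSUERS, "example-agency.gov")` flags the certificate issued by a CA the agency does not use.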

The warning comes as the U.S. government enters its 33rd day of a shutdown (as of Wednesday), a prolonged incident that has sparked concerns about its impact on security across the board.

Iran Attribution

Researchers assess “with moderate confidence” that the recent DNS hijacking activity is conducted by a group or groups in Iran, and that the activity aligns with Iranian government interests.

The attacks have been observed in clusters between January 2017 and January 2019, the researchers said in an analysis of the attacks.

Alister Shepherd, MEA director of Mandiant at FireEye, told Threatpost that the campaign is ongoing – but that there is no indication of how many credentials have been harvested thus far. However, the researchers do say that the attackers had “a high degree of success” harvesting targets’ credentials.

This most recent DNS hijacking campaign “showcases the continuing evolution in tactics from Iran-based actors,” FireEye researchers stressed. “This is an overview of one set of TTPs that we recently observed affecting multiple entities.”

Microsoft patches critical Windows DNS client vulnerabilities

Three critical Windows DNS client vulnerabilities were patched today by Microsoft, closing off an avenue by which an attacker could, relatively simply, answer DNS queries with a malicious response and gain arbitrary code execution on Windows clients or Windows Server installations.

The flaws were discovered and privately disclosed to Microsoft by researcher Nick Freeman at Bishop Fox. An attacker on the local network or in a man-in-the-middle position could insert a malicious payload into a DNS response to a Windows machine’s DNS request and trigger the vulnerability.

Windows admins are advised to patch immediately; the bug affects Windows 8 and Windows 10 clients, and Windows Server 2012 and 2016. Bishop Fox said it is not aware of any public attacks using this vulnerability.

“In the majority of cases, the only requirement would be that an attacker is connected to the same network as their target,” Freeman said.

The bug, CVE-2017-11779, traces back to the introduction of DNSSEC support in the Microsoft operating system, starting with Windows 8, via the DNSAPI.dll library. At its core is the Nsec3_RecordRead function, which unsafely parses NSEC3 DNS resource records, Freeman said. Users are at risk regardless of how they interact with the client or server, since DNS requests can be made silently by background processes looking up IP addresses, or more visibly through browsing, email applications or streaming music services, for example.

Bishop Fox reasoned in its report that DNSSEC was introduced into Windows in part to reduce the risk posed by the plaintext nature of the DNS protocol, which leaves it vulnerable to man-in-the-middle attacks. The NSEC3 vulnerability arrived with DNSSEC.

“The Windows DNS client doesn’t do enough sanity checking when it processes a DNS response that contains an NSEC3 record,” Freeman wrote in a report released today. “Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”

There are slight upsides to the bug, Freeman said.

“Because the record is malformed, it doesn’t make it through the normal DNS system. Servers along the way will drop it because it doesn’t fit the standard for NSEC3 records,” he wrote. “This is a good thing, because otherwise this issue would be easier to exploit and have far more serious implications. So, for an attacker to exploit this issue, they need to be between you and the DNS server you’re using.”

However, attackers exploiting the three heap overflow bugs can elevate privileges on a Windows machine, access any sensitive data stored locally, or run code on the client or server. Because the Nsec3_RecordRead function fails to parse resource records in a secure way, multiple out-of-bounds writes may result, Freeman said.
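To show the kind of sanity checking the report says the Windows client lacked, here is an added example (not Microsoft’s or Bishop Fox’s code) of a length-checked parser for NSEC3 RDATA in its RFC 5155 wire layout: every declared field length is verified against the bytes actually present before anything is read, so a record whose salt or hash length runs past the end of the data is rejected instead of driving an out-of-bounds access. The two sample records are constructed.

```python
"""Added example, not Bishop Fox's or Microsoft's code: a length-checked parser
for NSEC3 RDATA (RFC 5155 layout). Declared lengths are checked before use, the
check the Windows client reportedly skipped. Sample records are constructed."""
import struct

class MalformedNsec3(ValueError):
    """Raised when a declared field length does not fit the record."""

def parse_nsec3(rdata: bytes) -> dict:
    """Parse NSEC3 RDATA; every declared length is checked before it is read."""
    pos = 0
    def take(n, what):
        nonlocal pos
        if pos + n > len(rdata):                 # the declared length must fit
            raise MalformedNsec3(f"{what} runs past end of record")
        chunk = rdata[pos:pos + n]
        pos += n
        return chunk
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", take(5, "header"))
    salt = take(salt_len, "salt")
    hash_len = take(1, "hash length")[0]
    if hash_len == 0:
        raise MalformedNsec3("empty next hashed owner name")
    next_hashed = take(hash_len, "next hashed owner")
    types = set()
    while pos < len(rdata):                      # type bit maps: window, length, bitmap
        window, bm_len = take(2, "bitmap header")
        if not 1 <= bm_len <= 32:
            raise MalformedNsec3("bitmap length must be 1..32")
        for i, byte in enumerate(take(bm_len, "bitmap")):
            for bit in range(8):
                if byte & (0x80 >> bit):         # bit 0 is the most significant bit
                    types.add(window * 256 + i * 8 + bit)
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next_hashed": next_hashed, "types": sorted(types)}

def is_well_formed(rdata: bytes) -> bool:
    """True if the record parses; False if any declared length is inconsistent."""
    try:
        parse_nsec3(rdata)
        return True
    except MalformedNsec3:
        return False

# Constructed well-formed record: SHA-1, opt-out flag, 10 iterations, 2-byte salt,
# 4-byte next-hashed owner (real records use 20), window 0 bitmap with A and NS set.
GOOD = bytes([1, 1, 0, 10, 2, 0xAB, 0xCD, 4, 1, 2, 3, 4, 0, 1, 0x60])
# Constructed malformed record: salt length claims 200 bytes but only 2 follow.
BAD = bytes([1, 1, 0, 10, 200, 0xAB, 0xCD])
```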

“The responsible DNSAPI DLL is commonly used by the DnsCache service which runs under svchost.exe as the NT AUTHORITY\NETWORK SERVICE user, and provides the DNS caching service for the DNS client on Windows systems,” Freeman wrote. “It’s also imported by other applications for making DNS queries.”

This bug is especially risky for enterprises because of its potential impact on Windows servers!