An emergency directive from the Department of Homeland Security provides \u201crequired actions\u201d for U.S. government agencies to prevent widespread DNS hijacking attacks.<\/p>\n\n\n\n
The Department of Homeland Security is ordering all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days.<\/p>\n\n\n\n
The department\u2019s rare \u201cemergency directive,\u201d issued Tuesday, warned that multiple government domains have been targeted by DNS hijacking attacks, allowing attackers to redirect and intercept web and mail traffic.<\/p>\n\n\n\n
\u201c[The Cybersecurity and Infrastructure Security Agency] (CISA) is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them,\u201d said the alert.<\/p>\n\n\n\n
The warning comes on the heels of a Jan. 10 FireEye report which detailed a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa.<\/p>\n\n\n\n
DNS hijacking is a type of malicious attack in which an individual redirects queries to a domain name server via overriding a computer\u2019s transmission control protocol\/internet protocol (TCP\/IP) settings \u2013 generally by modifying a server\u2019s settings.<\/p>\n\n\n\n
The DHS, for its part, said that the attacker begins by logging into the DNS provider\u2019s administration panel using previously-compromised credentials.<\/p>\n\n\n\n
The attacker then alters DNS records \u2013 including the address mail exchanger or name server records \u2013 and replaces the legitimate address of a service with their own address controls, thus redirecting traffic. Attackers can also alter and tamper with the traffic flows.<\/p>\n\n\n\n
\u201cThis enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose,\u201d said the DHS in its advisory. \u201cThis creates a risk that persists beyond the period of traffic redirection.\u201d<\/p>\n\n\n\n
Since the attackers can set record values for the domain name systems, they can obtain valid encryption certificates for an organization\u2019s domain names; this allows browsers to establish a connection without any certificate errors as the certificate can be trusted, FireEye researchers said. In the most recent campaigns, the attackers have used certificates from the Let\u2019s Encrypt open certificate authority.<\/p>\n\n\n\n
That valid certificate then enables the redirected traffic to be decrypted and exposes any user-submitted data.<\/p>\n\n\n\n
The emergency directive issued by the DHS provides \u201crequired actions\u201d that government agencies must fulfill in the next 10 business days.<\/p>\n\n\n\n
\u201cTo address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires\u2026 near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains and detect unauthorized certificates,\u201d said the report.<\/p>\n\n\n\n
First, the DHS said all .gov domain admins must audit their DNS records over the next 10 days to verify if any traffic is being redirected.<\/p>\n\n\n\n
The department also urged agencies to update their passwords for all accounts on systems that can make changes to agency DNS records, and to implement multi-factor authentication for accounts on DNS admin systems. Finally, agencies are being directed to monitor certificate transparency logs.<\/p>\n\n\n\n
The warning comes as the U.S. government enters its 33rd day of a shutdown (as of Wednesday), a longstanding incident which has sparked concerns about its impact across the board when it comes to security.<\/p>\n\n\n\n
Researchers assess \u201cwith moderate confidence\u201d that the recent DNS hijacking activity is conducted by a group or groups in Iran, and that the activity aligns with Iranian government interests.<\/p>\n\n\n\n
The attacks have been observed in clusters between January 2017 to January 2019, the researchers said in an analysis of the attacks.<\/p>\n\n\n\n
Alister Shepherd, MEA director of Mandiant at FireEye, told Threatpost that the campaign is ongoing \u2013 but that there is no indication of how many credentials have been harvested thus far. However, researcher do state that the attackers had \u201ca high degree of success\u201d harvesting targets\u2019 credentials.<\/p>\n\n\n\n
This most recent DNS hijacking campaign \u201cshowcases the continuing evolution in tactics from Iran-based actors,\u201d FireEye researchers stressed. \u201cThis is an overview of one set of TTPs that we recently observed affecting multiple entities<\/p>\n","protected":false},"excerpt":{"rendered":"
An emergency directive from the Department of Homeland Security provides \u201crequired actions\u201d for U.S. government agencies to prevent widespread DNS hijacking attacks. The Department of Homeland Security is ordering all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days. The department\u2019s rare \u201cemergency directive,\u201d issued […]<\/p>\n","protected":false},"author":1,"featured_media":495,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"yoast_head":"\n