The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has released an emergency warning regarding DNS hijacking campaigns. All government agencies have been told to review their DNS settings over the next 10 days.
CISA reports that cyber criminals have been targeting government agencies and changing their Domain Name System records. DNS records are used to determine the IP address of a website from the domain name entered into the browser. By changing the DNS records, web traffic and email traffic can be sent elsewhere.
This type of attack allows sensitive data to be obtained without compromising the target's own network, and users are unlikely to be aware that their communications have been intercepted. Re-routed emails are likely to go undetected, and web traffic could be re-routed to identical copies of authentic sites. Because whoever controls a domain's DNS can pass domain validation and obtain a valid TLS/SSL certificate for it, those copied sites present trusted certificates and browsers emit no warning.
DNS attacks permit hackers to obtain information about the websites visited by users and the information could be used in phishing campaigns. The attacks seem to be focusing on obtaining domain and login details.
The DNS attacks are not restricted to the United States. Attacks have also been seen in the Middle East, North Africa, and Europe by FireEye and Cisco Talos researchers. The DNS hijacking campaign is wide ranging and many of the attacks have succeeded. Several executive branch agency domains have been affected by the attacks. Those agencies have been alerted by DHS about the campaign, but further attacks are likely.
While those responsible for the attacks have not been identified, the campaign appears to have its origins in Iran.
DHS has published a 4-step plan that must be enacted in the next 10 days.
- Review all .gov and agency-managed domains on authoritative and secondary DNS servers and make sure that they direct traffic to the correct location. NS records and those linked with key agency services should be prioritized. If DNS changes are noticed, they must be made known to CISA.
- All federal agencies have been ordered to change DNS account passwords on accounts that can make amendments to the agency’s DNS records. New unique, complex passwords should be put in place.
- All DNS accounts that can make amendments to DNS records should have multi-factor authentication turned on. If MFA cannot be switched on for systems, CISA must be made aware.
- CISA will initiate regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service over the next 10 days. CT logs must be immediately monitored for certificates issued for agency domains that the agency did not request. Any such unrequested certificates must be reported to CISA.
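Steps 1 and 4 of the plan are both comparisons against a known-good baseline: the DNS records an agency currently serves versus the records it expects, and the certificates appearing in CT logs versus the certificates it actually requested. The following script is an added example written for this article, not code from CISA or the directive. It works entirely on constructed sample data: the domain `agency.example`, its record values, and the CT entries are all made up for illustration, and in a real review the `OBSERVED` set would be filled from the agency's authoritative and secondary name servers and the CT entries from the Cyber Hygiene reports or a CT log monitor.

```python
"""Baseline comparison for DNS record drift and unexpected CT log entries.

Added example for this article; the domains, addresses, issuers and serials
below are constructed sample values, not real agency data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# domain -> record type -> set of record values (as returned by a resolver)
RecordSet = Dict[str, Dict[str, Set[str]]]


@dataclass(frozen=True)
class Finding:
    domain: str
    kind: str    # "dns_drift" or "unexpected_cert"
    detail: str


# Step 1 baseline: what the agency expects its authoritative servers to answer.
# NS records are listed first because the directive says to prioritise them.
BASELINE: RecordSet = {
    "agency.example": {
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
        "A": {"192.0.2.10"},
        "MX": {"10 mail.agency.example."},
    },
    "portal.agency.example": {
        "A": {"192.0.2.20"},
    },
}

# Constructed "current" answers: the apex A record now points elsewhere and a
# second MX host has appeared, while NS records and the portal are unchanged.
OBSERVED: RecordSet = {
    "agency.example": {
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
        "A": {"198.51.100.7"},
        "MX": {"10 mail.agency.example.", "20 mx.unknown-host.example."},
    },
    "portal.agency.example": {
        "A": {"192.0.2.20"},
    },
}

# Step 4 inputs: constructed CT log entries and the serials the agency requested.
CT_ENTRIES = [
    {"name": "portal.agency.example", "issuer": "Example CA", "serial": "04:AA:11"},
    {"name": "mail.agency.example", "issuer": "Other CA", "serial": "0B:77:F2"},
    {"name": "unrelated.example", "issuer": "Example CA", "serial": "01:00:01"},
]
AUTHORIZED_SERIALS: Set[str] = {"04:AA:11"}


def detect_dns_drift(baseline: RecordSet, observed: RecordSet) -> List[Finding]:
    """Report every record type whose observed values differ from the baseline.

    A domain missing from `observed` entirely shows up as all values removed,
    so a silently dropped zone is flagged rather than ignored.
    """
    findings: List[Finding] = []
    for domain, expected in sorted(baseline.items()):
        current = observed.get(domain, {})
        for rtype, expected_vals in sorted(expected.items()):
            got = current.get(rtype, set())
            added, removed = got - expected_vals, expected_vals - got
            if added or removed:
                detail = f"{rtype}: added={sorted(added)} removed={sorted(removed)}"
                findings.append(Finding(domain, "dns_drift", detail))
    return findings


def in_scope(name: str, monitored: Set[str]) -> bool:
    """True if the certificate name is a monitored domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in monitored)


def unexpected_certificates(entries, monitored: Set[str], authorized: Set[str]) -> List[Finding]:
    """Flag CT entries covering agency domains whose serial was never requested."""
    return [
        Finding(e["name"], "unexpected_cert", f"issuer={e['issuer']} serial={e['serial']}")
        for e in entries
        if in_scope(e["name"], monitored) and e["serial"] not in authorized
    ]


def review_agency_domains() -> List[Finding]:
    """Run both checks over the constructed data; each finding is a report item."""
    monitored = set(BASELINE)
    return detect_dns_drift(BASELINE, OBSERVED) + unexpected_certificates(
        CT_ENTRIES, monitored, AUTHORIZED_SERIALS
    )


if __name__ == "__main__":
    for f in review_agency_domains():
        print(f"{f.kind:16} {f.domain:24} {f.detail}")
```

Running it prints two `dns_drift` findings for `agency.example` (the changed A record and the extra MX host) and one `unexpected_cert` finding for `mail.agency.example`; the certificate for `unrelated.example` is ignored because it is outside the monitored domains. Each finding maps directly to something the directive says must be reported to CISA, so the output doubles as the list for the status report.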
Any agency that finds anomalous DNS records will be given technical assistance by CISA.
A status report must be lodged to CISA by January 25, 2019 and a completion report must be lodged to CISA by February 5, 2019 confirming the above four steps have been put in place.