DHS Issues Emergency Warning About DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) issued an emergency alert concerning DNS hijacking attacks. CISA instructed all government agencies to audit their DNS configurations within 10 days.

According to CISA, hackers were targeting government agencies and changing their Domain Name System (DNS) records. DNS records map the domain name typed into the browser to the IP address of an internet site. By changing the DNS records, an attacker can re-route website traffic and email traffic.

This method of attack allows sensitive information to be stolen without disrupting the network, so users will not be aware that their communications are being intercepted. Re-routed emails will also go undetected, and website traffic may be re-routed to copies of the real sites. Because those websites have TLS/SSL certificates, browsers will not show any warning about the fake site.

DNS attacks enable hackers to collect information about the websites users visit, and that data may be used in phishing campaigns. The attackers appear to be interested in acquiring domain and login details.

The DNS attacks are not restricted to the United States. FireEye and Cisco Talos researchers also observed attacks in North Africa, the Middle East and Europe. This is an extensive DNS hijacking campaign, and many of the attacks have already succeeded. A number of executive branch agency domains were affected by the attacks. DHS has notified those agencies, but more attacks are to be expected. Although the people responsible for the attacks have not yet been identified, the campaign appears to be connected to Iran.

DHS has released a four-step plan which should be acted upon within the following 10 days:

Audit all .gov and agency-managed domains on authoritative and secondary DNS servers and make certain that they direct traffic to the designated site. NS records and records connected with key agency services should be prioritized. If any DNS changes are discovered, they should be reported to CISA immediately.

All federal agencies are directed to change the passwords of DNS accounts that can alter the agency’s DNS records. The new passwords should be distinct and complex.

Enable multi-factor authentication (MFA) on all DNS accounts that can make modifications to DNS records. If it is not possible to enable MFA, CISA should be informed.

Over the following 10 days, CISA will begin regularly sending agencies, through the Cyber Hygiene service, the certificates newly added to Certificate Transparency (CT) logs for agency domains. Agencies should immediately begin monitoring CT logs for certificates which were issued but not requested by the agency. If logs are discovered to be erroneous, CISA should be notified.

Any agency that finds anomalous DNS records will be given technical assistance by CISA.
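
The audit in the first step comes down to comparing what the DNS servers actually return against an approved baseline, with NS changes reviewed first. The following is an added example, not part of the DHS directive or the original article; the "name type value" line format, the domain names and the addresses are constructed assumptions, and in practice the observed lines would be collected from each authoritative and secondary server.

```python
# Added example: offline audit of observed DNS records against an approved baseline.
PRIORITY = {"NS": 0, "MX": 1, "A": 2, "AAAA": 2, "CNAME": 3}  # NS reviewed first


def parse_records(text):
    """Parse 'name type value' lines into {(name, type): set(values)}."""
    rrsets = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file style comments
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        # DNS names are case-insensitive; ignore the trailing root dot
        key = (name.lower().rstrip("."), rtype.upper())
        rrsets.setdefault(key, set()).add(" ".join(value.split()).lower().rstrip("."))
    return rrsets


def audit(baseline_text, observed_text):
    """Return one finding per changed record set, NS changes first."""
    baseline, observed = parse_records(baseline_text), parse_records(observed_text)
    findings = []
    for key in baseline.keys() | observed.keys():
        expected, seen = baseline.get(key, set()), observed.get(key, set())
        if expected != seen:
            findings.append({"name": key[0], "type": key[1],
                             "unexpected": sorted(seen - expected),
                             "missing": sorted(expected - seen)})
    findings.sort(key=lambda f: (PRIORITY.get(f["type"], 9), f["name"]))
    return findings


# Constructed sample data (reserved documentation names and addresses)
BASELINE = """\
agency.example.      NS  ns1.agency.example.
agency.example.      NS  ns2.agency.example.
agency.example.      MX  10 mail.agency.example.
mail.agency.example. A   192.0.2.25
"""

OBSERVED = """\
agency.example.      NS  ns1.agency.example.
agency.example.      NS  ns1.hosting.test.      ; not in baseline
AGENCY.EXAMPLE.      MX  10 mail.agency.example.
mail.agency.example. A   198.51.100.7           ; re-pointed mail host
"""

if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED):
        print(f["type"], f["name"], "unexpected:", f["unexpected"], "missing:", f["missing"])
```

Each finding lists both the unexpected and the missing values, so a replaced name server or a re-pointed mail host appears as a single changed record set rather than as two unrelated differences.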

Each agency must submit a status report to CISA by January 25, 2019, followed by a completion report on February 5, 2019, to confirm the implementation of the four steps mentioned above.