US issues emergency directive to halt DNS hijacking

The US Department of Homeland Security (DHS) has issued an emergency directive in an effort to halt a campaign of domain name system (DNS) infrastructure tampering attacks.

The emergency directive comes just over a week after the computer emergency readiness team (US-Cert) issued an alert about an infrastructure hijacking campaign.

“Using compromised credentials, an attacker can modify the location to which an organisation’s domain name resources resolve,” the alert warned. “This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organisation’s domain names, enabling man-in-the-middle attacks.”

The alert referenced findings by researchers at cyber security firm FireEye’s Mandiant incident response and intelligence teams that a wave of DNS hijacking, apparently coming out of Iran, was affecting dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. 

The emergency directive said the DHS Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving DNS infrastructure tampering, is aware of multiple executive branch agency domains that were impacted, and has notified the agencies that maintain them. At least six agency domains have been affected, according to CyberScoop, citing sources familiar with the matter.

To address the “significant and imminent risks” to US agency information and information systems caused by this activity, the emergency directive sets out four actions that agencies are required to complete in 10 working days to mitigate risks from undiscovered tampering, to enable agencies to prevent illegitimate DNS activity for their domains and to detect unauthorised certificates:

• Audit DNS records for all .gov and agency-managed domains to verify that they resolve to the intended location and to report any that do not.
• Change DNS account passwords for all accounts on systems that can make changes to agency DNS records.
• Add multi-factor authentication (MFA) to all accounts on systems that can make changes to agency DNS records.
• Monitor certificate transparency (CT) logs for certificates issued that they did not request and to report any unauthorised certificates.

In return, the CISA has undertaken to provide technical assistance to agencies that report anomalous DNS records, review submissions from agencies that cannot implement MFA on DNS accounts within the timeline, provide regular delivery of newly added certificates to CT logs for agency domains via the Cyber Hygiene service, and provide additional guidance to agencies upon request.

DNS is used by every business on the internet, and yet few have any idea of visibility or control over DNS performance, with 92% of UK businesses having limited visibility of the impact of DNS performance on their internet users and visitors to their websites and other online resources, according to a 2017 report by independent analyst Quocirca, commissioned by communications and analysis firm Neustar.

Because DNS is a foundational part of the internet, with every organisation, web page, email and internet-connected device using it in some way, criminals inevitably use DNS for a range of activities, including malware communications, data exfiltration and targeted phishing.