DHS Issues Emergency Directive

The Department of Homeland Security (DHS) issued an emergency warning in an effort to protect federal domains from DNS hijacking campaigns. DHS has listed ‘required actions’ for government agencies to complete with ten days.

This warning was issued after a series of DNS hijacking attacks occurred across North Africa, Europe, North America, and the Middle East. The ongoing attacks have hit several executive branch domains.

The alert warned:

“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents1 involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.”

DNS hijacking is a malicious attack that occurs when an attacker intercepts and redirects DNS queries. This can be done by changing the IP address of a specific domain to another site. For example, an attacker can redirect users to their own malicious sites instead of the one the user tried accessing.

In these series of attacks, attackers redirected web and mail traffic. To begin the attack, the threat actor obtained user credentials that had access to DNS records. Access grants attackers the ability to change and set DNS records. Afterwards, the attacker replaces the IP address of legitimate sites with an address the attacker chose.

“This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service”

“They can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”

Due to the significant impact DNS hijacking can have on an organization, DHS is requiring four actions for government agencies to follow and enact within ten days.

  1. Public DNS records should be audited
  2. All DNS account passwords must be updated
  3. DNS accounts must have multi-factor authentication enabled
  4. All certificate transparency logs must be monitored

If your organization has been victim to an attack, contact LIFARS immediately.