Department of Homeland Security issues emergency directive to protect federal domains from Domain Name System hijacking

By Kevin Jay on January 25, 2019

The US Department of Homeland Security (DHS) issued an emergency directive on Tuesday directing federal agencies to take immediate action in response to a global Domain Name System (DNS) hijacking campaign. With the government shutdown still in place, it is unclear how quickly agencies will complete the required actions.

Within 10 business days, every agency must complete four actions:

  1. Audit the public DNS records on all authoritative and secondary DNS servers and verify they resolve to the intended locations
  2. Change the passwords of all accounts that can modify the agency’s DNS records
  3. Enable multi-factor authentication on those accounts to prevent unauthorized changes to the agency’s domains
  4. Monitor Certificate Transparency logs for certificates issued for agency domains that the agency did not request
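
Actions 1 and 4 are the ones that can be scripted. The following is an added example, not code from DHS, CISA or the article: it compares the answers each authoritative and secondary server gives against a change-managed baseline, and it filters a Certificate Transparency feed for certificates covering the agency's domains that were never requested. The domains, addresses, servers and certificate entries are constructed for the example; the CT field names follow crt.sh's JSON output but are an assumption here.

```python
"""Audit DNS records against a baseline and flag unexpected TLS certificates.

Added example for actions 1 and 4 above; it is not part of ED 19-01 or the
article. Lookups go through a pluggable `lookup` callable so the audit can run
offline against the constructed answers below; `dig_lookup` is a real resolver
for use against live authoritative servers.
"""
import json
import subprocess
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]          # (name, rtype)

# Constructed baseline: the answers the agency expects for each record.
BASELINE: Dict[Record, List[str]] = {
    ("www.example.gov", "A"): ["198.51.100.10"],
    ("example.gov", "NS"): ["ns1.example.gov.", "ns2.example.gov."],
    ("example.gov", "MX"): ["10 mail.example.gov."],
    ("mail.example.gov", "A"): ["198.51.100.25"],
}

# Constructed answers from each authoritative/secondary server. ns2 has been
# tampered with: www and mail now resolve to attacker-controlled space.
OBSERVED: Dict[str, Dict[Record, List[str]]] = {
    "ns1.example.gov": {
        ("www.example.gov", "A"): ["198.51.100.10"],
        ("example.gov", "NS"): ["ns2.example.gov.", "ns1.example.gov."],  # order differs, not a change
        ("example.gov", "MX"): ["10 mail.example.gov."],
        ("mail.example.gov", "A"): ["198.51.100.25"],
    },
    "ns2.example.gov": {
        ("www.example.gov", "A"): ["203.0.113.77"],
        ("example.gov", "NS"): ["ns1.example.gov.", "ns2.example.gov."],
        ("example.gov", "MX"): ["10 mail.example.gov."],
        ("mail.example.gov", "A"): ["203.0.113.77"],
    },
}


def offline_lookup(server: str, name: str, rtype: str) -> List[str]:
    """Answer from the constructed OBSERVED table (no network)."""
    return OBSERVED[server].get((name, rtype), [])


def dig_lookup(server: str, name: str, rtype: str) -> List[str]:
    """Query one server directly with dig; returns the +short answer lines."""
    out = subprocess.run(["dig", "+short", "@" + server, name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def audit_dns(baseline: Dict[Record, List[str]], servers: List[str],
              lookup: Callable[[str, str, str], List[str]]):
    """Compare every baseline record on every server; return mismatches as
    (server, name, rtype, expected, observed). Answer order is ignored."""
    findings = []
    for server in servers:
        for (name, rtype), expected in baseline.items():
            observed = lookup(server, name, rtype)
            if sorted(observed) != sorted(expected):
                findings.append((server, name, rtype, sorted(expected), sorted(observed)))
    return findings


# Constructed CT log entries in the JSON shape crt.sh returns (field names are
# an assumption of this example). The agency only requested the first one.
CT_LOG_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "name_value": "www.example.gov", "serial_number": "0a1b2c",
     "not_before": "2018-06-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "mail.example.gov\nautodiscover.example.gov", "serial_number": "ff00ee",
     "not_before": "2019-01-15T10:00:00"},
])
KNOWN_SERIALS = {"0a1b2c"}   # serials of certificates the agency actually requested


def unexpected_certs(ct_json: str, known_serials, domains: List[str]):
    """Return CT entries that cover one of `domains` but were not requested."""
    hits = []
    for entry in json.loads(ct_json):
        names = [n.strip().lower() for n in entry["name_value"].split("\n")]
        covers = any(n == d or n.endswith("." + d) for n in names for d in domains)
        if covers and entry["serial_number"].lower() not in known_serials:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for s, n, t, exp, obs in audit_dns(BASELINE, list(OBSERVED), offline_lookup):
        print(f"DRIFT on {s}: {n} {t} expected {exp} got {obs}")
    for e in unexpected_certs(CT_LOG_JSON, KNOWN_SERIALS, ["example.gov"]):
        print(f"UNREQUESTED CERT #{e['id']} from {e['issuer_name']} for {e['name_value'].split()}")
```

Against live infrastructure, call `audit_dns(BASELINE, servers, dig_lookup)` with the baseline taken from the agency's change-managed zone source, never from a query of the servers being audited. Every authoritative and secondary server is queried separately because, as in the constructed data, a tampered zone may be served by only one of them while the others still look clean. The same filter can be run over a real CT feed (for example the JSON export crt.sh offers for a domain query) once the agency has an inventory of the certificates it actually requested.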

The directive does not identify the affected agencies, the number of incidents, or the attacker(s) responsible. It covers technical details and mitigations, with a single outside reference to research from the threat intelligence firm FireEye.

FireEye assesses “with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests.” Affected organizations include government agencies, telecommunications companies, and Internet providers across the Middle East, North Africa, Europe, and North America.

DNS underpins the Internet by translating host names into IP addresses, so whoever controls an organization’s DNS records controls where its users connect. An attacker who uses compromised or stolen credentials to modify those records can redirect that traffic; as the department’s United States Computer Emergency Readiness Team (US-CERT) put it in a Jan. 24 alert on DNS infrastructure hijacking, “this enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.”

Significance

DNS hijacking shows how attackers keep adapting their tactics, techniques, and procedures: rather than breaking into a target’s servers, this campaign took over the records that direct traffic to them. Organizations across multiple industries and regions were affected. It is another warning to enterprises, federal agencies, telecommunications companies, and Internet service providers to lock down the accounts that control their DNS, verify that their records and certificates are what they expect, and keep monitoring them.

Sources

DHS, Emergency Directive 19-01, 22 January 2019

FireEye, DNS Record Manipulation at Scale, 9 January 2019

US-CERT, DNS Infrastructure Hijacking Campaign, 24 January 2019

Cisco Talos, DNSpionage Campaign Targets Middle East, 27 November 2018