DHS Issues Emergency Directive on DNS Security

Published : 23/11/2024   Category : security



All government domain owners are instructed to take immediate steps to strengthen the security of their DNS servers following a successful hacking campaign.



On Jan. 22, US-CERT issued notice of a CISA emergency directive on DNS infrastructure tampering. The notice was the typically brief CERT notice, but it linked to an emergency directive at cyber.dhs.gov that called on anyone managing .gov or other agency-managed domains to take a series of steps aimed at remedial efforts — and to take those steps very quickly.
"The fact that they put out the warning means that there's been some sort of successful breach against a government site that they're recovering from," says John Todd, executive director at Quad9. "This type of warning means that there's been some damage."
Marc Rogers, executive director of cybersecurity at Okta, agrees. "CERT puts out notifications on a regular basis, but I haven't seen one with such a strong sense of urgency before, which tells me that DHS is acting on actual knowledge of an ongoing attack," he says.
In the emergency directive, DHS said attackers have redirected and intercepted web and mail traffic, and could do so for other networked services. The attacks began when someone stole, obtained, or compromised user credentials for an account able to make changes to the DNS records, the directive points out.
Most experts think the events alluded to in the emergency directive are related to a campaign of DNS attacks described by FireEye in a blog post dated Jan. 9. In that post, researchers said that attackers, most likely employed or sponsored by agencies in Iran, use a variety of techniques to gain access to and control over DNS servers. Once done, the result is activity that can compromise a variety of data and information types.
FireEye wrote that the attacks appeared to have begun as long ago as 2017, and prominently feature a technique first described by researchers at Cisco Talos in which the DNS A records are modified. This technique results in the attacker gaining a user's username, password, and domain credential, without producing any activity that would alert the user to a problem.
One of the ways in which attackers hide their activity is through the use of a counterfeit encryption certificate. "The attack described is heavily using Let's Encrypt, which allows someone to easily get a certificate for a domain they control. The attackers went in, modified the records, then immediately got a certificate from Let's Encrypt, so people coming in from other domains won't get an error message," says Adnan Baykal, global technical adviser at the Global Cyber Alliance.
While the duration of the overall attack makes it highly unlikely that it was timed to take advantage of the current partial government shutdown, aspects of the shutdown have made it easier for the attack to succeed. "When you see that there are close to 100 certificates in federal domains that have expired during the shutdown, each one represents a serious risk for users who go to the site. This pushes up the risk of DNS hijacking," Rogers says.
Baykal agrees. "Visitors are getting browser errors, and people have no good way to tell whether the error is from an expired certificate or a spoofed certificate," he says.
These statements amplify the point that there's little for a site's visitors to do regarding possible DNS hijacking. "You need to use or have access to a validating recursive DNSSEC resolver," Todd says. "You can use a service that tries to give me an accurate answer, and if it's not accurate, it fails the request." He notes, though, that most users rely on their ISPs' DNS servers, few of which use DNSSEC validation.
As for the emergency directive's mandates, they include auditing DNS records, changing passwords for accounts that have DNS administration privileges, and putting two-factor authentication into service — and doing it all within 10 days. "All of the remediation makes perfect sense based on the FireEye report. You'd hope that they would have done so earlier, but that horse has left the barn," says Cricket Liu, executive vice president of engineering and chief DNS architect at Infoblox.
And the mandates shouldn't be ignored by those who aren't bound by the government directives. "This is a wakeup call for anyone who owns a domain. Although the US government is issuing the order, anyone anywhere in the world should be paying a lot of attention," Todd says.
Liu agrees. "The things they're recommending are a good idea for anyone, whether you're part of the federal government or not," he says. "All of these are a good idea, regardless."
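The first mandate, auditing DNS records, comes down to comparing what resolvers currently return against a known-good baseline and flagging A, NS and MX changes of the kind the FireEye report describes. The script below is an added example, not code from the directive or from any vendor quoted here; the zone names, addresses and trusted network range are constructed, and in practice the observed records would be filled from your authoritative servers and a few public resolvers rather than hard-coded.

```python
import ipaddress
from typing import Dict, List, Tuple

# A record is (rrtype, value). Baseline = what the domain owner knows to be
# correct; observed = what a resolver returned. Both are constructed samples.
Record = Tuple[str, str]

BASELINE: Dict[str, List[Record]] = {
    "www.example.gov": [("A", "192.0.2.10")],
    "mail.example.gov": [("A", "192.0.2.25")],
    "example.gov": [("NS", "ns1.example.gov."), ("NS", "ns2.example.gov."),
                    ("MX", "10 mail.example.gov.")],
}

OBSERVED: Dict[str, List[Record]] = {
    "www.example.gov": [("A", "203.0.113.77")],      # A record now points elsewhere
    "mail.example.gov": [("A", "192.0.2.25")],       # unchanged
    "example.gov": [("NS", "ns1.example.gov."), ("NS", "ns-unknown.example.net."),
                    ("MX", "10 mail.example.gov.")],  # one NS record swapped
}

# Address space the organisation legitimately uses (constructed, hypothetical).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def audit_dns_records(baseline, observed, trusted_networks):
    """Return (name, severity, message) findings where observed differs from baseline.

    An unexpected A record is rated CRITICAL when the address lies outside the
    trusted networks, since that is the redirection pattern the directive describes.
    """
    findings = []
    for name, expected in baseline.items():
        current = observed.get(name, [])
        added = sorted(set(current) - set(expected))
        removed = sorted(set(expected) - set(current))
        for rrtype, value in added:
            severity, msg = "HIGH", f"unexpected {rrtype} record {value}"
            if rrtype == "A":
                ip = ipaddress.ip_address(value)
                if not any(ip in net for net in trusted_networks):
                    severity = "CRITICAL"
                    msg += " (address outside trusted networks)"
            findings.append((name, severity, msg))
        for rrtype, value in removed:
            findings.append((name, "HIGH", f"baseline {rrtype} record {value} missing"))
    for name in sorted(set(observed) - set(baseline)):
        findings.append((name, "MEDIUM", "name not in baseline"))
    return findings


if __name__ == "__main__":
    for finding in audit_dns_records(BASELINE, OBSERVED, TRUSTED_NETWORKS):
        print(*finding, sep="\t")
```

Run it on a schedule and alert on any CRITICAL or HIGH finding; a clean run returns an empty list.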
