Cyber-Hijacking Campaign Sets off Global Government Alarm Bells

On Jan. 22, 2019, the Cybersecurity and Infrastructure Security Agency (CISA), which is a part of the U.S. Department of Homeland Security (DHS), issued Emergency Directive 19-01. The title of the directive is: Mitigate DNS Infrastructure Tampering. A series of actions are required for federal agencies, and here is the background:

“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents¹ involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.”

On Jan. 24, 2019, the United States Computer Emergency Readiness Team (U.S. CERT) issued an alert regarding a global “DNS Infrastructure Hijacking Campaign,” that requires immediate attention.  

AA19-024A is summarized in this way: “The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:

IOCs (.csv)

IOCs (.stix)

These files will be updated as information becomes available.”

What Is DNS Hijacking? Definitions Please

There are plenty of good articles which explain what Domain Name Systems (DNS) Hijacking is, what it does and the potential impacts. This article from Dark Web News is very helpful, in my opinion. Here are a few small excerpts:

"DNS hijacking, also known as silent server swaps, is a malicious attack vector that can be used to forcibly redirect web traffic to websites that are either fake or different from the ones you’ve requested. ...

So, how can this affect your online security? The answer to that question is: in a number of ways. For instance:

• DNS Hijacking Can Be Used For Phishing Attacks …
• A Hijacked DNS Server Can Be Used for Pharming …
• Governments Use DNS Hijacking to Enforce Web Censorship …
• How to Protect Your Computer from DNS Hijacking: Update your router’s firmware and change its password (especially if you’re still using the default password). Use a VPN (Virtual Private Network) to access the Internet. This hides your DNS requests from third parties and encrypts all your traffic. It’s also a key safeguard to protect your online privacy and security, overall. ...”

Global Media Coverage and DNS Impact

Coverage of this very serious situation is worldwide, with GCHQ’s National Cyber Security Center (NCSC), in the United Kingdom, issuing a rare warning that it was investigating a “large-scale hijacking campaign that has reportedly affected government and commercial organizations worldwide.”

• CIO magazine in Australia urged readers to “Batten down the DNS hatches as attackers strike Feds.”
• eWeek wrote that “U.S. Government Warns of DNS Hijacking Risk.”
• ZDNet described the four-step DHS action plan for the emergency.
• Duo Security wrote that DNS hijacking campaign targets government during shutdown. “Chris Krebs, the director of CISA, said in a series of messages on Twitter that the agency realizes that some agencies are short of staff, but still expects those agencies to take the necessary steps. …”
• Back on Jan. 9, 2019, FireEye first reported on this issue. “FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.”  
• Threatpost.com wrote this analysis on Jan. 10, saying that ‘Unprecedented’ DNS hijacking attacks linked to Iran.
• On Jan. 10, 2019, TheRegister (U.K.) wrote that “Baddies linked to Iran fingered for DNS hijacking to read Middle Eastern regimes' emails.”

Wired magazine also offered this detailed look at our new DNS challenges.

Actions Required for Feds Are Also Needed by State and Local Governments and Private-Sector Orgs


Most Information Sharing & Analysis Centers (ISACs), such as the MS-ISAC, released these same US-CERT emergency warnings to their members this week, and following these DHS actions steps are recommended for all readers to ensure their DNS services are secure.  

Infosecurity magazine said it this way:

“CISA is demanding all agencies audit their DNS records on all .gov and related domains within 10 days to see if they resolve to the intended location, and report any that don’t.

It also wants users to update passwords for any accounts that can change DNS records, and implement multi-factor authentication (MFA) for these, again within the 10-day timeframe.

CISA also gave notice of a new Certificate Transparency initiative which agencies will have to participate in, by monitoring any log data for issued certificates that they didn’t request. …”

In my opinion, state and local governments should also be doing the same things as their federal counterparts.

Final Thoughts

So who was impacted to cause these emergency actions from DHS and others? No doubt several organizations, likely some big government agencies, were hit. I expect to learn more details about those impacts over the next month or two. Meanwhile, the clock is ticking for federal agencies — and others should act as well.      

The timing of these emergency directives for federal agencies and the ending of the federal government shutdown is also interesting. Was this just a coincidence? Probably.

Were these DNS cyberthreats an added pressure needed to end the government shutdown — to get federal agencies protected? Perhaps. 

While it is unlikely that these DNS cyberthreats alone were the reason for the three-week budget deal that reopened government and was signed by the president on Friday, it is possible that this extra pressure was a contributing factor.

If this is the case, it may signal a wider review needed for protecting networks and data and people during future federal government shutdowns.

Is this a case of: "While the cat's away, the mice will play?" Just food for thought.