On Jan. 22, 2019, the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS), issued Emergency Directive 19-01, titled “Mitigate DNS Infrastructure Tampering.” It requires a series of actions from federal agencies, and here is the background it gives:
“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services. …”
On Jan. 24, 2019, the United States Computer Emergency Readiness Team (US-CERT) issued Alert AA19-024A on a global “DNS Infrastructure Hijacking Campaign” that requires immediate attention.
AA19-024A is summarized in this way: “The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:
These files will be updated as information becomes available.”
What Is DNS Hijacking? Definitions Please
There are plenty of good articles that explain what Domain Name System (DNS) hijacking is, what it does and its potential impacts. This article from Dark Web News is very helpful, in my opinion. Here are a few short excerpts:
"DNS hijacking, also known as silent server swaps, is a malicious attack vector that can be used to forcibly redirect web traffic to websites that are either fake or different from the ones you’ve requested. ...
So, how can this affect your online security? The answer to that question is: in a number of ways. For instance:
Global Media Coverage and DNS Impact
Coverage of this very serious situation is worldwide, with GCHQ’s National Cyber Security Centre (NCSC), in the United Kingdom, issuing a rare warning that it was investigating a “large-scale hijacking campaign that has reportedly affected government and commercial organizations worldwide.”
- CIO magazine in Australia urged readers to “Batten down the DNS hatches as attackers strike Feds.”
- eWeek wrote that “U.S. Government Warns of DNS Hijacking Risk.”
- ZDNet described the four-step DHS action plan for the emergency.
- Duo Security wrote that the DNS hijacking campaign targeted government during the shutdown. “Chris Krebs, the director of CISA, said in a series of messages on Twitter that the agency realizes that some agencies are short of staff, but still expects those agencies to take the necessary steps. …”
- Back on Jan. 9, 2019, FireEye first reported on this issue. “FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.”
- Threatpost.com published an analysis on Jan. 10 headlined “‘Unprecedented’ DNS hijacking attacks linked to Iran.”
- On Jan. 10, 2019, TheRegister (U.K.) wrote that “Baddies linked to Iran fingered for DNS hijacking to read Middle Eastern regimes' emails.”
Actions Required for Feds Are Also Needed by State and Local Governments and Private-Sector Orgs
Most Information Sharing and Analysis Centers (ISACs), such as the MS-ISAC, relayed these same US-CERT emergency warnings to their members this week, and following the DHS action steps is recommended for all readers who want to be sure their DNS services are secure.
Infosecurity magazine said it this way:
“CISA is demanding all agencies audit their DNS records on all .gov and related domains within 10 days to see if they resolve to the intended location, and report any that don’t.
It also wants users to update passwords for any accounts that can change DNS records, and implement multi-factor authentication (MFA) for these, again within the 10-day timeframe.
CISA also gave notice of a new Certificate Transparency initiative which agencies will have to participate in, by monitoring any log data for issued certificates that they didn’t request. …”
In my opinion, state and local governments should also be doing the same things as their federal counterparts.
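Two of the steps quoted above, auditing every DNS record against where it is supposed to point and watching Certificate Transparency for certificates nobody requested, are easy to script. The following is an added example written for this article; it is not CISA's, US-CERT's or any vendor's code. The baseline, the "observed" DNS snapshot and the CT entries are all constructed (documentation-only names and addresses from RFC 2606 and RFC 5737), the resolver is injectable so the script runs offline, and the CT records are shaped like the JSON that crt.sh returns (an assumption about its field names). In production you would pass a resolver backed by dnspython's `dns.resolver.resolve` or your DNS provider's API, and feed in real CT log output.

```python
"""Audit DNS records against an approved baseline and flag Certificate
Transparency entries that were never requested.

Added example for this article, not code from the directive or alert.
All data below is constructed: .example names (RFC 2606) and
192.0.2.0/24, 198.51.100.0/24 addresses (RFC 5737).
"""
from dataclasses import dataclass

# What each record SHOULD resolve to (the approved baseline).
BASELINE = {
    ("agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("mail.agency.example", "A"): {"192.0.2.25"},
}

# Constructed snapshot of what a resolver returned during the audit.
# The MX and the mail host's A record have been pointed elsewhere,
# the pattern the alert describes for intercepting mail traffic.
OBSERVED = {
    ("agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "MX"): {"10 mx.hosted-elsewhere.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("mail.agency.example", "A"): {"198.51.100.7"},
}

# Constructed entries in the shape of crt.sh JSON output (field names are
# an assumption). name_value carries the SANs, one per line.
CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "agency.example\nwww.agency.example", "not_before": "2019-01-05T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "name_value": "mail.agency.example", "not_before": "2018-11-01T00:00:00"},
]

# Ledger of certificates the organization actually requested:
# (issuer organization, sorted tuple of SANs).
REQUESTED_CERTS = {
    ("DigiCert Inc", ("mail.agency.example",)),
}


@dataclass
class Finding:
    name: str
    rtype: str
    expected: set
    observed: set


def snapshot_resolver(snapshot):
    """Build a resolve(name, rtype) over a dict; unknown records resolve to empty."""
    return lambda name, rtype: snapshot.get((name, rtype), set())


def audit_dns(baseline, resolve):
    """Compare each baseline record with what resolve() returns.
    Any difference (changed, extra or missing rdata) is a finding; set
    comparison ignores answer order."""
    findings = []
    for (name, rtype), expected in sorted(baseline.items()):
        observed = set(resolve(name, rtype))
        if observed != expected:
            findings.append(Finding(name, rtype, expected, observed))
    return findings


def issuer_org(issuer_dn):
    """Pull the O= component out of an issuer DN string such as 'C=US, O=X, CN=Y'."""
    for part in issuer_dn.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_dn


def unrequested_certs(entries, requested):
    """Return CT entries whose (issuer org, SAN set) is not in the request ledger."""
    flagged = []
    for entry in entries:
        names = tuple(sorted(n.strip().lower() for n in entry["name_value"].splitlines() if n.strip()))
        if (issuer_org(entry["issuer_name"]), names) not in requested:
            flagged.append(entry)
    return flagged


def run_audit():
    """Run both checks over the constructed data and return the findings."""
    return audit_dns(BASELINE, snapshot_resolver(OBSERVED)), unrequested_certs(CT_ENTRIES, REQUESTED_CERTS)


if __name__ == "__main__":
    dns_findings, ct_findings = run_audit()
    for f in dns_findings:
        print(f"DNS MISMATCH {f.name} {f.rtype}: expected {sorted(f.expected)}, got {sorted(f.observed)}")
    for e in ct_findings:
        print(f"UNREQUESTED CERT id={e['id']} issuer={issuer_org(e['issuer_name'])} names={e['name_value'].split()}")
```

Two design points worth noting. The DNS comparison is on whole record sets, so an attacker adding a second MX or NS alongside the legitimate one is caught, not just a replaced value. The CT ledger matches on issuer plus SAN set rather than serial number, so routine renewals from the same CA for the same names do not page anyone; if you need to catch a rogue certificate from an issuer you already use, track serial numbers or the crt.sh id instead.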
So who was impacted to cause these emergency actions from DHS and others? No doubt several organizations, likely some big government agencies, were hit. I expect to learn more details about those impacts over the next month or two. Meanwhile, the clock is ticking for federal agencies — and others should act as well.
The timing of these emergency directives for federal agencies and the ending of the federal government shutdown is also interesting. Was this just a coincidence? Probably.
Were these DNS cyberthreats an added pressure needed to end the government shutdown — to get federal agencies protected? Perhaps.
While it is unlikely that these DNS cyberthreats alone were the reason for the three-week budget deal that reopened government and was signed by the president on Friday, it is possible that this extra pressure was a contributing factor.
If this is the case, it may signal a wider review needed for protecting networks and data and people during future federal government shutdowns.
Is this a case of: "While the cat's away, the mice will play?" Just food for thought.