DHS Issues Emergency Directive Following DNS Attacks
On January 22, 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive 19-01, “Mitigate DNS Infrastructure Tampering,” in response to recent reports by FireEye and Cisco’s Talos Intelligence Group indicating that “dozens of domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East and North Africa, Europe and North America” had been victims of a series of sophisticated attacks. In these attacks, malicious actors used compromised credentials for DNS registrar and DNS hosting accounts to modify the victims’ DNS data and redirect mail and web traffic to servers impersonating the legitimate ones. Because they controlled the victims’ DNS data, the attackers were also able to pass domain validation with the Let’s Encrypt service and obtain TLS certificates to install on the impersonating servers, tricking visitors into believing they were accessing the web or mail servers securely. The attackers’ servers then acted as “men in the middle,” connecting to the correct, legitimate servers on behalf of visitors, but observing all traffic passing through them.
The emergency directive requires U.S. government agencies to audit all “agency-managed domains” and to:
- Determine whether their data has been modified
- Change passwords on all accounts with the ability to modify agencies’ DNS data
- Enable multi-factor authentication on those same accounts, if possible
- Monitor logs to determine if unauthorized certificates have been issued for their agencies
According to the directive, these measures must be completed by February 5, 2019. (I sure hope the Federal government isn’t still shut down then.)
I’d note that these precautions are useful not just for U.S. government domains, but for any important domains run by organizations around the world, government or not. For all the attention that we give to cache poisoning attacks, it’s much more common for attackers to gain control of a victim’s DNS data using stolen or guessed credentials to a registrar or DNS hosting account.
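Two of the audit steps above, checking whether DNS data has been modified and checking whether certificates have been issued that the organization did not request, are simple to automate once a known-good baseline exists. The following is an added example, not code from CISA, FireEye or Talos; the zone data, the “current” records and the certificate-log entries are constructed samples, and `example.gov` / `example-mail.net` are placeholder names.

```python
"""Offline checks for DNS tampering and unexpected certificate issuance.

Assumptions (constructed for this example): the organization keeps an exported,
verified baseline of its record sets, and an inventory of the serial numbers
of certificates it has knowingly requested. In practice CURRENT would come
from querying the authoritative servers or the registrar/hosting API, and
CT_ENTRIES from a Certificate Transparency monitor.
"""

# Baseline record sets, keyed by (owner name, record type), as last verified.
BASELINE = {
    ("www.example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}

# Constructed "current" view: the MX has been pointed at a foreign mail host,
# which is exactly the kind of change that redirects an organization's mail.
CURRENT = {
    ("www.example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "MX"): {"10 mx.example-mail.net."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}

def diff_dns(baseline, current):
    """Return (name, type, added, removed) for every record set that differs.

    Record sets present on only one side are reported too, so a newly created
    or deleted name is flagged as well as a changed one."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, set()), current.get(key, set())
        if old != new:
            findings.append((key[0], key[1], sorted(new - old), sorted(old - new)))
    return findings

# Constructed certificate-log entries, in the shape a CT monitor would report.
CT_ENTRIES = [
    {"domain": "www.example.gov", "issuer": "DigiCert", "serial": "02"},
    {"domain": "mail.example.gov", "issuer": "Let's Encrypt", "serial": "01"},
]
KNOWN_CERT_SERIALS = {"02"}  # certificates the organization itself requested

def unexpected_certs(entries, known_serials):
    """Return every logged certificate whose serial is not in the inventory."""
    return [e for e in entries if e["serial"] not in known_serials]

if __name__ == "__main__":
    for name, rtype, added, removed in diff_dns(BASELINE, CURRENT):
        print(f"DNS change: {name} {rtype} added={added} removed={removed}")
    for cert in unexpected_certs(CT_ENTRIES, KNOWN_CERT_SERIALS):
        print(f"Unexpected certificate for {cert['domain']} from {cert['issuer']}")
```

Either finding should be treated as an incident trigger: a changed record set means the registrar or hosting account may already be compromised, and a certificate nobody requested means someone else was able to pass domain validation for that name.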