DHS has issued a notice of a CISA emergency directive urging federal agencies of improving the security of government-managed domains (i.e. .gov) to prevent DNS hijacking attacks.

The notice was issued by the DHS and links the emergency directive
Emergency Directive 19-01titled “Mitigate DNS Infrastructure Tampering.”

“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents1 involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.” reads the emergency directive.

“To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.”

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

The emergency directive requests federal agencies to check public DNS records for all .gov and other domains they manage to ensure that they have not been tampered with. The check must be completed in 10 days and includes Address (A), Mail Exchanger (MX), and Name Server (NS) records.

Within 10 business days, agencies will have to change the passwords for their DNS account and enable multifactor authentication where available, but CISA warns risks for SMS-based MFA.

DHS also instructed federal agencies to monitor Certificate Transparency logs for any abuse related to fraudulently issued certificates.

The overall process and signs of progress will be monitored by the DHS, the agencies must submit a status report by January 25 and a final report for all the actions done in compliance with the directive by February 5.

“Beginning February 6, 2019, the CISA Director will engage Chief Information Officers (CIO) and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have not completed required actions, as appropriate, to ensure their most critical federal information systems are adequately protected,” continues CISA.

“By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying agency status and outstanding issues.”

The emergency directive is probably related to a recently disclosed campaign of DNS hijacking attacks uncovered by FireEye.

The DNS hijacking campaign targeted government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. According to the experts, the campaign is carried out, with “moderate confidence,” by APT groups linked to the Iranian Government.

FireEye researchers tracked access from Iranian IPs to machines used to intercept, record and forward network traffic. The same IPs were previously associated with cyber attacks conducted by Iranian cyberspies.

The attackers are not financially motivated and targeted several Middle Eastern governments whose data would be of interest to Iran.

It is interesting to note that FireEye confirmed that this campaign is different from other operations carried out by Iranian APT groups due to the use of DNS hijacking at scale. Attackers used three different ways to manipulate DNS records to enable victim compromises.

After the FireEye’s report, the US-CERT published an alert on January 10 to warn organizations of DNS hijacking campaigns.

Pierluigi Paganini