Batten down the DNS hatches as attackers strike Feds

DHS warns federal agencies of DNS attacks and offers best practices to help mitigate the situation.

If enterprise IT folks haven’t taken a look at their DNS ecosystem recently, now may be a good time.

This week the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) told all federal agencies to bolt down their Domain Name System infrastructure in the face of a series of global hacking campaigns.

DNS, routinely known as the Internet’s phonebook, is the part of the global internet infrastructure that translates familiar names into the numeric addresses computers need to reach a website or deliver an email.

CISA said in its Emergency Directive that it is tracking a series of incidents targeting Domain Name System (DNS) infrastructure. CISA wrote that it “is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.”

CISA says that attackers have managed to intercept and redirect web and mail traffic and could target other networked services. The agency said the attacks start with the compromise of credentials for an account that can make changes to DNS records. The attacker then alters DNS records, such as Address (A), Mail Exchanger (MX) or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls.

Those changes let the attacker direct user traffic to their own infrastructure, where it can be inspected or manipulated before being passed on to the legitimate service, if the attacker chooses to pass it on at all. This creates a risk that persists beyond the period of traffic redirection, CISA stated.

“Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings,” CISA stated.

Christopher Krebs, Director of CISA, wrote in a blog post about the Directive: “Like real life, if someone can change your address, lots of bad things can happen. The same is true of DNS.”

Krebs noted that FireEye and Cisco Talos researchers recently reported that malicious actors obtained access to accounts that controlled DNS records and made them resolve to their own infrastructure before relaying traffic to the real address. Because they could control an organization’s DNS, they could obtain legitimate digital certificates and decrypt the data they intercepted – all while everything looked normal to users.

Krebs added that while the DNS attacks are directed at federal agencies, “the Directive includes common sense guidance and mitigation steps any organization can take to prevent DNS infrastructure tampering.”

CISA’s recommendations, which amount to DNS best practices for any organization, are:

  • Update DNS account passwords. This will disrupt access to accounts an unauthorized actor might currently have.
  • Verify DNS records to ensure they’re resolving as intended and not redirected elsewhere. This will help spot any active DNS hijacks.
  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records. This will also disrupt access and harden accounts to prevent future attacks.
  • Audit public DNS records to verify they are resolving to the intended location.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
  • Monitor certificate transparency logs for certificates issued that the agency did not request. This will help defenders notice if someone is attempting to impersonate them or spy on their users.
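The two checks that turn the list above into something repeatable are the record verification (second and fourth bullets) and the certificate transparency review (last bullet), and both are also the quickest way to spot the A/MX/NS tampering CISA describes earlier in the piece. The script below is an added example, not code from CISA or the directive. It compares the records observed from outside the network against a baseline of what the organization intends to publish, then flags certificate-transparency entries that cover the organization’s domains but whose serial numbers are not in its own ledger of requested certificates. The zone `example.gov`, every address, serial number and log entry are constructed for the example; the CT entries are shaped like the JSON that crt.sh returns for a domain search, but nothing here is fetched from the network, so it runs offline.

```python
"""Audit public DNS answers and certificate-transparency entries against a
baseline. Added example; all hosts, addresses, serials and CT entries below
are constructed, not real data."""

# Baseline: the records the organization intends to publish (constructed).
BASELINE = {
    ("example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("mail.example.gov", "A"): {"203.0.113.25"},
}

# What a query from outside the network returns today (constructed). The MX
# target and the mail host's A record have been altered, which is exactly the
# pattern described above: mail traffic routed through attacker infrastructure.
OBSERVED = {
    ("example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "MX"): {"10 relay.attacker-controlled.example."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("mail.example.gov", "A"): {"198.51.100.7"},
}


def audit_records(baseline, observed):
    """Return one finding per (name, type) whose observed data differ from the
    baseline, as (name, rtype, expected_values, observed_values)."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        expected = baseline.get((name, rtype), set())
        actual = observed.get((name, rtype), set())
        if expected != actual:
            findings.append((name, rtype, sorted(expected), sorted(actual)))
    return findings


# Serial numbers of certificates the organization itself requested (constructed).
REQUESTED_SERIALS = {"04a1c9e2f7b3", "04d73e9a1b5c"}

# Entries shaped like crt.sh's JSON output for a domain search (constructed).
# Entry 1003 is a certificate nobody in the organization asked for.
CT_ENTRIES = [
    {"id": 1001, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "example.gov\nwww.example.gov", "serial_number": "04a1c9e2f7b3"},
    {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "mail.example.gov", "serial_number": "04d73e9a1b5c"},
    {"id": 1003, "issuer_name": "C=US, O=Other CA, CN=Other CA DV",
     "name_value": "mail.example.gov\n*.example.gov", "serial_number": "9f1e22ab0c44"},
    {"id": 1004, "issuer_name": "C=US, O=Other CA, CN=Other CA DV",
     "name_value": "unrelated.example.net", "serial_number": "1b2c3d4e5f60"},
]


def covers_domain(name, domains):
    """True if a subject name (possibly a wildcard) falls under one of our zones."""
    name = name.strip().lower()
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in domains)


def audit_ct_entries(entries, requested_serials, domains):
    """Return CT entries that cover our domains but whose serial number is not
    in the ledger of certificates we requested, as (id, issuer, sorted names)."""
    findings = []
    for entry in entries:
        names = [n for n in entry["name_value"].splitlines() if n.strip()]
        if not any(covers_domain(n, domains) for n in names):
            continue  # someone else's certificate; not our concern here
        if entry["serial_number"].lower() in requested_serials:
            continue  # we asked for this one
        findings.append((entry["id"], entry["issuer_name"],
                         sorted(n.strip().lower() for n in names)))
    return findings


if __name__ == "__main__":
    for name, rtype, expected, actual in audit_records(BASELINE, OBSERVED):
        print(f"DNS MISMATCH {name} {rtype}: expected {expected}, observed {actual}")
    for cert_id, issuer, names in audit_ct_entries(CT_ENTRIES, REQUESTED_SERIALS,
                                                   {"example.gov"}):
        print(f"UNEXPECTED CERT crt.sh id {cert_id} from {issuer} for {names}")
```

In practice the `OBSERVED` dictionary would be filled from queries sent to several public resolvers rather than the organization’s own servers, since a hijack at the registrar or authoritative-server level is invisible from inside; and the serial-number ledger is the only reliable way to tell a certificate you requested from one an attacker obtained, because the attacker’s certificate is otherwise indistinguishable from a legitimate one.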