The Department of Homeland Security (DHS) has issued an emergency directive that requires federal agencies to mitigate the threat of Domain Name System (DNS) infrastructure tampering.
In “Emergency Directive 19-01,” DHS explains that it’s been working with the Cybersecurity and Infrastructure Security Agency (CISA) to track a campaign of DNS infrastructure tampering.
A hijack in this series, as detailed by both Cisco Talos and FireEye, begins when digital attackers compromise or otherwise obtain the credentials of a user who has access to their organization’s DNS records. The attackers proceed with altering the organization’s legitimate DNS record by replacing its service address with one under their control. They can then use those modifications to direct user traffic to their own infrastructure for inspection and/or manipulation, if they so choose.
The emergency directive, which went live on 22 January, also notes how bad actors can obtain valid encryption certificates for an organization’s domain. Using that document, these malefactors can decrypt traffic that’s been redirected to their infrastructure and thereby expose personal information along with other user-submitted data.
Acknowledging the dangers of this ongoing campaign, DHS orders federal agencies to protect themselves against DNS infrastructure tampering. As quoted in its emergency directive:
To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.
Under the directive, federal agencies must audit their public DNS records to make sure they resolve to the same location. They also need to update all of the passwords for system accounts that can make changes to DNS records, add multi-factor authentication (MFA) to those accounts and monitor Certificate Transparency (CT) logs for certificates which they did not request.
These agencies are expected to complete that guidance within 10 business days, a period which could be difficult given the ongoing federal shutdown and its impact on digital security.
For its part, CISA said it will work with agencies to report anomalous DNS records and deliver newly added certificates to CT logs, as well as provide additional support.