On the U.S. Department of Homeland Security’s website, a post entitled "Emergency Directive 19-01" raises an alert about an influx of DNS hijacking and describes countermeasures for federal agencies to take against it. According to the emergency directive, which relies on 44 U.S.C. § 3553(h)(1)–(2) as its legal basis for action against the threat, the DHS has detected a “series of incidents” that are indicative of DNS infrastructure tampering.
The DHS post gives the following information as evidence of the threat:
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
- The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
- Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
- Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
The emergency directive compels all federal agencies to carry out every action that the DHS deems necessary to mitigate the DNS hijacking threat.
The enforceable actions include the following (all of which need to be completed within 10 days or risk being reported to CISA):
• All .gov or other agency-managed domains must audit their public DNS records.
• Any account that is able to alter DNS records must have its password changed.
• Accounts with the ability to change DNS records have to institute multi-factor authentication.
• Federal agencies are required to monitor “CT log data for certificates issued that they did not request” and report any unauthorized certificate to CISA.
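The attack steps above hinge on A, MX, or NS records being silently replaced, and the first required action is an audit of public DNS records. The following is an added example (not code from the directive or from DHS) of how such an audit can be scripted: it diffs the record sets observed in public DNS against an approved baseline and reports additions, removals, and record sets the baseline never had, while ignoring harmless ordering and case differences. The zone name, baseline, and observed data are constructed placeholders; in practice the observed sets would come from live queries of each authoritative server.

```python
# Constructed baseline and observation for a placeholder zone (agency.example.),
# not a real agency domain. In production, OBSERVED is built from live queries
# (e.g. dnspython or dig) against each public authoritative name server.
BASELINE = {
    ("www.agency.example.", "A"): {"192.0.2.10"},
    ("agency.example.", "MX"): {"10 mail1.agency.example.", "20 mail2.agency.example."},
    ("agency.example.", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
}

OBSERVED = {
    ("www.agency.example.", "A"): {"198.51.100.7"},            # A now points elsewhere
    ("agency.example.", "MX"): {"10 mail1.agency.example."},   # secondary MX removed
    ("agency.example.", "NS"): {"ns2.agency.example.", "ns1.agency.example."},  # same set, reordered
    ("vpn.agency.example.", "A"): {"203.0.113.5"},             # record set absent from baseline
}

def normalize(values):
    """Lower-case and collapse whitespace so order/case differences are not flagged."""
    return {" ".join(v.lower().split()) for v in values}

def audit(baseline, observed):
    """Return sorted (owner, type, problem) tuples where public DNS deviates from
    the approved baseline. Identical record sets produce no finding."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        want = normalize(baseline.get(key, set()))
        have = normalize(observed.get(key, set()))
        if key not in baseline:
            findings.append((*key, f"unexpected record set: {sorted(have)}"))
        elif key not in observed:
            findings.append((*key, "record set missing from public DNS"))
        elif want != have:
            findings.append((*key,
                f"drift: added={sorted(have - want)} removed={sorted(want - have)}"))
    return findings

if __name__ == "__main__":
    for owner, rtype, problem in audit(BASELINE, OBSERVED):
        print(f"{owner:<24}{rtype:<4}{problem}")
```

Any finding on an A, MX, or NS record that no authorized change request explains is the signal the directive asks agencies to look for.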
According to the post, the DHS emergency directive will remain in effect indefinitely until “replaced by a subsequent Binding Operational Directive or terminated through other appropriate action.” What irks me as a cybersecurity professional is how the US government was not already practicing better security with regard to its DNS accounts. It always seems to be a major incident that causes changes when it comes to governmental InfoSec practices, leaving countless attack vectors open for hackers to infiltrate.
I would say that this hopefully causes the government to rethink its policies with regard to InfoSec, but I won’t hold my breath.