DHS issues emergency directive about DNS hijacking attacks

On the U.S. Department of Homeland Security’s website, a post entitled "Emergency Directive 19-01" raises an alert about an influx of DNS hijacking and describes countermeasures for federal agencies to take against it. According to the emergency directive, which cites 44 U.S.C. § 3553(h)(1)–(2) as its legal basis for action against the threat, the DHS has detected a “series of incidents” indicative of DNS infrastructure tampering.

The DHS post gives the following information as evidence of the threat:

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

The emergency directive requires all federal agencies to carry out every action the DHS deems necessary to mitigate the DNS hijacking threat.

The required actions include the following (all of which must be completed within 10 days, or the agency risks being reported to CISA):

• Agencies must audit the public DNS records of all .gov or other agency-managed domains.

• Passwords must be changed on every account that is able to alter DNS records.

• Multi-factor authentication must be enabled on every account with the ability to change DNS records.

• Federal agencies are required to monitor “CT log data for certificates issued that they did not request” and report any unauthorized certificate to CISA.
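To make the first and last of these actions concrete, here is an added example (not from the directive or the article) that compares a constructed DNS baseline against observed record sets and flags CT log entries whose serials the agency never requested. The domain, addresses, issuers and serials are all constructed placeholders, and the observed data is assumed to have been fetched beforehand (from resolvers and a CT log) rather than queried live.

```python
"""Baseline checks for two of the directive's actions: audit public DNS records
against what the agency expects to publish, and flag certificates seen in CT
logs that the agency did not request."""

# Constructed baseline: the A, MX and NS record sets a hypothetical agency
# publishes for example.gov. Keyed by (owner name, record type).
EXPECTED_RECORDS = {
    ("example.gov", "A"): {"192.0.2.10"},
    ("example.gov", "MX"): {"mail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}

# Constructed observation, as public resolvers might return it. An extra MX
# value pointing at a host the agency does not own mirrors step 2 above.
OBSERVED_RECORDS = {
    ("example.gov", "A"): {"192.0.2.10"},
    ("example.gov", "MX"): {"mail.example.gov.", "mx.attacker.example."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}


def audit_dns(expected, observed):
    """Return (name, rtype, unexpected_values, missing_values) for every record
    set whose observed values differ from the baseline; empty list means clean."""
    findings = []
    for key in sorted(set(expected) | set(observed)):
        exp = expected.get(key, set())
        obs = observed.get(key, set())
        if exp != obs:
            findings.append((key[0], key[1], sorted(obs - exp), sorted(exp - obs)))
    return findings


# Constructed CT log entries for the agency's domain, plus the serials of the
# certificates the agency's own records say it actually requested.
REQUESTED_SERIALS = {"01ab", "02cd"}
CT_ENTRIES = [
    {"domain": "example.gov", "issuer": "Example CA", "serial": "01ab"},
    {"domain": "example.gov", "issuer": "Example CA", "serial": "02cd"},
    {"domain": "example.gov", "issuer": "Other CA", "serial": "ff99"},  # never requested
]


def unrequested_certificates(entries, requested_serials):
    """Return CT entries whose serial is not in the agency's request records;
    each one is a candidate for reporting as an unauthorized certificate."""
    return [e for e in entries if e["serial"] not in requested_serials]


if __name__ == "__main__":
    for name, rtype, extra, missing in audit_dns(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"{name} {rtype}: unexpected={extra} missing={missing}")
    for e in unrequested_certificates(CT_ENTRIES, REQUESTED_SERIALS):
        print(f"unrequested certificate for {e['domain']} from {e['issuer']}, serial {e['serial']}")
```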

According to the post, the DHS emergency directive will remain in effect indefinitely until “replaced by a subsequent Binding Operational Directive or terminated through other appropriate action.” What irks me as a cybersecurity professional is how the US government was not already practicing better security with regards to its DNS accounts. It always seems to be a major incident that causes changes when it comes to governmental InfoSec practices, leaving countless attack vectors open for hackers to infiltrate.

I would say that this hopefully causes the government to rethink its policies with regards to InfoSec, but I won’t hold my breath.

Featured image: Wikimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
