DHS issues emergency directive about DNS hijacking attacks

On the U.S. Department of Homeland Security's website, a post entitled "Emergency Directive 19-01" raised an alert about an influx of DNS hijacking and described countermeasures for federal agencies to take against it. The directive, which cites 44 U.S.C. § 3553(h)(1)–(2) as the legal basis for action against the threat, states that DHS has detected a "series of incidents" indicative of DNS infrastructure tampering.

The DHS post gives the following information as evidence of the threat:

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

The emergency directive compels all federal agencies to carry out the actions DHS deems necessary to mitigate the DNS hijacking threat.

The required actions include the following (all of which must be completed within 10 business days, with agencies reporting their status and completion to CISA):

• For all .gov or other agency-managed domains, audit the public DNS records on all authoritative and secondary DNS servers to verify that they resolve to the intended location.

• Change the passwords on all accounts on systems that can make changes to the agency's DNS records.

• Add multi-factor authentication to all accounts on systems that can make changes to the agency's DNS records.

• Monitor Certificate Transparency (CT) log data "for certificates issued that they did not request" and report any unauthorized certificate to CISA.
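The first and fourth actions are the ones that catch the tampering described in the DHS summary above (swapped A/MX/NS records, and certificates an attacker obtained by controlling the zone). Below is an added example of what those two checks look like in code; it is my illustration, not code from DHS/CISA or from the original post. The domain agency.example, the baseline, the "observed" records and the CT entries are all constructed sample data; in practice the observed records would come from querying every authoritative and secondary server (for instance with dnspython) and the CT entries from a Certificate Transparency monitor such as a crt.sh domain search, whose JSON field names the constructed entries imitate.

```python
"""Checks behind ED 19-01's DNS audit and CT-log monitoring actions.

Added example, not DHS/CISA code. All inputs are constructed sample data and
agency.example is a placeholder domain. OBSERVED stands in for live queries
against each authoritative and secondary server; CT_ENTRIES stands in for a
Certificate Transparency monitor's output (crt.sh-style fields).
"""
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]  # (owner name, record type)

# Record values the agency intends to publish.  Constructed.
BASELINE: Dict[RecordKey, Set[str]] = {
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("www.agency.example", "A"): {"203.0.113.10"},
}

# What an audit of the authoritative servers returned.  Constructed so that the
# MX record now points at an attacker-controlled relay and an extra A record
# has appeared, as in step 2 of the DHS description.
OBSERVED: Dict[RecordKey, Set[str]] = {
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("agency.example", "MX"): {"10 mx.evil-relay.example."},
    ("www.agency.example", "A"): {"203.0.113.10", "198.51.100.7"},
}


def audit_dns(baseline, observed):
    """Compare observed record sets with the baseline.

    Returns one finding per deviating (name, type) as
    (name, type, unexpected_values, missing_values); a record set present on
    only one side is also a deviation.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        unexpected = sorted(seen - expected)
        missing = sorted(expected - seen)
        if unexpected or missing:
            findings.append((key[0], key[1], unexpected, missing))
    return findings


# Certificates the agency itself requested, keyed by (issuer DN, serial).  Constructed.
KNOWN_CERTS: Set[Tuple[str, str]] = {
    ("C=US, O=Example CA, CN=Example CA Issuing 1", "04a1b2c3"),
}

# CT entries shaped like a crt.sh JSON domain search (name_value holds one SAN
# per line).  Constructed: entry 2 is a certificate for mail.agency.example that
# nobody at the agency requested (step 3 of the DHS description); entry 3 is a
# look-alike domain that must not be matched.
CT_ENTRIES: List[Dict[str, str]] = [
    {"issuer_name": "C=US, O=Example CA, CN=Example CA Issuing 1",
     "serial_number": "04a1b2c3",
     "name_value": "agency.example\nwww.agency.example"},
    {"issuer_name": "C=US, O=Free Issuer, CN=Free Issuer X1",
     "serial_number": "0FF0E1D2",
     "name_value": "mail.agency.example"},
    {"issuer_name": "C=US, O=Free Issuer, CN=Free Issuer X1",
     "serial_number": "77aa88bb",
     "name_value": "notagency.example"},
]


def covers_domain(san: str, domain: str) -> bool:
    """True if a SAN (possibly a wildcard) names the domain or a name under it.

    Matches on whole labels, so 'notagency.example' is not under 'agency.example'.
    """
    san = san.strip().lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    domain = domain.lower().rstrip(".")
    return san == domain or san.endswith("." + domain)


def unrequested_certs(entries, known, domains):
    """Return CT entries covering one of `domains` that the agency did not request."""
    flagged = []
    for entry in entries:
        sans = [s for s in entry["name_value"].split("\n") if s.strip()]
        if not any(covers_domain(s, d) for s in sans for d in domains):
            continue  # not one of our names
        if (entry["issuer_name"], entry["serial_number"].lower()) in known:
            continue  # we requested this certificate
        flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for name, rtype, unexpected, missing in audit_dns(BASELINE, OBSERVED):
        print(f"DNS  {name} {rtype}: unexpected={unexpected} missing={missing}")
    for cert in unrequested_certs(CT_ENTRIES, KNOWN_CERTS, ["agency.example"]):
        print(f"CERT {cert['name_value']!r} serial {cert['serial_number']} "
              f"issued by {cert['issuer_name']} was not requested by us")
```

Two design points matter here. The DNS audit compares sets rather than single values, because a hijacker can add a record alongside the legitimate one (the extra A record above) as easily as replace it, and the directive asks for every record to resolve to the intended location. The certificate check keys on issuer plus serial, not on the subject name, because a certificate for a name you own from a CA you never used is exactly the "valid certificate, no browser warning" case in step 3 of the DHS description.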

According to the post, the DHS emergency directive will remain in effect until "replaced by a subsequent Binding Operational Directive or terminated through other appropriate action." What irks me as a cybersecurity professional is how the US government was not already practicing better security with regards to its DNS accounts. It always seems to be a major incident that causes changes when it comes to governmental InfoSec practices, leaving countless attack vectors open for hackers to infiltrate.

I would say that this hopefully causes the government to rethink its policies with regards to InfoSec, but I won’t hold my breath.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
