The Homeland Security Department (DHS) issued a directive to agencies addressing a major cybersecurity threat that could allow hackers to steal encrypted data with users none the wiser.
The Cybersecurity and Infrastructure Security Agency (CISA) of DHS released its first emergency directive on Jan. 22 concerning a number of Domain Name System (DNS) infrastructure tampering incidents. DNS controls internet traffic flow worldwide by translating human-readable domain names into the numeric IP addresses computers use to perform functions, like sending an email. A DNS record pairs the domain name of your site with the address that the name resolves to.
“Like real life, if someone can change your address, lots of bad things can happen,” Christopher Krebs, Director of the CISA wrote in a blog post. “The same is true of DNS.”
Attackers have rerouted and intercepted web and mail communications by first compromising the credentials of an account that has the capability to change DNS records. They then tamper with those records by replacing correct service addresses with addresses under their control. Users directed to the hackers’ infrastructure are exposed to inspection or manipulation of their traffic, and user-submitted data may be decrypted. After the data is intercepted, the hackers can forward the users on to the real address, so everything looks normal to them.
“This is roughly equivalent to someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox,” Krebs said. “Lots of harmful things could be done to you (or the senders) depending on the content of that mail.”
This activity has been observed against government and communications infrastructure in North America, Europe, the Middle East and North Africa. Researchers at FireEye alerted DHS to the attacks as early as Jan. 9. They wrote in a blog post that “initial research suggests the actor[s] responsible have nexus to Iran.”
Krebs tweeted about the directive on Jan. 23, writing that “The directive lays out a set of risk-informed, straightforward, and high impact/low burden actions that agencies must take to harden systems and improve awareness and trustworthiness of key security processes.”
Agencies have until Feb. 5 to complete the following four required actions:
- Audit public DNS records on all DNS servers to make sure that they route to the intended location. Report them to CISA if they do not.
- Update passwords for all DNS accounts on systems that can change DNS records.
- Enable multi-factor authentication (MFA) on all accounts on systems that can make changes to DNS records. If MFA cannot be set up, report the reason why to CISA.
- CISA will deliver Certificate Transparency (CT) logs for agency domains through the Cyber Hygiene service. It is up to agencies to monitor that CT log data for unauthorized issuance of certificates and report any such certificates to CISA.
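The first action above, checking that public DNS records still point where they are supposed to, as an added example that is not part of the directive or CISA's own tooling: a Python script that compares a saved baseline of intended records against a current snapshot of what the authoritative server returns and flags any value that points somewhere unexpected or has disappeared. The domain names and addresses are constructed sample values.

```python
import re
from collections import defaultdict

# Baseline of intended records for a hypothetical agency zone (constructed sample).
BASELINE = """
www.agency.example.   A    192.0.2.10
mail.agency.example.  A    192.0.2.25
agency.example.       MX   10 mail.agency.example.
agency.example.       NS   ns1.agency.example.
agency.example.       NS   ns2.agency.example.
"""

# Constructed snapshot of the live zone: the web A record has been repointed
# and an extra NS record has appeared, the two signs of tampering to catch.
OBSERVED = """
www.agency.example.   A    198.51.100.77
mail.agency.example.  A    192.0.2.25
agency.example.       MX   10 mail.agency.example.
agency.example.       NS   ns1.agency.example.
agency.example.       NS   ns2.agency.example.
agency.example.       NS   ns.unrecognized.example.
"""

def parse_records(text):
    """Parse 'name TYPE rdata' lines into {(name, type): set(rdata)}, lowercasing
    and stripping trailing dots so cosmetic differences do not raise alarms."""
    records = defaultdict(set)
    for line in text.strip().splitlines():
        fields = re.split(r"\s+", line.strip())
        if len(fields) < 3 or fields[0].startswith(";"):
            continue  # skip blank, malformed or comment lines
        name, rtype, rdata = fields[0], fields[1].upper(), " ".join(fields[2:])
        records[(name.lower().rstrip("."), rtype)].add(rdata.lower().rstrip("."))
    return records

def audit(baseline, observed):
    """Return (status, name, type, value) findings: UNEXPECTED for values the
    baseline never listed, MISSING for baseline values no longer served."""
    expected, current = parse_records(baseline), parse_records(observed)
    findings = []
    for key in sorted(set(expected) | set(current)):
        for value in sorted(current.get(key, set()) - expected.get(key, set())):
            findings.append(("UNEXPECTED", key[0], key[1], value))
        for value in sorted(expected.get(key, set()) - current.get(key, set())):
            findings.append(("MISSING", key[0], key[1], value))
    return findings

if __name__ == "__main__":
    for status, name, rtype, value in audit(BASELINE, OBSERVED):
        print(f"{status:10} {name} {rtype} {value}")
```

In practice the OBSERVED text would be produced by querying each authoritative server directly, and any finding is what the directive asks agencies to report to CISA.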
By Feb. 8, CISA will give a report to the DHS Secretary and the Director of the Office of Management and Budget (OMB) pinpointing agency status and outstanding matters for further consideration.