DHS Issues Emergency Directive Following DNS Attacks

Share On Facebook
Share On Twitter
Share On Linkedin

On January 22, 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive 19-01, “Mitigate DNS Infrastructure Tampering,” in response to recent reports by FireEye and Cisco’s Talos Intelligence Group indicating that “dozens of domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East and North Africa, Europe and North America” had been victims of a series of sophisticated attacks.  In these attacks, malicious actors used compromised credentials for DNS registrar and DNS hosting accounts to modify the victims’ DNS data and redirect mail and web traffic to servers impersonating the legitimate ones.  Also using their control of the victims’ DNS data, the attackers were able to use the Let’s Encrypt service to issue TLS certificates to install on the impersonating servers, tricking visitors into believing they were accessing the web or mail servers securely.  The attackers’ servers then acted as “men in the middle,” connecting to the correct, legitimate servers on behalf of visitors, but observing all traffic passing through them.

Infoblox announces industry-first cloud-managed DDI for the branch office

The emergency directive requires U.S. government agencies audit all “agency-managed domains” to:

  • Determine whether their data has been modified
  • Change passwords on all accounts with the ability to modify agencies’ DNS data
  • Enable multi-factor authentication on those same accounts, if possible
  • Monitor logs to determine if unauthorized certificates have been issued for their agencies

According to the directive, these measures must be completed by February 5, 2019. (I sure hope the Federal government isn’t still shut down then.)

I’d note that these precautions are useful not just for U.S. government domains, but for any important domains run by organizations around the world, government or not. For all the attention that we give to cache poisoning attacks, it’s much more common for attackers to gain control of a victim’s DNS data using stolen or guessed credentials to a registrar or DNS hosting account.

Labels:

Cricket Liu

Chief DNS Architect at Infoblox

Cricket is one of the world’s leading experts on the Domain Name System (DNS), and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an Internet consulting and training company, Acme Byte & Wire, after running the hp.com domain at Hewlett-Packard. Cricket is a prolific speaker and author, having written a number of books including “DNS and BIND,” one of the most widely used references in the field, now in its fifth edition.

View All Posts
×