DHS issues security order after DNS hijack attacks from Iran, 6 agency domains already affected

The Department of Homeland Security on Tuesday issued an emergency directive requiring federal civilian agencies to lock down the credentials for the accounts that control their internet domain records.

The directive follows a recent report of a DNS hijacking campaign said to have originated in Iran.

In today's directive, DHS tells agency system managers to audit their DNS records for unauthorized edits, change the passwords on every account through which DNS records can be altered, turn on multi-factor authentication for those same accounts, and monitor Certificate Transparency logs for certificates issued for their domains that they did not request. Agencies have ten business days (roughly two weeks) to complete the required actions.

Cyberscoop today reported that DHS is aware of at least six civilian agency domains that have been impacted by DNS hijacks.

Read it in full at cyber.dhs.gov: Emergency Directive 19-01 [January 22, 2019], 'Mitigate DNS Infrastructure Tampering.' There's also a PDF link.

Excerpt from the 'background' section of the document:

In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.
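The attack chain the directive describes (record tampering at the A/MX/NS level, followed by certificate issuance against the hijacked names) and the two detection steps it requires (audit DNS records, watch Certificate Transparency logs), as an added example that is not code or text from the directive or the article: a Python script that compares a snapshot of served records against a baseline, flags a record whose TTL has been cut suspiciously low, and checks CT search results for certificates covering the organisation's names from an issuer it does not use. Every name, address, issuer string and record is constructed for the example; the zone snapshot mimics dig's answer-section text and the CT entries mimic the JSON shape crt.sh returns, but nothing here is real data.

```python
import json

# Constructed baseline: the records the organisation believes are authoritative.
# Keys are owner names without the trailing dot; values map record type to the
# set of expected rdata strings in dig's text form.
BASELINE = {
    "example.gov": {
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.gov."},
        "NS": {"ns1.example.gov.", "ns2.example.gov."},
    },
    "mail.example.gov": {
        "A": {"192.0.2.25"},
    },
}

# Constructed snapshot of what the zone currently serves, one record per line
# in dig's answer-section format: name TTL class type rdata. The mail host now
# points outside the baseline and its TTL has been cut to 60 s, which is what
# a hijack that intends to flip the record back later tends to look like.
CURRENT_ZONE = """\
example.gov.        300 IN A  192.0.2.10
example.gov.        300 IN MX 10 mail.example.gov.
example.gov.        300 IN NS ns1.example.gov.
example.gov.        300 IN NS ns2.example.gov.
mail.example.gov.   60  IN A  198.51.100.77
"""

AUDITED_TYPES = ("A", "AAAA", "MX", "NS")


def parse_zone(text):
    """Parse dig-style lines into ({name: {type: set(rdata)}}, {(name, type): ttl})."""
    records, ttls = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        name = name.rstrip(".")
        records.setdefault(name, {}).setdefault(rtype, set()).add(rdata.strip())
        ttls[(name, rtype)] = int(ttl)
    return records, ttls


def audit_records(baseline, current, ttls, min_ttl=300):
    """Return (name, type, kind, value) findings: unexpected, missing, low_ttl, unbaselined."""
    findings = []
    for name, types in baseline.items():
        served = current.get(name, {})
        for rtype, expected in types.items():
            observed = served.get(rtype, set())
            for val in sorted(observed - expected):
                findings.append((name, rtype, "unexpected", val))
            for val in sorted(expected - observed):
                findings.append((name, rtype, "missing", val))
            ttl = ttls.get((name, rtype))
            if ttl is not None and ttl < min_ttl:
                findings.append((name, rtype, "low_ttl", str(ttl)))
    # Names being served that have no baseline entry at all (e.g. a new delegation).
    for name in sorted(set(current) - set(baseline)):
        for rtype in current[name]:
            if rtype in AUDITED_TYPES:
                findings.append((name, rtype, "unbaselined", ""))
    return findings


# Constructed CT search results in the shape crt.sh returns (issuer_name,
# newline-separated name_value). The second entry is a certificate nobody at
# the organisation requested: whoever controls the DNS records can pass a
# DNS- or HTTP-based domain validation and obtain one from any public CA.
CT_ENTRIES = json.loads("""[
  {"id": 1001, "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust OV",
   "name_value": "example.gov\\nwww.example.gov", "not_before": "2018-11-02T00:00:00"},
  {"id": 1002, "issuer_name": "C=US, O=Other Public CA, CN=Other DV",
   "name_value": "mail.example.gov", "not_before": "2019-01-10T03:14:00"}
]""")

APPROVED_ISSUERS = {"O=Example Trust CA"}  # constructed: the CA the org actually uses


def audit_ct(entries, approved_issuers, monitored):
    """Flag CT entries naming a monitored domain (or a subdomain of one) whose issuer is not approved."""
    findings = []
    for e in entries:
        names = e["name_value"].split("\n")
        covered = [n for n in names
                   if any(n == m or n.endswith("." + m) for m in monitored)]
        if not covered:
            continue
        if any(a in e["issuer_name"] for a in approved_issuers):
            continue
        findings.append((e["id"], e["issuer_name"], tuple(covered), e["not_before"]))
    return findings


def run_audit():
    current, ttls = parse_zone(CURRENT_ZONE)
    return audit_records(BASELINE, current, ttls), audit_ct(CT_ENTRIES, APPROVED_ISSUERS, set(BASELINE))


if __name__ == "__main__":
    dns_findings, ct_findings = run_audit()
    for f in dns_findings:
        print("DNS  %-20s %-4s %-11s %s" % f)
    for f in ct_findings:
        print("CERT id=%s issuer=%s names=%s not_before=%s" % f)
```

Against the constructed data the DNS audit reports the unexpected address, the missing baseline address and the low TTL on mail.example.gov, and the CT audit reports certificate 1002. In practice the baseline is the thing to protect: keep it in version control outside the registrar and DNS-hosting accounts, since those are exactly the accounts the attacker in this campaign had taken over.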

Excerpt from a related report by Catalin Cimpanu at ZDNet's Zero Day blog:

The DHS US-CERT alert was based on a report published last week by US cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies.

The purpose of these DNS hijacks was to redirect web traffic meant for companies and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials.

According to FireEye, the supposed Iranian group changed DNS records for victim companies/agencies after hacking into web hosting or domain registrar accounts, where they modified the DNS records of official websites, pointing web traffic towards their malicious servers, and later redirecting the legitimate traffic to the victim's legitimate site after collecting login details.