The Department of Homeland Security's newly created Cybersecurity and Infrastructure Security Agency (CISA) issued its first-ever emergency directive on Tuesday, instructing federal government agencies to take preventative measures against an ongoing DNS hijacking campaign that has recently affected several executive branch domains.
Cisco Systems' Talos research unit first reported on the DNS infrastructure tampering in November 2018. The attacks, which FireEye has tentatively attributed to Iran-sponsored actors, have hit targets not only in North America, but also in Middle East and North Africa and Europe.
In a typical scenario, the attackers compromise or steal credentials that allow them to access a specific organization's DNS records. They then modify those records by replacing the organization's legitimate website address with a malicious address, where unsuspecting site visitors will be redirected. The perpetrators also obtain valid encryption certificates for the target's domain names, which allows them to decrypt any sensitive data that gets redirected to them.
Under authorities granted by Congress in the Cybersecurity Act of 2015, CISA responded with Emergency Directive 19-01, which orders federal agencies to audit their public DNS records for all authoritative and secondary DNS servers to ensure users are directed to the correct online destination. To further mitigate risk, agencies are also to change DNS account passwords, add multi-factor authentication as a security feature. Agency officials have until Feb. 5 to comply.
The directive also states that within 10 business days, CISA will "begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains..." Agencies must then respond by monitoring CT log data for any unauthorized certificates.
In turn, CISA will provide technology assistance to agencies that discover any anomalous DNS records.
The Cybersecurity and Infrastructure Security Agency was formed on Nov. 18, 2018 when President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018, which redesignated the National Protection and Programs Directorate (NPPD) as CISA.
In a blog post on Thursday, CISA Director Christopher Krebs explained why the threat prompted his agency to deliver a directive. "We know an active attacker is targeting government organizations," wrote Krebs. "Using techniques that aren't especially innovative, we know they can intercept and manipulate legitimate traffic, make services unavailable or cause delay, harvest information like credentials or emails, or cause a range of other malicious activities."
"We know that this type of attack isn’t something many organizations monitor for or have tight controls around," he continued. We know an active attacker is targeting government organizations. "Because it’s our responsibility to take actions to protect federal systems, we felt an urgent response was required to address the risk."