The US’s recently established Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring “immediate action to protect Federal information systems from ongoing DNS hijacking and tampering activities.”
The announcement by Director Chris Krebs comes after the agency – set up last year to lead national efforts to defend critical infrastructure – was alerted to ongoing DNS hijacking and tampering activities by US cybersecurity company FireEye.
The directive lays out a set of risk-informed, straightforward, and high impact/low burden actions that agencies must take to harden systems and improve awareness and trustworthiness of key security processes. 3/7
— Chris Krebs #Protect2020 (@CISAKrebs) January 23, 2019
It follows a Department of Homeland Security alert based on a FireEye report that detailed a coordinated DNS hijacking campaign, during which a group believed to operate out of Iran had manipulated DNS records for gov’t agencies.
The DHS has demanded four actions.
1: Audit DNS Records: “Within 10 business days, for all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location. If any do not, report them to CISA.”
2: Change DNS Account Passwords: “Within 10 business days, update the passwords for all accounts on systems that can make changes to your agency’s DNS records.”
3: Add Multi-Factor Authentication to DNS Accounts: “Within 10 business days, implement multi-factor authentication (MFA) for all accounts on systems that can make changes to your agency’s DNS records.”
4: Monitor Certificate Transparency Logs: “Within 10 business days, CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains, via the Cyber Hygiene service.”
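The first action, auditing public records on every authoritative and secondary server against what the agency intends, can be scripted as a baseline comparison. The following is an added example, not code from the article or from CISA; the domain, server names and addresses are constructed sample data, and a real run would populate the observed answers by querying each server.

```python
"""Audit of public DNS records against an intended baseline (directive action 1).
All names and addresses below are constructed sample data; a real run would fill
OBSERVED by querying every authoritative and secondary server for each record."""
from collections import namedtuple

Finding = namedtuple("Finding", "server name rtype problem detail")

# Intended records, keyed by (owner name, record type) -> set of RDATA strings.
BASELINE = {
    ("example.gov", "A"): {"192.0.2.10"},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("mail.example.gov", "A"): {"192.0.2.25"},
}

# Answers as returned by each authoritative server. ns2 plays the tampered one:
# its apex A record points elsewhere, a foreign NS was added, and MX is gone.
OBSERVED = {
    "ns1.example.gov.": dict(BASELINE),
    "ns2.example.gov.": {
        ("example.gov", "A"): {"198.51.100.7"},
        ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov.",
                                "ns.hijacker.example."},
        ("mail.example.gov", "A"): {"192.0.2.25"},
    },
}


def audit(baseline, observed):
    """Return one Finding per record that any server answers differently
    from the baseline: changed or extra RDATA, a record that vanished, or a
    record the baseline does not list at all."""
    findings = []
    for server, answers in observed.items():
        for (name, rtype), expected in baseline.items():
            got = answers.get((name, rtype))
            if got is None:
                findings.append(Finding(server, name, rtype, "missing", ""))
                continue
            extra, absent = got - expected, expected - got
            if extra or absent:
                detail = f"unexpected={sorted(extra)} absent={sorted(absent)}"
                findings.append(Finding(server, name, rtype, "mismatch", detail))
        for name, rtype in answers.keys() - baseline.keys():
            detail = str(sorted(answers[(name, rtype)]))
            findings.append(Finding(server, name, rtype, "unlisted", detail))
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED):
        print(f"{f.server} {f.name} {f.rtype}: {f.problem} {f.detail}")
```

Comparing every server separately, rather than only the resolver's answer, is what surfaces a single tampered authoritative server whose colleagues still serve the intended data.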
Fixing DNS Hijacking: Not Easy During a Government Shutdown…
Furloughed staff are understood to be being called back in, but they may not be paid owing to the government shutdown. Krebs said: “Though we recognize that some agencies may have challenges implementing the directive during the ongoing partial government shutdown, we believe these actions are necessary, urgent, and implementable as most agencies are adequately staffed to take the necessary actions.”
He added: “The American public should never have to question the security of their interactions with the federal government, whether their sensitive data is at risk, or that the information they rely on from the Government may have been tampered with.”
FireEye said of the attacks: “This type of attack is difficult to defend against, because valuable information can be stolen, even if an attacker is never able to get direct access to your organization’s network. Some steps to harden your organization include: Implement multi-factor authentication on your domain’s administration portal; validate A and NS record changes; search for SSL certificates related to your domain and revoke any malicious certificates; validate the source IPs in OWA/Exchange logs; conduct an internal investigation to assess if attackers gained access to your environment.”