Attackers have begun to take advantage of the government shutdown in the United States, launching a DNS-hijacking campaign targeting federal departments that has prompted an emergency directive from the country’s top cybersecurity agency ordering agencies to implement multi-factor authentication on privileged accounts and audit their DNS records, among other actions.
The emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA), published Jan. 22, is the first one the agency has issued and comes at a time when much of the federal government’s workforce is idle, including technical personnel. The directive is just the third in the last 12 months and it includes a rather dire warning about the ongoing DNS hijacking activity, which the agency says has affected “multiple executive branch agency domains”.
CISA’s directive says that the ongoing attacks begin with adversaries compromising the credentials used for accounts that have access to an agency’s DNS records. The attackers then modify one or more of the address, mail exchange, and name server records so that the agency’s legitimate address is swapped out for one the attacker controls.
“This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection,” the CISA directive says.
“Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”
In its directive, CISA orders agencies to implement MFA on accounts with access to DNS records within 10 business days and audit public DNS records for suspicious entries within the same time frame. The directive also orders agencies to change the passwords on accounts with access to DNS records and to monitor certificate transparency logs for unexpected certificates. CISA plans to deliver new certificates for affected domains in the next few days.
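The directive's "audit public DNS records for suspicious entries" action amounts to diffing the address, mail exchange and name server records an agency currently publishes against a known-good baseline. The script below is an added example of that check, not CISA's or any agency's tooling; every hostname, address and record in it is constructed sample data, so it runs offline.

```python
"""Baseline audit of public DNS records, in the spirit of the CISA directive's
"audit public DNS records" action.  Added example, not CISA's tooling.
All hostnames, IPs and records below are constructed sample data."""
from dataclasses import dataclass

# The record types the directive names as the ones attackers modify.
AUDITED_TYPES = ("A", "MX", "NS")


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset

    def describe(self) -> str:
        added = sorted(self.observed - self.expected)
        removed = sorted(self.expected - self.observed)
        return f"{self.name} {self.rtype}: unexpected={added} missing={removed}"


def audit_zone(baseline, observed):
    """Compare an observed record snapshot against a known-good baseline.
    Both are dicts of {(owner_name, rtype): set of rdata strings}.
    Returns one Finding per audited (name, type) whose record set differs,
    including names present on only one side (a record added or deleted)."""
    findings = []
    keys = {k for k in set(baseline) | set(observed) if k[1] in AUDITED_TYPES}
    for key in sorted(keys):
        exp = frozenset(baseline.get(key, ()))
        obs = frozenset(observed.get(key, ()))
        if exp != obs:
            findings.append(Finding(key[0], key[1], exp, obs))
    return findings


# Constructed baseline: what the zone is supposed to say.
BASELINE = {
    ("www.agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("agency.example", "TXT"): {"v=spf1 mx -all"},  # not an audited type
}
# Constructed "live" snapshot showing the pattern the directive describes:
# the A record now points elsewhere and an extra MX record has been inserted.
OBSERVED = {
    ("www.agency.example", "A"): {"198.51.100.7"},
    ("agency.example", "MX"): {"10 mail.agency.example.", "5 mx.other.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("agency.example", "TXT"): {"v=spf1 mx -all"},
}

if __name__ == "__main__":
    for finding in audit_zone(BASELINE, OBSERVED):
        print("SUSPICIOUS", finding.describe())
```

In real use OBSERVED would be filled from live queries against several independent resolvers (the authoritative servers and public recursors), since a hijack may only be visible from some vantage points; it is hard-coded here so the audit runs without network access.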
DNS hijacking and tampering can come in lots of different shapes and sizes, but the ultimate goal is the same: silently redirecting traffic through an attacker-controlled server. The sequence the CISA directive describes is a typical chain of events for this kind of campaign and most large organizations--such as federal agencies--have some experience with DNS hijacking, whether it’s accidental or malicious. But due to the government shutdown that’s now in its second month, many government agencies are working with skeleton IT and security staffs and could have problems finding the personnel to implement the changes that CISA is ordering.
Chris Krebs, the director of CISA, said in a series of messages on Twitter that the agency realizes that some agencies are short of staff, but still expects those agencies to take the necessary steps.
“The American public should never have to question the security of their interactions with the federal government, whether their sensitive data is at risk, or that the information they rely on from the Government may have been tampered with,” Krebs said.
“Though we recognize that some agencies may have challenges implementing the directive during the ongoing partial government shutdown, we believe these actions are necessary, urgent, and implementable as most agencies are adequately staffed to take the necessary actions.”
Security firms FireEye and Cisco Talos have published technical analyses of recent DNS-hijacking campaigns targeting various organizations, including some government agencies in the Middle East. It’s not clear whether the current campaign affecting federal agencies is related to the earlier attacks, but the effects are similar. Security experts emphasize that the weaknesses that lead to DNS hijacking or tampering are well-understood and easily addressed.
“This goes under the category of unforced errors. With a little bit of due diligence you can keep yourself out of trouble here. A lot of people outsource DNS to a third-party provider and they might not have the best security hygiene on that portal, so if I can get in there with someone’s credentials then that gives me a pretty high level of control,” said Patrick Sullivan, senior director of security technology and strategy at Akamai.
“If you control DNS, you control quite a bit of that site. This isn’t one of those exotic attacks where the attacker is using a mind-blowing technique. It’s an education effort.”
CISA’s Krebs said in a blog post published Jan. 24 that the agency is still assessing the effects of the DNS-tampering attacks on federal agencies, but that officials were concerned enough to issue the directive and get agencies moving to counter the threat.
“We know an active attacker is targeting government organizations. Using techniques that aren’t especially innovative, we know they can intercept and manipulate legitimate traffic, make services unavailable or cause delay, harvest information like credentials or emails, or cause a range of other malicious activities. We know that this type of attack isn’t something many organizations monitor for or have tight controls around,” Krebs wrote.