The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has issued a rare emergency directive ordering all federal agencies to secure their DNS infrastructure, in the wake of a mass DNS hijacking campaign.
The directive follows a DHS alert issued last week about ongoing DNS hijacking across the country. Since then, CISA has determined that multiple executive branch agency domains were affected by the tampering campaign, in which the attackers redirected and intercepted web and mail traffic.
DHS did not name the impacted agencies. However, all federal agencies, including the Department of Health and Human Services, must complete the four-step action plan within 10 business days.
First, agencies must audit the DNS records for all .gov and other agency-managed domains on all authoritative and secondary DNS servers, verify that they resolve to the intended locations, and report any that do not to CISA.
“CISA recommends agencies prioritize NS records and those associated with key agency services offered to organizational users and the public (for example, websites that are central to the agency’s mission, MX records, or other services with high utilization),” officials wrote.
Second, agencies must change the passwords on all accounts on systems that can make changes to the agency's DNS records. CISA also recommends the use of password managers to facilitate complex, unique passwords.
Third, multi-factor authentication must be enabled on all accounts that can make changes to DNS records. Where MFA cannot be enabled within the 10-day timeline, the agency must give CISA the names of the affected systems and the reason it cannot be enabled.
Lastly, agencies must monitor certificate transparency (CT) logs for certificates issued for agency domains that the agency did not request, and report any such certificates to CISA. CISA, in turn, will begin regularly delivering newly added CT log entries for agency domains to agencies through its Cyber Hygiene service.
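Steps 1 and 4 of the action plan are checks over data an agency already holds: its intended zone contents and the list of certificates it knowingly requested. The following is an added example written for this page, not code from CISA or from the directive; it runs over constructed records and CT entries (all names, addresses, issuers and serials are hypothetical) and shows the comparison logic, including the NS-then-MX prioritisation the directive recommends, a server that returns no answer at all, and a look-alike domain that must not be counted as part of the zone.

```python
"""Added example (not part of the CISA directive or the article): the two data checks in
the action plan, the record audit (step 1) and the CT log review (step 4), over constructed data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

RecordKey = Tuple[str, str]   # (owner name, record type)
RecordSet = FrozenSet[str]    # rdata strings exactly as a server returns them

# Hypothetical baseline: the records the agency intends to publish for its zone.
BASELINE: Dict[RecordKey, RecordSet] = {
    ("example.gov.", "NS"): frozenset({"ns1.example.gov.", "ns2.example.gov."}),
    ("example.gov.", "A"): frozenset({"192.0.2.10"}),
    ("example.gov.", "MX"): frozenset({"10 mail.example.gov."}),
    ("mail.example.gov.", "A"): frozenset({"192.0.2.25"}),
}

# Constructed answers keyed by the authoritative or secondary server that was queried.
# ns2 has been tampered with: the mail host now resolves to an address the agency does not own.
OBSERVED: Dict[str, Dict[RecordKey, RecordSet]] = {
    "ns1.example.gov.": dict(BASELINE),
    "ns2.example.gov.": {**BASELINE, ("mail.example.gov.", "A"): frozenset({"198.51.100.7"})},
}

# Audit order follows the directive's prioritisation: NS records first, then MX, then the rest.
PRIORITY = {"NS": 0, "MX": 1}


@dataclass(frozen=True)
class Finding:
    server: str
    name: str
    rtype: str
    expected: RecordSet
    actual: Optional[RecordSet]   # None when the server returned no answer for the name/type


def audit_dns(baseline: Dict[RecordKey, RecordSet],
              observed: Dict[str, Dict[RecordKey, RecordSet]]) -> List[Finding]:
    """Compare every baseline record against every server's answer and return the mismatches,
    highest-priority record types first. A missing record is reported with actual=None."""
    findings = []
    for server, answers in observed.items():
        for (name, rtype), expected in baseline.items():
            actual = answers.get((name, rtype))
            if actual != expected:
                findings.append(Finding(server, name, rtype, expected, actual))
    findings.sort(key=lambda f: (PRIORITY.get(f.rtype, 2), f.name, f.server))
    return findings


# Constructed CT log entries, shaped like the JSON crt.sh returns (name_value holds the SANs,
# one per line). The second entry is a certificate nobody at the agency requested; the third is
# for a look-alike domain and must not be treated as belonging to the zone.
CT_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.gov\nwww.example.gov", "serial_number": "03a1f4"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "mail.example.gov", "serial_number": "04b2c8"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.gov.evil.test", "serial_number": "05c3d9"},
]

# Certificates the agency knows it requested, keyed by (issuer, serial) so the same serial
# under a different issuer does not match.
AUTHORIZED = {("C=US, O=Let's Encrypt, CN=R3", "03a1f4")}


def in_zone(san: str, zone: str) -> bool:
    """True if the SAN is the zone apex or a name beneath it. A plain suffix match would also
    accept names such as 'notexample.gov', so the dot is required."""
    san, zone = san.lower().rstrip("."), zone.lower().rstrip(".")
    return san == zone or san.endswith("." + zone)


def unexpected_certificates(entries: List[dict], authorized, zone: str) -> List[dict]:
    """Return CT entries that cover the zone but whose (issuer, serial) the agency did not request."""
    hits = []
    for entry in entries:
        if not any(in_zone(s, zone) for s in entry["name_value"].split("\n")):
            continue
        if (entry["issuer_name"], entry["serial_number"]) not in authorized:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for f in audit_dns(BASELINE, OBSERVED):
        got = sorted(f.actual) if f.actual else "no answer"
        print(f"DNS mismatch on {f.server}: {f.name} {f.rtype} expected {sorted(f.expected)} got {got}")
    for e in unexpected_certificates(CT_ENTRIES, AUTHORIZED, "example.gov"):
        print(f"Unrequested certificate: serial {e['serial_number']} for {e['name_value'].splitlines()}")
```

In practice `OBSERVED` is filled by querying each server in the zone's NS set directly (for example `dig @ns1.example.gov example.gov NS +norecurse`) rather than through a recursive resolver, so a cached or upstream-tampered answer cannot mask what the authoritative server itself is serving; the CT entries come from a log monitor or a crt.sh query for the zone. Keying authorized certificates by issuer and serial, rather than by hostname, is what makes a certificate issued to an attacker for a legitimate agency name show up as unexpected.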
CISA will provide technical assistance to agencies that report suspicious DNS records, and will review the submissions from agencies that cannot enable MFA, providing additional guidance where needed.
The attackers use the tampered DNS records to redirect an agency's web and mail traffic through infrastructure they control and intercept the data passing through it. The initial alert followed a FireEye report that linked the campaign to Iran.
“This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success,” the researchers wrote. “Attribution analysis for this activity is ongoing. While the DNS record manipulations described in this post are noteworthy and sophisticated, they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers.”