DNS hijack attacks lead to government directive from DHS

The Department of Homeland Security ordered federal agencies to harden their domain name system infrastructure following a DNS hijacking campaign attributed to Iran.

Earlier this month researchers from FireEye reported DNS hijack attacks from around the world that it had been tracking for two years. The attacks were attributed to Iran and targets included government entities.

In reaction, the DHS' Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring government agencies to audit DNS records, change account passwords, add multi-factor authentication (MFA) to DNS accounts and monitor Certificate Transparency (CT) logs. Agencies have until Feb. 5 to submit completion reports proving all actions were done.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi in Salt Lake City, said the time given in the directive was "not nearly enough time -- especially with the current challenges surrounding the partial government shutdown -- for agencies to be successful."

"Strengthening DNS account security might be possible with current resources and existing tools. However, effectively detecting unauthorized malicious digital certificates is a new requirement for agencies. Virtually all cybersecurity professionals will need to develop this new skill and they also need technology to help them detect these across the entire Internet," Bocek said. "Cybersecurity professionals will need additional help deciphering the data on certificate reputation and CT log monitoring to be able to detect these attacks effectively."

Dave Klein, senior director of engineering and architecture at cloud security vendor GuardiCore, agreed that 10 days "will not suffice to comply."

"Each U.S. government agency has its own level of centralized/decentralized control structures, its own aptitudes and its own organizational personality. Even in the most centrally controlled and well-managed agencies, to validate tens of thousands of DNS records, and DNS Primary and Secondary DNS structures looking for rogue records, criminally redirected traffic and even rogue DNS servers and application servers will take well beyond five days," Klein said. "Add on the directive's order to enable two-factor authentication and to thoroughly analyze certificate transparency logs -- this too will take longer, perhaps several weeks."

Officials managing .gov domains were previously ordered to implement two-factor authentication by DotGov, the government domain registrar. The rollout of 2FA occurred from mid-November to this month and the final deadline for the last group of domains in the rollout is set for Feb. 13. It is unclear how many domains have been protected.

The directive also noted that CISA is "aware of multiple executive branch agency domains that were impacted" by the DNS hijack attacks reported and have been notified. However, Klein noted that the directive gives no indication "how long and to what extent the enemy state actor exploited their access."

"With valid certificates and access to DNS, it would not take most state actors much time to spread out into an agency's applications, creating additional administrative accounts and find places to hide," Klein added.

Chris Krebs, director of CISA, admitted on Twitter "that some agencies may have challenges implementing the directive during the ongoing partial government shutdown."

"The directive lays out a set of risk-informed, straightforward, and high impact/low burden actions that agencies must take to harden systems and improve awareness and trustworthiness of key security processes," Krebs tweeted. "These actions are basic good practices for enterprise DNS management. While the Emergency Directive only applies to Federal civilian executive branch agencies, we encourage all organizations to follow suit to prevent DNS hijacking."

Bocek said the private sector needs to learn how to protect against DNS hijack attacks.

"The private sector faces same threats, but none of the security frameworks or industry regulations really spell out what they need to do to protect themselves so at the moment most of them are blissfully ignorant," Bocek said. "Hopefully some will learn from this directive and the recommendations and understand that they need to implement the same security controls, just like federal agencies."

Klein said that many enterprises "mistakenly think that they aren't the targets of such sophisticated attacks."

"The experience shows, time and time again, they also fall prey to similar attacks. Whether a state actor looking for industrial espionage or sophisticated criminal attackers, it occurs all of the time," Klein said. "If you are running a DNS infrastructure, it should be well monitored with periodical assessment DNS records and DNS server infrastructure. It should also utilize two-factor authentication, and, within the DNS server infrastructure, as well as other critical servers, applications and services, be well segmented. Just like in the public sector, you should have tools that help you visualize your application workflows and hunt and detect criminal lateral movement."

On Wednesday, U.S.-CERT released an alert aimed at the private sector, which reiterated the DNS hijack attack mitigations directed by the DHS.