Homeland Security’s newly named agency, the Cybersecurity and Infrastructure Security Agency (CISA), issued an emergency directive to executive branch agencies – many of which have personnel on furlough – regarding DNS hijacking.
The issue is not limited to agencies: every company and private individual that owns one or more Internet domains should take immediate action.
CERT’s alert is based, in part, on FireEye’s report issued last week of a coordinated campaign run by state-sponsored hackers, possibly out of Iran, to hijack agency, business and consumer Internet domain names.
Using very traditional phishing techniques, the attackers steal credentials to log in to the victim’s account at domain registrars around the world. Once they have access to the domain administration pages, they can redirect web site visitors and email to servers they control, and use that position to steal credentials from those visitors and email recipients.
After stealing the credentials, the hackers pass the users on to the legitimate web site.
DHS is giving agencies, many of which have very limited staff due to the shutdown, 10 business days to complete an action plan.
There are no consequences if an agency blows off DHS, which many do on a normal day. Under the current circumstances, likely even more will do so. This means, of course, that you should consider any government server suspect, especially if it asks you for a userid and password.
DHS admits that at least 6 agencies have had their DNS records hijacked. There are likely more, some of which, for a variety of reasons, do not know that they have been hijacked.
If you are not a government agency (or even if you are), here are some things that you should do:
- Implement multi-factor authentication on any domain registrar accounts that can control DNS or web site settings. Examples of big domain registrars are Go Daddy, Wix, Hostgator, 1&1 IONOS, Network Solutions and others.
- Verify that existing DNS records for domains and sub-domains have not been altered for any resources.
- Search for SSL/TLS certificates which may have been issued by registrars but not requested by an authorized person. Such certificates would allow an attacker to masquerade as a legitimate version of the web site and steal visitors’ credentials or install malware on visitors’ computers and phones.
- Conduct an investigation to assess if attackers gained access to your environment.
- Validate the source IPs in OWA/Exchange logs.
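One way to carry out the second check above: compare a saved baseline of your zone’s records against what is currently published and rank each change by how much of the zone it can redirect. This is an added example, not code from DHS, CISA or the original post; the zone names, addresses and the plain "name type value" snapshot format are constructed for illustration.

```python
"""Flag DNS records that differ from a known-good baseline.  Records are
'name type value' lines; both snapshots here are constructed sample data."""
from collections import defaultdict

# Changes to these types redirect a whole zone or its mail/web traffic.
SEVERITY = {"NS": "critical", "SOA": "critical", "MX": "high", "A": "high",
            "AAAA": "high", "CNAME": "high"}
RANK = {"critical": 0, "high": 1, "medium": 2}

def parse_records(text):
    """Return {(name, type): set(values)}; '#' starts a comment."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, rtype, value = line.split(None, 2)
            records[(name.lower().rstrip("."), rtype.upper())].add(value)
    return records

def diff_records(baseline, observed):
    """List each (name, type) whose value set differs, critical first."""
    findings = []
    for key in set(baseline) | set(observed):
        before, after = baseline.get(key, set()), observed.get(key, set())
        if before != after:
            findings.append({"name": key[0], "type": key[1],
                             "severity": SEVERITY.get(key[1], "medium"),
                             "added": sorted(after - before),
                             "removed": sorted(before - after)})
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["name"], f["type"]))

BASELINE = """
example.com.      NS   ns1.example-dns.net.
example.com.      NS   ns2.example-dns.net.
example.com.      MX   10 mail.example.com.
www.example.com.  A    203.0.113.10
"""
# Constructed snapshot: one name server and the web host were replaced,
# which is the hijack pattern this post describes.
OBSERVED = """
example.com.      NS   ns1.example-dns.net.
example.com.      NS   ns-rogue.invalid.   # attacker-controlled server
example.com.      MX   10 mail.example.com.
www.example.com.  A    198.51.100.77       # visitors now sent elsewhere
"""

def check_zone(baseline_text=BASELINE, observed_text=OBSERVED):
    """Parse both snapshots and return the ordered list of findings."""
    return diff_records(parse_records(baseline_text), parse_records(observed_text))
```

In practice the observed snapshot should come from querying the parent zone’s delegation and your authoritative servers, and the baseline should be stored outside the registrar account so that a compromised account cannot rewrite both. On the constructed data, check_zone() reports the NS change first (critical) and the www A change second (high).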
Information for this post came from ZDNet and the US Computer Emergency Response Team at Carnegie Mellon.