The US Department of Homeland Security (DHS) has issued an emergency directive tightening DNS security after a recent wave of domain hijacking attacks targeting government websites.
Under the directive, which appeared a week after a US-CERT warning on the same topic, admins looking after US .gov domains have until 5 February to do all of the following or explain why they can’t:
- Verify that all important domains are resolving to the correct IP address and haven’t been tampered with.
- Change passwords on all accounts used to manage domain records.
- Turn on multi-factor authentication to protect admin accounts.
- Monitor Certificate Transparency (CT) logs for newly issued TLS certificates that might have been issued by a malicious actor.
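The first and fourth items are the ones an agency can verify mechanically. As an added example (not code from the article, DHS or CISA), the script below checks a set of domains against a baseline of expected records and scans Certificate Transparency entries for certificates from issuers the agency does not use. The DNS answers, the CT entries (in the JSON field layout crt.sh returns), the domain names and the issuer names are all constructed placeholders; a real run would fetch the answers and CT entries live.

```python
"""Added example: offline checks for two steps of the DHS directive,
(1) records still match the agency's baseline and (2) no unexpected
CA has issued a certificate for a monitored name.

All data below is constructed sample data, not real agency records."""
import json
from datetime import datetime

# Constructed baseline: the record sets an agency expects for each name.
EXPECTED_RECORDS = {
    "www.example.gov": {"A": {"192.0.2.10"}, "MX": {"mail.example.gov."}},
    "mail.example.gov": {"A": {"192.0.2.25"}},
}

# Constructed "observed" answers; www's A record has been pointed elsewhere.
OBSERVED_RECORDS = {
    "www.example.gov": {"A": {"198.51.100.7"}, "MX": {"mail.example.gov."}},
    "mail.example.gov": {"A": {"192.0.2.25"}},
}


def find_record_drift(expected, observed):
    """Return (name, rtype, expected, observed) for every record set that
    differs from the baseline. A missing name or type counts as drift."""
    drift = []
    for name, rrsets in expected.items():
        for rtype, want in rrsets.items():
            got = observed.get(name, {}).get(rtype, set())
            if got != want:
                drift.append((name, rtype, sorted(want), sorted(got)))
    return drift


# Constructed CT entries in the field layout crt.sh returns as JSON.
CT_ENTRIES_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.gov",
     "not_before": "2019-01-10T12:00:00"},
    {"issuer_name": "C=US, O=Example Trust Services, CN=Unexpected CA",
     "common_name": "www.example.gov",
     "not_before": "2019-01-21T08:30:00"},
])

# Placeholder: the CA organisations this agency actually obtains certs from.
ALLOWED_ISSUER_ORGS = {"Let's Encrypt"}


def issuer_org(issuer_name):
    """Pull the O= component out of a crt.sh-style issuer string."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return None


def find_unexpected_certs(ct_json, allowed_orgs, since_iso):
    """Return (common_name, issuer, not_before) for every CT entry issued at
    or after `since_iso` whose issuer organisation is not allow-listed."""
    since = datetime.fromisoformat(since_iso)
    suspicious = []
    for entry in json.loads(ct_json):
        if datetime.fromisoformat(entry["not_before"]) < since:
            continue
        if issuer_org(entry["issuer_name"]) not in allowed_orgs:
            suspicious.append(
                (entry["common_name"], entry["issuer_name"], entry["not_before"]))
    return suspicious


if __name__ == "__main__":
    for name, rtype, want, got in find_record_drift(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"DRIFT {name} {rtype}: expected {want}, observed {got}")
    for cn, issuer, when in find_unexpected_certs(
            CT_ENTRIES_JSON, ALLOWED_ISSUER_ORGS, "2019-01-01T00:00:00"):
        print(f"UNEXPECTED CERT for {cn} from '{issuer}' at {when}")
```

The baseline comparison is deliberately strict (set equality per record type): an attacker who adds a second A record or swaps an MX host would be caught as readily as one who replaces the whole set. The CT check keys on the issuer organisation rather than the full issuer string so that routine intermediate-CA rotation at an allowed CA does not raise alerts.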
The warning mentions domain hijacking campaigns publicised by security companies in November and January, only one of which alluded to targets that might include US government sites.
The DHS warning is more specific:
CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.
Separately, the CyberScoop website quoted unnamed sources as telling it that at least six US civilian agencies had been “affected by the recent malicious DNS activity”.
Six agencies is a lot, which underlines why the directive is billed as an emergency.
What is domain hijacking?
Domain hijacking has been a persistent issue in the commercial world for years, a prime example of which would be the attack that disrupted parts of Craigslist in November 2014.
In that incident, as in every successful domain hijacking attack, the attackers took over the account used to manage the domains at the registrar, in this case, Network Solutions.
The objective is to change the records so that instead of pointing to the IP address of the correct website it sends visitors to one controlled by the attackers.
This change could have been made using impersonation to persuade the registrar to change the domain settings or by stealing the admin credentials used to manage these remotely.
It’s a potent attack – web users think they’re visiting the correct website because they’ve typed the correct domain in their address bar and have no reason to doubt where they end up.
For attackers, it’s the perfect crime that avoids the much harder job of having to take over the real website.
DNS hijacking and cache poisoning
DNS can be manipulated in other ways, including DNS hijacking where someone’s browser, computer or home router is compromised to resolve domains via a malicious DNS server, or through cache poisoning in which the same end is achieved either by manipulating address data cached locally on the computer or home router, or at a higher level in the DNS infrastructure itself.
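For the client-side variants in that paragraph, the defender's first question is where a host is actually sending its queries and whether anything local is overriding answers. As an added example (not from the article), the script below audits two such places: the resolver list in a resolv.conf-style file and the hosts file, flagging any nameserver outside an organisation's allow-list and any hosts entry that overrides a monitored name. Both files, the allowed resolver addresses and the domain names are constructed placeholders.

```python
"""Added example: audit local DNS configuration for signs of client-side
hijacking. File contents and addresses below are constructed samples."""
import ipaddress

# Placeholder: the resolvers an organisation operates or sanctions.
ALLOWED_RESOLVERS = {
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("2001:db8::53"),
}

# Constructed resolv.conf; the second nameserver is not on the allow-list.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host's file
nameserver 192.0.2.53
nameserver 203.0.113.66
search example.gov
options ndots:1
"""

# Constructed hosts file with an override for a monitored name.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    localhost
203.0.113.9  www.example.gov
"""


def _strip(line):
    """Drop comments and surrounding whitespace from a config line."""
    return line.split("#", 1)[0].strip()


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text.
    Entries that are not valid IP addresses are returned as raw strings so
    that they are visible to the audit rather than silently dropped."""
    servers = []
    for raw in text.splitlines():
        parts = _strip(raw).split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                servers.append(parts[1])
    return servers


def find_rogue_resolvers(text, allowed):
    """Return, as strings, every configured resolver not in `allowed`."""
    return [str(s) for s in parse_nameservers(text) if s not in allowed]


def find_hosts_overrides(text, monitored_names):
    """Return (name, address) for hosts-file lines that pin a monitored
    name to an address, which bypasses DNS entirely for that name."""
    wanted = {n.lower() for n in monitored_names}
    hits = []
    for raw in text.splitlines():
        parts = _strip(raw).split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in wanted:
                hits.append((name.lower(), addr))
    return hits


if __name__ == "__main__":
    for server in find_rogue_resolvers(SAMPLE_RESOLV_CONF, ALLOWED_RESOLVERS):
        print(f"ROGUE RESOLVER: {server}")
    for name, addr in find_hosts_overrides(SAMPLE_HOSTS, {"www.example.gov"}):
        print(f"HOSTS OVERRIDE: {name} -> {addr}")
```

A router whose upstream resolver has been changed would not show up in the host's own resolv.conf if the host simply points at the router, so the same allow-list check should be applied to the router's WAN-side DNS settings as well.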
Because the US Government manages thousands of domains through a sprawl of devolved agencies, securing them was never going to be easy.
The added complication is the fact that some agencies are short on staff thanks to the partial government shutdown. Tweeted Chris Krebs of the DHS Cybersecurity and Infrastructure Security Agency (CISA) on this issue:
Though we recognize that some agencies may have challenges implementing the directive during the ongoing partial government shutdown, we believe these actions are necessary, urgent, and implementable as most agencies are adequately staffed to take the necessary actions. 6/7— Chris Krebs (@CISAKrebs) January 23, 2019
7 comments on “US gov issues emergency directive after wave of domain hijacking attacks”
So glad Obama gave up US control over ICANN that was just so smart..,. Dumbass.
The control was only partial (and rather loose), and would not have had any effect on something like this. But sure, go off.
Hi Brian. I understand it’s sometimes worrisome to relinquish control to another party, but how did ICANN (mis)management affect this issue? This is more about crappy passwords on GoDaddy accounts.
no pun intended
Governmental web sites are the biggest threat to the national security: a huge open door to almost any sensible information ready to be collected.
Very helpful…I’ve been in the running to become my own domain for some time now and have tried to stay current on events. My biggest issue is entities trying to think for me..these jackers are extremist to say the very least..online support has taken a dark turn…that means we all have to go for the ride with them.
Enable DNSSEC (and other measures). I get all green checks with my (Firefox) browser at this site: https://www.cloudflare.com/ssl/encrypted-sni/
Google’s Chrome browser for Windows does not yet support Encrypted SNI though I do get green checks on the first three tests, including the DNSSEC.
DNSSEC test passing says:
Your resolver validates DNS responses with DNSSEC.
Attackers cannot trick you into visiting a fake website by manipulating DNS responses for domains that are outside their control.