The U.S. government may be shut down, but cyber criminals aren’t. Yesterday, the Department of Homeland Security issued an emergency directive to civilian agencies that requires immediate action to mitigate the impact of a global Domain Name System (DNS) hijacking campaign.
On January 22, Christopher Krebs, Director of the Cyber Security and Infrastructure Security Agency (CSISA) issued a letter that warned of “multiple executive branch agency domains that were impacted by the tampering campaigns and has notified the agencies that maintain them." The DHS warning follows an earlier warning from FireEye which indicated a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa.
According to Threat Post, “DNS hijacking is a type of malicious attack in which an individual redirects queries to a domain name server via overriding a computer’s transmission control protocol/internet protocol (TCP/IP) settings – generally by modifying a server’s settings.”
These DNS hijacking attacks would allow criminals to redirect and intercept web and mail traffic by directing traffic to a controlled address. They could then obtain encryption certificates that would allow them to decrypt and read incoming traffic. Even worse, these fraudulent certificates would allow browsers to establish a connection without any certificate errors as the certificate would be trusted.
In the emergency directive, Krebs outlines in more detail how the DNS attacks are perpetrated:
The emergency directive requires “near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.” CISA is giving agencies 10 business days to audit public DNS records and secondary DNS servers, update passwords for all accounts on systems that can change DNS records, add multi-factor authentication and monitor certificate transparency logs.
Kevin Bocek, vice president of security strategy and threat intelligence for Venafi cautions, “This warning from the DHS demonstrates a rising tide of encryption attacks that can no longer be ignored. Attackers are essentially going after the system of trust that underpins security for the Internet: machine identities, such as TLS keys and certificates.Ultimately, if attackers can break DNS, steal TLS keys or misuse certificates any government can be spoofed, and their private communications exposed. And, research from FireEye show us that these attacks are being exploited now.”
Identifying anomalous certificates may be a challenge for agencies that do not have a complete and accurate inventory of their entire population of their machine identities. This has been evidenced by recent examples of untracked or unmanaged certificates expiring at federal agencies during the government shutdown.
“The urgency of this DHS warning makes it clear that our government is vulnerable to attackers targeting machine identities,” notes Bocek. “Even though most agencies are working with a very limited staff due to the shutdown, this warning makes it clear that they need to use their limited resource to make sure they have good intelligence on how their TLS keys and certificates are being used internally as well as a clear understanding of how they are being used across the Internet. They also need to make sure their private keys are secure and have the ability to change them quickly.”
Can your organization quickly identify vulnerable machine identities?