Skip to main content
banner image
venafi logo

U.S. Department of Homeland Security Issues Emergency Directive on DNS Hijacking Attacks

U.S. Department of Homeland Security Issues Emergency Directive on DNS Hijacking Attacks

DNS hijack
January 23, 2019 | Scott Carter

The U.S. government may be shut down, but cyber criminals aren’t. Yesterday, the Department of Homeland Security issued an emergency directive to civilian agencies that requires immediate action to mitigate the impact of a global Domain Name System (DNS) hijacking campaign.

On January 22, Christopher Krebs, Director of the Cyber Security and Infrastructure Security Agency (CSISA) issued a letter that warned of “multiple executive branch agency domains that were impacted by the tampering campaigns and has notified the agencies that maintain them." The DHS warning follows an earlier warning from FireEye which indicated a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa.

According to Threat Post, “DNS hijacking is a type of malicious attack in which an individual redirects queries to a domain name server via overriding a computer’s transmission control protocol/internet protocol (TCP/IP) settings – generally by modifying a server’s settings.”

These DNS hijacking attacks would allow criminals to redirect and intercept web and mail traffic by directing traffic to a controlled address. They could then obtain encryption certificates that would allow them to decrypt and read incoming traffic. Even worse, these fraudulent certificates would allow browsers to establish a connection without any certificate errors as the certificate would be trusted.

In the emergency directive, Krebs outlines in more detail how the DNS attacks are perpetrated:

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

The emergency directive requires “near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.” CISA is giving agencies 10 business days to audit public DNS records and secondary DNS servers, update passwords for all accounts on systems that can change DNS records, add multi-factor authentication and monitor certificate transparency logs.

Kevin Bocek, vice president of security strategy and threat intelligence for Venafi cautions, “This warning from the DHS demonstrates a rising tide of encryption attacks that can no longer be ignored. Attackers are essentially going after the system of trust that underpins security for the Internet: machine identities, such as TLS keys and certificates.Ultimately, if attackers can break DNS, steal TLS keys or misuse certificates any government can be spoofed, and their private communications exposed. And, research from FireEye show us that these attacks are being exploited now.”

Identifying anomalous certificates may be a challenge for agencies that do not have a complete and accurate inventory of their entire population of their machine identities. This has been evidenced by recent examples of untracked or unmanaged certificates expiring at federal agencies during the government shutdown.

“The urgency of this DHS warning makes it clear that our government is vulnerable to attackers targeting machine identities,” notes Bocek. “Even though most agencies are working with a very limited staff due to the shutdown, this warning makes it clear that they need to use their limited resource to make sure they have good intelligence on how their TLS keys and certificates are being used internally as well as a clear understanding of how they are being used across the Internet. They also need to make sure their private keys are secure and have the ability to change them quickly.”

Can your organization quickly identify vulnerable machine identities?

Related posts

Like this blog? We think you will love this.
Featured Blog

Researchers Find 3,200 Apps Exposing Twitter API Keys, Cite ‘BOT Army’ Threat

Key Findings:

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more