The U.S. government may be shut down, but cyber criminals aren’t. Yesterday, the Department of Homeland Security issued an emergency directive to civilian agencies that requires immediate action to mitigate the impact of a global Domain Name System (DNS) hijacking campaign.
On January 22, Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), issued a letter that warned of “multiple executive branch agency domains that were impacted by the tampering campaigns and has notified the agencies that maintain them." The DHS warning follows an earlier report from FireEye describing a wave of DNS hijacking attacks targeting victims in North America, Europe, the Middle East and North Africa.
According to Threat Post, “DNS hijacking is a type of malicious attack in which an individual redirects queries to a domain name server via overriding a computer’s transmission control protocol/internet protocol (TCP/IP) settings – generally by modifying a server’s settings.” In this campaign the tampering happened at the registrar or DNS provider, not on victims' computers: the attackers changed the authoritative records for the target domains, so every resolver on the Internet handed back the attackers' addresses.
These DNS hijacking attacks let criminals redirect and intercept web and mail traffic by pointing a domain's records at an address they control. Because public certificate authorities validate domain ownership by querying DNS or by connecting to whatever address DNS returns, an attacker who controls the records can then obtain a valid TLS certificate for the domain and decrypt the traffic they redirect. Worse, these certificates are not forgeries: they are issued by a trusted CA, so browsers establish the connection without any certificate error. The only outward trace is the new entry in the Certificate Transparency logs.
In the emergency directive, Krebs outlines in more detail how the DNS attacks are perpetrated:
The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
The emergency directive requires “near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.” CISA gives agencies 10 business days to audit their public DNS records on authoritative and secondary DNS servers, change the passwords of every account that can modify DNS records, add multi-factor authentication to those accounts, and monitor Certificate Transparency logs for certificates on their domains that they did not request.
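The two detection steps in that list, auditing DNS records against a known-good baseline and watching Certificate Transparency for certificates nobody requested, are easy to script. The following Python is an added example written for this post; it is not code from CISA, the directive, or Venafi. All hostnames, addresses, serial numbers and log entries are constructed sample data so the script runs offline, and the CT entries follow the field layout of crt.sh's JSON output, which is an assumption about that service. In practice you would fill OBSERVED_RECORDS from queries sent directly to each authoritative and secondary name server (for example `dig @ns1.example.gov www.example.gov A +norecurse`) rather than through a recursive resolver, and CT_ENTRIES from a CT log or aggregator.

```python
"""Offline DNS-baseline audit and Certificate Transparency check.

Added example for this post, not part of the DHS directive or any vendor tool.
All data below is constructed: example.gov names, RFC 5737 test addresses and
invented serial numbers. The CT entry field names follow crt.sh's JSON API
(an assumption); the values are made up.
"""
from datetime import datetime, timezone

# Date of the directive, used as "now" for the certificate validity check.
DIRECTIVE_DATE = datetime(2019, 1, 22, tzinfo=timezone.utc)

# Baseline of expected public records from change-controlled inventory (constructed).
EXPECTED_RECORDS = {
    ("www.example.gov", "A"): {"192.0.2.10"},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}

# What today's audit queries returned (constructed). The web host's A record now
# points at 198.51.100.7, an address outside the organisation's space: this is
# exactly the change the directive describes.
OBSERVED_RECORDS = {
    ("www.example.gov", "A"): {"198.51.100.7"},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}


def audit_dns(expected, observed):
    """Compare observed record sets with the baseline.

    Returns a list of (name, rtype, missing_values, unexpected_values) for each
    (name, rtype) whose value set differs. A record set that vanished and one
    that appeared out of nowhere are both reported, since attackers add records
    (e.g. a new NS) as well as replace them.
    """
    findings = []
    for key in sorted(set(expected) | set(observed)):
        exp = expected.get(key, set())
        obs = observed.get(key, set())
        if exp != obs:
            findings.append((key[0], key[1], sorted(exp - obs), sorted(obs - exp)))
    return findings


# Serial numbers of every certificate the organisation knowingly requested
# (constructed). Any unexpired certificate for our names not in here needs explaining.
INVENTORY_SERIALS = {"04a1b2c3d4e5f60718293a4b5c6d7e8f9a0b"}

# CT log entries for the domain (constructed, crt.sh-style field names assumed).
CT_ENTRIES = [
    {"serial_number": "04a1b2c3d4e5f60718293a4b5c6d7e8f9a0b",
     "issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "name_value": "www.example.gov\nexample.gov",
     "not_before": "2018-06-01T00:00:00", "not_after": "2020-06-01T00:00:00"},
    # Expired years ago: not in inventory, but cannot impersonate us today.
    {"serial_number": "00aa11bb22cc33dd44ee55ff66778899aabbccdd",
     "issuer_name": "C=US, O=Example CA, CN=Example CA R2",
     "name_value": "www.example.gov",
     "not_before": "2015-01-01T00:00:00", "not_after": "2016-01-01T00:00:00"},
    # Issued this month for the mail host, not in inventory: investigate.
    {"serial_number": "0fedcba9876543210fedcba9876543210fedcba",
     "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "mail.example.gov",
     "not_before": "2019-01-10T00:00:00", "not_after": "2019-04-10T00:00:00"},
]


def unexpected_certificates(entries, inventory_serials, now):
    """Return CT entries still valid at `now` whose serial is not in inventory.

    Serials are compared lower-cased and without leading zeros because CT
    front-ends and inventory tools disagree on how they print them.
    """
    known = {s.lower().lstrip("0") for s in inventory_serials}
    suspicious = []
    for entry in entries:
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        if not_after < now:
            continue  # expired: no longer usable against us
        if entry["serial_number"].lower().lstrip("0") in known:
            continue  # we asked for this one
        suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    for name, rtype, missing, unexpected in audit_dns(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"DNS {name} {rtype}: missing={missing} unexpected={unexpected}")
    for e in unexpected_certificates(CT_ENTRIES, INVENTORY_SERIALS, DIRECTIVE_DATE):
        print(f"CT: unexplained certificate {e['serial_number']} for "
              f"{e['name_value'].splitlines()} issued by {e['issuer_name']}")
```

Run as written, the script reports the hijacked A record and the one unexplained, still-valid certificate. Querying the authoritative servers directly matters: if an NS record has been hijacked, a recursive resolver will cheerfully return the attacker's answers and the audit will compare the wrong data against the baseline.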
Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, cautions, “This warning from the DHS demonstrates a rising tide of encryption attacks that can no longer be ignored. Attackers are essentially going after the system of trust that underpins security for the Internet: machine identities, such as TLS keys and certificates. Ultimately, if attackers can break DNS, steal TLS keys or misuse certificates, any government can be spoofed, and their private communications exposed. And, research from FireEye shows us that these attacks are being exploited now.”
Identifying anomalous certificates in Certificate Transparency logs is hard for an agency that lacks a complete and accurate inventory of its own machine identities: without a list of the certificates it requested, it cannot tell which logged certificates it did not. The recent examples of untracked or unmanaged certificates expiring at federal agencies during the government shutdown show how incomplete those inventories are.
“The urgency of this DHS warning makes it clear that our government is vulnerable to attackers targeting machine identities,” notes Bocek. “Even though most agencies are working with a very limited staff due to the shutdown, this warning makes it clear that they need to use their limited resources to make sure they have good intelligence on how their TLS keys and certificates are being used internally as well as a clear understanding of how they are being used across the Internet. They also need to make sure their private keys are secure and have the ability to change them quickly.”
Can your organization quickly identify vulnerable machine identities?