The U.S. government has issued an emergency directive to address ongoing incidents of global Domain Name System (DNS) infrastructure tampering.
According to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), multiple executive branch agency domains have been hit by the tampering campaign, and CISA has notified the agencies that maintain them.
The directive requires Federal agencies to take specific steps and comply with reporting procedures to mitigate risks from undiscovered tampering, prevent illegitimate DNS activity, and detect unauthorized certificates.
CISA is tracking a series of incidents involving DNS infrastructure tampering.
Using the following techniques, attackers have redirected and intercepted web and email traffic, and could do so for other networked services.
1. The attacker begins by compromising the credentials of an account that can make changes to DNS records, or by obtaining such credentials through other means.
2. Next, the attacker alters DNS records, such as Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This lets them direct user traffic to their own infrastructure for manipulation or inspection and, if they choose, pass it on to the legitimate service so the interception goes unnoticed.
3. Because the attacker can set DNS record values, they can also pass a certificate authority's domain-validation checks and obtain valid TLS certificates for the organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain and chains to a trusted authority, end users receive no error warnings. This creates a risk that persists beyond the period of traffic redirection: the certificate remains usable until it expires or is revoked, even after the DNS records are restored.
CISA’s emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.
Action One: Audit DNS Records
Within 10 business days, for all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location. If any do not, report them to CISA.
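The audit in Action One is straightforward to script. The following is an added example, not part of the directive or of any agency's tooling: it compares the answers given by each authoritative and secondary server against the records the agency intends to publish, and goes one step beyond the text by also flagging records on which the servers disagree with each other, since a legitimate change propagates to all of them while a tampered secondary does not. The baseline and the per-server answers are constructed sample data (the 198.51.100.0/24 addresses stand in for attacker infrastructure); in a real audit the answers come from non-recursive queries against every server in the NS set, for example `dig @ns1.example.gov example.gov A +norecurse`, so that a recursive resolver's cache cannot mask the difference.

```python
"""Audit a domain's public DNS records against the intended baseline.

Added example, not part of the CISA directive or any agency tooling. The
expected records and the per-server answers below are constructed sample
data; in a real audit each server's answers are gathered with non-recursive
queries against every authoritative and secondary server.
"""
from __future__ import annotations
from dataclasses import dataclass

# Intended zone content: (owner name, record type) -> set of record data.
# Sets are used because one name may legitimately carry several records.
EXPECTED = {
    ("example.gov.", "A"): {"192.0.2.10"},
    ("example.gov.", "MX"): {"10 mail.example.gov."},
    ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("mail.example.gov.", "A"): {"192.0.2.25"},
}

# Constructed answers from each authoritative server. ns2 has been tampered
# with: the apex A and MX records now point at attacker-controlled hosts and
# an extra name has been added. (198.51.100.0/24 is documentation space.)
OBSERVED = {
    "ns1.example.gov.": {
        ("example.gov.", "A"): {"192.0.2.10"},
        ("example.gov.", "MX"): {"10 mail.example.gov."},
        ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
        ("mail.example.gov.", "A"): {"192.0.2.25"},
    },
    "ns2.example.gov.": {
        ("example.gov.", "A"): {"198.51.100.7"},
        ("example.gov.", "MX"): {"10 mx.198-51-100-8.example."},
        ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
        ("mail.example.gov.", "A"): {"192.0.2.25"},
        ("vpn.example.gov.", "A"): {"198.51.100.9"},
    },
}


@dataclass
class Finding:
    name: str
    rtype: str
    expected: set[str]
    observed: dict[str, set[str]]   # server -> answer set
    bad_servers: set[str]           # servers whose answer differs from the baseline
    kind: str                       # "mismatch" or "unexpected" (name/type not in baseline)
    servers_disagree: bool          # authoritative servers give different answers


def audit_zone(expected, observed) -> list[Finding]:
    """Compare every server's answers with the baseline and with each other."""
    findings = []
    keys = set(expected) | {k for recs in observed.values() for k in recs}
    for name, rtype in sorted(keys):
        want = expected.get((name, rtype), set())
        got = {srv: recs.get((name, rtype), set()) for srv, recs in observed.items()}
        bad = {srv for srv, ans in got.items() if ans != want}
        if not bad:
            continue
        # Disagreement between servers is a tampering signal on its own, even
        # if the baseline is stale: a legitimate change reaches all of them.
        disagree = len({frozenset(ans) for ans in got.values()}) > 1
        kind = "mismatch" if (name, rtype) in expected else "unexpected"
        findings.append(Finding(name, rtype, want, got, bad, kind, disagree))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings as the lines an analyst would paste into a CISA report."""
    lines = []
    for f in findings:
        lines.append(f"{f.kind.upper():10} {f.name} {f.rtype} expected={sorted(f.expected)}")
        for srv in sorted(f.bad_servers):
            lines.append(f"    {srv} answered {sorted(f.observed[srv])}")
        if f.servers_disagree:
            lines.append("    note: authoritative servers disagree with each other")
    return "\n".join(lines) if lines else "all records match baseline"


if __name__ == "__main__":
    print(report(audit_zone(EXPECTED, OBSERVED)))
```

Run against the constructed data, the audit reports the apex A and MX records as mismatched on ns2 and the vpn name as unexpected, while the NS set, which is consistent everywhere, produces no finding. Keep the baseline under version control alongside the zone, so that the audit also catches changes nobody recorded.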
Action Two: Change DNS Account Passwords
Within 10 business days, update the passwords for all accounts on systems that can make changes to your agency’s DNS records.
Action Three: Add Multi-Factor Authentication to DNS Accounts
Within 10 business days, implement multi-factor authentication (MFA) for all accounts on systems that can make changes to your agency's DNS records. If MFA cannot be enabled, provide CISA with the names of the systems, why it cannot be enabled within the required timeline, and when it could be enabled.
Action Four: Monitor Certificate Transparency Logs
Within 10 business days, CISA will begin regular delivery, via its Cyber Hygiene service, of data on certificates newly added to Certificate Transparency (CT) logs for agency domains.
Upon receipt, agencies shall immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA.
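The monitoring step in Action Four comes down to reconciling logged certificates against the agency's own record of what it requested. The following is an added example, not part of the directive and not the Cyber Hygiene feed format, which this page does not describe. The CT entries are constructed; their field names (`issuer_name`, `name_value` with one SAN per line, `serial_number`, `not_before`) are an assumption modelled on the JSON that crt.sh returns, and `parse_feed()` is the one function to adapt to whatever feed the agency actually receives. The example collapses precertificate/certificate pairs that share an issuer and serial, ignores certificates that do not cover an agency name, and flags the rest with a reason, treating wildcards and never-before-seen issuers as worth calling out.

```python
"""Triage Certificate Transparency entries for certificates the agency never requested.

Added example, not from the CISA directive and not the Cyber Hygiene feed
format. The CT entries below are constructed. Their field names are an
assumption modelled on crt.sh JSON output; adapt parse_feed() to your feed.
"""
from __future__ import annotations
import json

# Domains the agency is responsible for. Subdomains are in scope automatically.
AGENCY_DOMAINS = ["example.gov"]

# The agency's own ledger of certificate requests: issuer plus the exact set of
# names requested. A logged certificate is authorized only if both match.
AUTHORIZED_REQUESTS = [
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",
     "names": ["example.gov", "www.example.gov"]},
]

# Constructed CT feed. Entry 2 is the final certificate for entry 1's
# precertificate (same issuer and serial); CT logs commonly contain both.
CT_FEED = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03A1C0FFEE",
     "name_value": "example.gov\nwww.example.gov", "not_before": "2019-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03a1c0ffee",
     "name_value": "www.example.gov\nexample.gov", "not_before": "2019-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Example Trust Inc, CN=Example Trust TLS CA", "serial_number": "0B7F11",
     "name_value": "mail.example.gov", "not_before": "2019-01-12T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "04D2",
     "name_value": "*.example.gov", "not_before": "2019-01-14T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "0909",
     "name_value": "example.com", "not_before": "2019-01-14T00:00:00"},
])


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def in_scope(name: str, agency_domains) -> bool:
    """True if the name (wildcard included) is an agency domain or lies under one."""
    bare = normalize(name)
    if bare.startswith("*."):
        bare = bare[2:]
    return any(bare == d or bare.endswith("." + d) for d in agency_domains)


def parse_feed(feed_json: str) -> list[dict]:
    """Parse the feed and collapse precertificate/certificate pairs by (issuer, serial)."""
    certs = {}
    for e in json.loads(feed_json):
        names = frozenset(normalize(n) for n in e["name_value"].split("\n") if n.strip())
        key = (e["issuer_name"], e["serial_number"].lower())
        certs.setdefault(key, {"issuer": e["issuer_name"], "serial": key[1],
                               "names": names, "not_before": e["not_before"]})
    return list(certs.values())


def find_unauthorized(certs, authorized, agency_domains) -> list[dict]:
    """Return certificates covering agency names that match no recorded request."""
    requests = {(r["issuer"], frozenset(normalize(n) for n in r["names"])) for r in authorized}
    known_issuers = {r["issuer"] for r in authorized}
    flagged = []
    for c in certs:
        scoped = {n for n in c["names"] if in_scope(n, agency_domains)}
        if not scoped or (c["issuer"], c["names"]) in requests:
            continue
        reasons = ["no matching request"]
        if any(n.startswith("*.") for n in scoped):
            reasons.append("wildcard covers every subdomain")
        if c["issuer"] not in known_issuers:
            reasons.append("issuer never used by agency")
        flagged.append({"serial": c["serial"], "issuer": c["issuer"],
                        "names": sorted(scoped), "not_before": c["not_before"],
                        "reasons": reasons})
    return sorted(flagged, key=lambda f: f["not_before"])


if __name__ == "__main__":
    for f in find_unauthorized(parse_feed(CT_FEED), AUTHORIZED_REQUESTS, AGENCY_DOMAINS):
        print(f"{f['not_before']} serial={f['serial']} issuer={f['issuer']}")
        print(f"    names={f['names']} reasons={'; '.join(f['reasons'])}")
```

On the constructed feed this flags the mail.example.gov certificate from an issuer the agency has never used and the `*.example.gov` wildcard from the agency's usual issuer, while the authorized pair and the unrelated example.com certificate produce nothing. Each flagged serial is what the agency would take to the issuing CA for revocation and to CISA, per the directive; a CAA record restricting which CAs may issue for the domain reduces, but does not eliminate, the attacker's options when they control DNS, since they can alter the CAA record too.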