On Tuesday, DHS issued an emergency directive for government agencies to verify that their DNS records are accurate. According to DHS, a series of incidents have redirected internet and email traffic.
Cyberattacks that target DNS systems are very powerful. Modifying a DNS record gives an attacker access to traffic flowing to a specific website or service or mount effective phishing attacks to collect login credentials.
The attacker can set a different IP address for a domain name than the legitimate IP address, and is undetectable to end users. Even if the domain name is typed correctly in a browser, the victim is shuffled to the bogus service that may looks legit, especially with a newly generated TLS/SSL certificate. The warning is very crucial especially during the government shutdown. Although cybersecurity monitoring services are running, a prolong shutdown will invariably have a long-term effect on readiness.
The recent warning comes after intelligence unit with FireEye and Cisco’s Talos noticed an uptick of DNS-related attacks. Earlier this month, FireEye announced a wave of DNS hijacking attacks that affected government telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. The attackers intended to compromise DNS records in order to capture login and domain credentials; however, FireEye was unable to identify the attackers. Attacks like this are hard to prevent. After the FireEye attack, DHS issued a warning about DNS hijacking. In November 2018, a similar attack occurred in the Middle East.
Call to Action:
It is recommended that government agencies check all authoritative and secondary DNS servers to ensure that records, mail exchange and name server settings are accurate.
Most attackers can change records by snagging the login credentials for DNS accounts and CISA recommends that those passwords be changed often.
A two-factor authentication be enabled for network accounts. In addition, two-factor codes should not be sent over SMS, because attackers could attempt to hijack a phone number through a fraudulent port. Another important tip is to monitor Certificate Transparency logs for new certificates that have been created for government domains.