In an emergency directive issued within the past few hours, IT staff still manning their posts during the partial US government shutdown are advised to lock down their domain name settings for their .GOVs and other official web addresses.
Uncle Sam’s techies have been told to use fresh, strong passwords for DNS settings, enable multi-factor authentication to thwart unauthorized changes to their domains, make sure web addresses resolve to the correct IP addresses, and monitor logs for signs of shenanigans.
The instructions were issued after Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) became aware of miscreants compromising the DNS infrastructure for “multiple executive branch agencies.” The total number is at least six, according to Washington DC-based CyberScoop.
Earlier this month, infosec biz FireEye reported a very similar domain hijacking campaign, quite possibly orchestrated by Iran, that redirected Middle Eastern government emails through Iranian IP addresses.
Once hackers get hold of DNS account passwords, or brute-force weak ones, they can change name servers, domain and sub-domain records, and MX settings so that netizens connecting to a government website or server are instead redirected to malicious systems that masquerade as the legit site. This allows stuff like emails, usernames, and passwords to be potentially harvested. HTTPS encryption really won’t help, the advisory added, because attackers can obtain valid certificates for the hijacked domain names.
This is why America’s chiefs want agencies – and presumably those following along at home – to use strong passwords and multi-factor authentication for their domain management accounts to prevent domain hijackings. CISA added these DNS joyrides are “a risk that persists beyond the period of traffic redirection.”
Here are the key lines from the directive, and it won’t hurt to implement these yourself:
* Within 10 business days, for all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location. If any do not, report them to CISA.
* Within 10 business days, update the passwords for all accounts on systems that can make changes to your agency’s DNS records.
* Within 10 business days, implement multi-factor authentication (MFA) for all accounts on systems that can make changes to your agency’s DNS records. If MFA cannot be enabled, provide CISA with the names of systems, why it cannot be enabled within the required timeline, and when it could be enabled.
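The first bullet is the one that can be scripted: ask every authoritative and secondary server directly for each record you care about and diff the answers against a written-down baseline. The script below is an added illustration, not part of the directive or any CISA tooling; the domain names, name servers and IP addresses in it are constructed samples, and the `dig_query` helper assumes `dig` is installed (the comparison logic itself takes any query function, so it can be exercised offline).

```python
"""Audit public DNS records on every authoritative/secondary server against
an expected baseline and report any drift (added example, not CISA's code).

The query function is injected so the comparison runs offline; `dig_query`
shells out to `dig`, which is assumed to be on PATH.
"""
import subprocess
from typing import Callable, Dict, List, Set, Tuple

# Baseline: what each record set SHOULD contain. All values are constructed.
EXPECTED: Dict[Tuple[str, str], Set[str]] = {
    ("example-agency.gov", "A"): {"192.0.2.10"},
    ("example-agency.gov", "NS"): {"ns1.example-agency.gov.", "ns2.example-agency.gov."},
    ("example-agency.gov", "MX"): {"10 mail.example-agency.gov."},
    ("www.example-agency.gov", "A"): {"192.0.2.10"},
}

# Every authoritative and secondary server to ask (constructed names).
SERVERS = ["ns1.example-agency.gov", "ns2.example-agency.gov"]

QueryFn = Callable[[str, str, str], Set[str]]


def dig_query(server: str, name: str, rtype: str) -> Set[str]:
    """Ask one server directly, no recursion, and return its answer data."""
    out = subprocess.run(
        ["dig", f"@{server}", name, rtype, "+short", "+norecurse", "+time=3"],
        capture_output=True, text=True, check=False,
    ).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


def sample_query(server: str, name: str, rtype: str) -> Set[str]:
    """Offline stand-in for dig_query: constructed answers in which the
    secondary server has had the www A record swapped to another address."""
    if server == "ns2.example-agency.gov" and (name, rtype) == ("www.example-agency.gov", "A"):
        return {"203.0.113.7"}
    return set(EXPECTED[(name, rtype)])


def audit(expected: Dict[Tuple[str, str], Set[str]],
          servers: List[str], query: QueryFn) -> List[dict]:
    """Compare every (name, type) on every server against the baseline.

    Returns one finding per server whose answer differs from the baseline,
    listing the values it is missing and the values it should not have.
    An empty list means all servers agree with the baseline.
    """
    findings = []
    for (name, rtype), want in expected.items():
        for server in servers:
            got = query(server, name, rtype)
            if got != want:
                findings.append({
                    "server": server, "name": name, "type": rtype,
                    "missing": sorted(want - got),
                    "unexpected": sorted(got - want),
                })
    return findings


if __name__ == "__main__":
    # Swap sample_query for dig_query to run against real servers.
    for f in audit(EXPECTED, SERVERS, sample_query):
        print(f"{f['server']}: {f['name']} {f['type']} "
              f"missing={f['missing']} unexpected={f['unexpected']}")
```

Querying each server directly with `+norecurse` matters: a recursive resolver would hand back a cached answer and hide a change that has only landed on one secondary. Any non-empty finding list is what the directive says to report to CISA.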
Some agencies may struggle somewhat to comply: as you can see, the emergency directive requires these actions to be undertaken within 10 business days, something that may be difficult amid President Trump and Senate majority leader Mitch McConnell (R-KY)’s ongoing partial government shutdown. Last week, Netcraft noted the shutdown had prevented renewal of more than 130 US government-owned TLS certificates.
CISA also said that within 10 business days, it will “begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains, via the Cyber Hygiene service.” Once it starts distributing those logs, agencies are directed to monitor them to spot any certificates they didn’t issue.
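The monitoring step boils down to: for every certificate that appears in CT logs naming one of your domains, check whether it is one you actually requested. The snippet below is an added illustration of that check, not CISA's Cyber Hygiene service or its data format; the CT entries, domains and fingerprints are constructed samples, and the real feed would supply the issuer, subject alternative names and certificate fingerprint for each entry.

```python
"""Flag CT-logged certificates covering agency domains that are not in the
agency's own certificate inventory (added example; all data constructed).
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CertEntry:
    fingerprint: str        # SHA-256 of the DER certificate, hex (constructed)
    issuer: str
    san: Tuple[str, ...]    # subject alternative names from the certificate


# Domains the agency owns (constructed).
AGENCY_DOMAINS: Set[str] = {"example-agency.gov", "example-agency.mil"}

# Fingerprints of certificates the agency knows it requested (constructed).
KNOWN_FINGERPRINTS: Set[str] = {"f1e2d3c4" * 8}

# Constructed CT log entries: one known, one rogue, one unrelated.
SAMPLE_ENTRIES = [
    CertEntry("f1e2d3c4" * 8, "CN=Example Public CA", ("www.example-agency.gov",)),
    CertEntry("0badbeef" * 8, "CN=Example Free CA", ("mail.example-agency.gov", "*.example-agency.mil")),
    CertEntry("12345678" * 8, "CN=Example Public CA", ("unrelated.gov", "evil-example-agency.gov")),
]


def covers_agency_name(name: str, domains: Set[str]) -> bool:
    """True if a SAN entry is an agency domain, a subdomain of one, or a
    wildcard under one. 'evil-example-agency.gov' must NOT match, so the
    suffix test requires a dot before the agency domain."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return any(host == d or host.endswith("." + d) for d in domains)


def unexpected_certs(entries: Iterable[CertEntry], domains: Set[str],
                     known: Set[str]) -> List[CertEntry]:
    """Return every entry that names an agency domain but whose fingerprint
    is not in the inventory of certificates the agency issued."""
    return [
        e for e in entries
        if e.fingerprint not in known
        and any(covers_agency_name(n, domains) for n in e.san)
    ]


if __name__ == "__main__":
    for e in unexpected_certs(SAMPLE_ENTRIES, AGENCY_DOMAINS, KNOWN_FINGERPRINTS):
        print(f"UNEXPECTED {e.fingerprint[:16]}... issuer={e.issuer} san={e.san}")
```

Keying the inventory on the certificate fingerprint rather than on names or issuer is deliberate: an attacker who has hijacked DNS can obtain a perfectly valid certificate from the same CA you use, so the only reliable signal is "we did not request this exact certificate".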
Given the lack of IT staff on hand to do the job, the directive’s requirements are unlikely to be followed through by all departments. Attackers will, no doubt, be banking on Americans being distracted by arguments over a physical wall, allowing the miscreants to slip through the firewalls instead.