The US Department of Homeland Security (DHS) has published today an "emergency directive" containing guidance related to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran.
The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed.
The DHS document also urges government IT personnel to monitor Certificate Transparency (CT) logs for TLS certificates newly issued for government domains that no government worker requested. Such a certificate is a sign that a malicious actor has hijacked the domain's DNS records and is now obtaining TLS certificates in its name, so that a malicious clone of the site can present a valid certificate to visitors.
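The two checks above (audit DNS records for unauthorized edits, watch CT logs for certificates nobody requested) can be scripted. The Python below is an added illustration written for this article, not code from the DHS directive or from FireEye. All of the data in it is constructed: the baseline and "observed" DNS records, the certificate inventory, and the CT export, whose field names (`serial_number`, `issuer_name`, `name_value`, `not_before`) are assumed to loosely follow the shape of crt.sh's JSON output. In practice the observed records would come from queries against the authoritative servers and the CT entries from a CT monitor or crt.sh.

```python
"""Two baseline checks in the spirit of the DHS directive:
1. diff the DNS records currently published against a known-good inventory;
2. flag CT-logged certificates covering our domains that our own
   certificate team never requested.
All data here is constructed for the example."""
import json

# Constructed baseline: the records the agency believes it published,
# keyed by (owner name, record type).
BASELINE = {
    ("mail.example.gov", "A"): {"203.0.113.10"},
    ("mail.example.gov", "MX"): {"10 mail.example.gov."},
    ("www.example.gov", "A"): {"203.0.113.20"},
}

# Constructed "observed" records, as a query against the authoritative
# servers would return them today. mail.example.gov now resolves to an
# address the agency does not own (the hijack pattern FireEye described),
# and a vpn record nobody added has appeared.
OBSERVED = {
    ("mail.example.gov", "A"): {"198.51.100.7"},
    ("mail.example.gov", "MX"): {"10 mail.example.gov."},
    ("www.example.gov", "A"): {"203.0.113.20"},
    ("vpn.example.gov", "A"): {"198.51.100.8"},
}

# Constructed CT export; field names assumed to resemble crt.sh JSON.
# The second entry is a certificate for the mail host that the agency's
# certificate team has no record of requesting.
CT_LOG_EXPORT = json.dumps([
    {"serial_number": "04a1b2c3d4e5f60718293a4b5c6d7e8f",
     "issuer_name": "C=US, O=Contracted CA, CN=Contracted CA Issuing 1",
     "name_value": "www.example.gov",
     "not_before": "2018-12-01T00:00:00"},
    {"serial_number": "0f3c9e8d7b6a5f4e3d2c1b0a99887766",
     "issuer_name": "C=US, O=Some Public CA, CN=Some Public CA Authority",
     "name_value": "mail.example.gov\nwebmail.example.gov",
     "not_before": "2019-01-15T09:12:00"},
])

# Constructed inventory of serial numbers the certificate team knows about.
KNOWN_SERIALS = {"04a1b2c3d4e5f60718293a4b5c6d7e8f"}
MONITORED_DOMAINS = {"example.gov"}


def diff_dns_records(baseline, observed):
    """Return one finding per (name, type) whose record set differs from
    the baseline, including records present on only one side."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        actual = observed.get(key, set())
        if expected != actual:
            findings.append({"name": key[0], "type": key[1],
                             "expected": sorted(expected),
                             "actual": sorted(actual)})
    return findings


def covers_monitored_domain(name, monitored):
    """True if a certificate name (possibly a wildcard) is a monitored
    domain or a subdomain of one."""
    host = name.lower().strip().lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in monitored)


def unexpected_certs(ct_json, monitored, known_serials):
    """Flag CT entries that cover a monitored domain but whose serial
    number is absent from the agency's certificate inventory."""
    flagged = []
    for entry in json.loads(ct_json):
        # crt.sh-style exports list all SANs newline-separated in one field
        names = [n.strip() for n in entry["name_value"].split("\n") if n.strip()]
        if not any(covers_monitored_domain(n, monitored) for n in names):
            continue
        if entry["serial_number"].lower() in known_serials:
            continue
        flagged.append({"serial": entry["serial_number"],
                        "issuer": entry["issuer_name"],
                        "names": names,
                        "not_before": entry["not_before"]})
    return flagged


if __name__ == "__main__":
    for f in diff_dns_records(BASELINE, OBSERVED):
        print("DNS mismatch:", f)
    for c in unexpected_certs(CT_LOG_EXPORT, MONITORED_DOMAINS, KNOWN_SERIALS):
        print("Unrequested certificate:", c)
```

Matching on serial number rather than on subject names is deliberate: an attacker who has hijacked DNS can obtain a certificate with exactly the names the agency already uses, so only an inventory of what the agency itself requested tells the two apart.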
The emergency directive follows an alert about ongoing DNS hijacking attacks that the DHS issued last week through its US-CERT division.
That US-CERT alert was based on a report published last week by US cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign in which a cyber-espionage group believed to operate out of Iran manipulated DNS records for the domains of private companies and government agencies.
The purpose of these DNS hijacks was to redirect traffic meant for the companies' and agencies' internal email servers to malicious clones, where the Iranian hackers recorded login credentials.
According to FireEye, the suspected Iranian group changed the DNS records after breaking into the victims' web hosting or domain registrar accounts. From there they pointed the records for official websites at servers they controlled, collected login details from users who landed on the clones, and then relayed the traffic on to the victim's legitimate site.
According to a Cyberscoop report from earlier today, the DHS is currently aware of at least six civilian agency domains that have been impacted by DNS hijacking attacks.
Now, DHS officials want to know the impact of this campaign on all US government agencies, and are giving agencies 10 business days (two weeks) to complete a four-step action plan detailed in the directive.