DHS issued an Emergency Directive on January 22nd to government agencies in response to reports of compromised registrar and DNS accounts.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of multiple executive branch agency domains that were impacted by a tampering campaign and has notified the agencies that maintain them.
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
- The attacker begins by compromising, or otherwise obtaining, the credentials of an account that can make changes to DNS records.
- Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
- Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
To address the significant and imminent risks to agency information and information systems presented by this activity, the emergency directive requires actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.
Agencies have ten days to complete the following mitigating activities:
- Action One: Audit DNS Records
- Action Two: Change DNS Account Passwords
- Action Three: Add Multi-Factor Authentication to DNS Accounts
- Action Four: Monitor Certificate Transparency Logs
Agencies shall provide information to CISA per the schedule below:
- January 25, 2019: Submit Status Report
- February 5, 2019: Submit Completion Report for all actions detailed above
Beginning February 6, 2019, the CISA Director will engage Chief Information Officers (CIO) and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have not completed required actions, as appropriate, to ensure their most critical federal information systems are adequately protected. By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying agency status and outstanding issues.
This Emergency Directive remains in effect until replaced by a subsequent Binding Operational Directive or terminated through other appropriate action.