DHS issues security alert concerning recent DNS hijacking attacks


DHS establishes a four-step plan of action to investigate DNS hacks and to secure DNS management accounts.
The US Department of Homeland Security (DHS) today published an “Emergency Directive” containing guidance on a recent report detailing a wave of incidents of DNS hijacking from Iran.

The Emergency Directive requires government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts from which DNS records can be managed.

The DHS documents also urge IT staff to monitor Certificate Transparency (CT) logs for newly issued TLS certificates that cover government domains but were not requested by government employees. Such a certificate is a sign that a malicious actor has hijacked the DNS records of a government domain and is now requesting TLS certificates for it. Following last week’s emergency directive, the DHS issued an alert about ongoing DNS hijack attacks through its US-CERT division.
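The CT log check described above can be illustrated with the following Python example, which is added here and is not code from DHS, US-CERT or FireEye. It compares CT log entries against an inventory of certificates that staff actually requested and reports the rest; the domain names, issuers, serial numbers and the simplified entry format are all constructed for the example.

```python
# Added example. All domains, issuers, serials and log entries are constructed.
MONITORED_DOMAINS = {"agency.example"}
# (issuer, serial) pairs for certificates agency staff actually requested.
REQUESTED = {("Example CA 1", "01A1")}

# Simplified entry shape for illustration; not the schema of any real CT log.
SAMPLE_ENTRIES = [
    {"issuer": "Example CA 1", "serial": "01A1", "kind": "cert", "names": ["www.agency.example"]},
    {"issuer": "Other CA", "serial": "7F03", "kind": "precert", "names": ["mail.agency.example"]},
    {"issuer": "Other CA", "serial": "7F03", "kind": "cert", "names": ["mail.agency.example"]},
    {"issuer": "Other CA", "serial": "7F04", "kind": "cert", "names": ["*.Agency.Example", "cdn.other.example"]},
    {"issuer": "Other CA", "serial": "7F05", "kind": "cert", "names": ["mail.notagency.example"]},
]


def covers_monitored(name, domains):
    """True if a certificate name (exact or wildcard) falls under a monitored domain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Match on a label boundary so notagency.example does not match agency.example.
    return any(name == d or name.endswith("." + d) for d in domains)


def find_unrequested(entries, domains, requested):
    """Return one alert per unrequested certificate naming a monitored domain."""
    alerts = {}
    for entry in entries:
        key = (entry["issuer"], entry["serial"])
        if key in requested:
            continue
        hits = sorted(n.lower() for n in entry["names"] if covers_monitored(n, domains))
        if hits:
            # A precertificate and its final certificate share issuer and serial,
            # so keying on that pair reports the issuance once.
            alerts.setdefault(key, hits)
    return [{"issuer": i, "serial": s, "names": n} for (i, s), n in sorted(alerts.items())]


if __name__ == "__main__":
    for alert in find_unrequested(SAMPLE_ENTRIES, MONITORED_DOMAINS, REQUESTED):
        print("UNREQUESTED CERTIFICATE:", alert)
```

Each reported entry is a lead for the DNS record audit: a certificate nobody requested for a name under the agency's domain means the records for that name should be checked for unauthorized changes.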

The DHS US-CERT warning was based on a report by the US cyber security firm FireEye published last week. The now infamous report detailed a coordinated hacking campaign during which an Iranian cyber espionage group had manipulated DNS records for private companies and government agencies.

The purpose of these DNS hijacks was to redirect web traffic meant for the internal email servers of companies and agencies to malicious clones, where the Iranian hackers recorded login credentials.

According to FireEye, the alleged Iranian group changed DNS records for victim companies and agencies after hacking into web hosting or domain registrar accounts. The attackers modified the DNS records of official websites to point web traffic to their malicious servers, and then redirected the traffic to the victim's legitimate website after collecting login details.

According to a Cyberscoop report from earlier today, at least six civil agency domains affected by DNS hijacking attacks are currently known to the DHS.

Now, DHS officials want to know how this campaign affects all US government agencies and are giving agencies 10 working days (two weeks) to complete a four-step action plan detailed in the directive.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.