DHS Emergency Directive Looks to Block Iranian DNS Threat

The US Department of Homeland Security (DHS) has taken the unusual step of issuing an emergency directive demanding government agencies take urgent action to protect DNS infrastructure, in response to a major attack campaign.

The Mitigating DNS Infrastructure Tampering directive was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and details the modus operandi of recently reported Iranian activity designed to intercept and redirect web and mail traffic.

The attackers are said to obtain or compromise user credentials to make changes to DNS records, directing users to their own infrastructure for “manipulation or inspection” before sending them on to the legitimate service.

“Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names,” the directive continued. “This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”

This activity has been observed affecting multiple domains run by executive branch agencies, it claimed.

CISA is demanding all agencies audit their DNS records on all .gov and related domains within 10 days to see if they resolve to the intended location, and report any that don’t.

It also wants users to update passwords for any accounts that can change DNS records, and implement multi-factor authentication (MFA) for these, again within the 10-day timeframe.

CISA also gave notice of a new Certificate Transparency initiative in which agencies will have to participate, monitoring CT log data for certificates issued for their domains that they did not request.
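As an added example, not code from the directive or the article, the following Python sketches the two audit steps described above offline: comparing observed DNS answers against an approved baseline, and checking Certificate Transparency entries against the agency's own record of requested certificates. Every domain, address, issuer and fingerprint in it is a constructed sample value.

```python
"""Added example, not from the directive or the article: an offline check that mirrors
two of CISA's steps, comparing observed DNS answers against an approved baseline and
flagging Certificate Transparency entries nobody requested. All domains, addresses,
issuers and fingerprints are constructed sample values."""
from collections import namedtuple

# Constructed baseline: the answers each record is *intended* to return.
EXPECTED_RECORDS = {
    ("www.agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("mail.agency.example", "A"): {"192.0.2.25"},
}
# Constructed audit results. The MX record has been repointed so that inbound
# mail is relayed through infrastructure the agency does not control.
OBSERVED_RECORDS = {
    ("www.agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "MX"): {"10 relay.unknown-host.example."},
    ("mail.agency.example", "A"): {"192.0.2.25"},
}

def audit_dns_records(expected, observed):
    """Return (name, rtype, expected, observed) for every record whose observed
    answer set differs from the baseline; a missing record is reported as []."""
    findings = []
    for (name, rtype), want in sorted(expected.items()):
        got = observed.get((name, rtype), set())
        if got != want:
            findings.append((name, rtype, sorted(want), sorted(got)))
    return findings

# Minimal view of a CT log entry: leaf certificate fingerprint, covered names, issuer.
CTEntry = namedtuple("CTEntry", "fingerprint names issuer")
# Constructed CT entries for the agency's domains. Only the first fingerprint is
# in the agency's own change-management record of certificates it requested.
CT_ENTRIES = [
    CTEntry("fp-0001", ("www.agency.example",), "Example Public CA"),
    CTEntry("fp-0002", ("mail.agency.example", "agency.example"), "Example Public CA"),
    CTEntry("fp-0003", ("www.other.example",), "Example Public CA"),
]
REQUESTED_FINGERPRINTS = {"fp-0001"}
MONITORED_SUFFIXES = ("agency.example",)

def find_unrequested_certs(entries, requested, suffixes):
    """Return CT entries that cover a monitored domain (exact or subdomain match)
    but whose fingerprint is absent from the record of requested certificates."""
    def covers(name):
        return any(name == s or name.endswith("." + s) for s in suffixes)
    return [e for e in entries
            if e.fingerprint not in requested and any(covers(n) for n in e.names)]
```

In practice the observed records would come from a resolver query run from outside the agency's network, and the CT entries from a log monitor feed; the comparison logic stays the same.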

The urgent nature of the directive points to its criticality at a time when the government remains mired in the longest shutdown on record over President Trump’s border wall demands.

In early January, FireEye detailed the cause of the problem, a global DNS hijacking campaign traced back to Iran targeting “dozens” of domains run by government, telecommunications and internet infrastructure providers in the Middle East and North Africa, Europe and North America.

It’s thought that confidential information from Middle East governments may be the ultimate target of the operation.
