DNS ‘tampering campaign’ takes place amid ongoing government shutdown

The US Department of Homeland Security (DHS) has responded to a wave of DNS tampering attacks by advising government tech workers to lock down systems.

An alert issued on Tuesday by the DHS Cybersecurity and Infrastructure Security Agency (CISA) comes amid an ongoing partial government shutdown, raising questions about whether there’s adequate cover to implement its advice.

In an Emergency Directive, DHS said that “multiple executive branch agency domains that were impacted by the tampering campaign” and is calling on agencies to audit records and lock up DNS accounts by applying multi-factor authentication – both of which measures would seem to entail a fair bit of work.

Unidentified hackers are targeting user credentials in order to alter DNS records, enabling them to redirect traffic to their own infrastructure and either snoop on traffic or (potentially) serve up malware.

The attack would also allow hackers to obtain valid encryption certificates for an organization’s domain names, thereby enabling man-in-the-middle attacks, the DHS warns.

The tactics in play align with reports of a DNS hijacking campaign exposed by FireEye earlier this month, in which attackers were said to be targeting organizations worldwide.

If it’s not part of the same attack, then it features the same tactics. The DHS even includes a link to a US-CERT advisory summarizing FireEye’s research, implying it is indeed the same thing.

FireEye said that “preliminary evidence” suggested the DNS hijacking efforts might be the work of Iran, although its researchers candidly admitted they’d hadn’t yet positively confirmed the hacking group involved.

Whoever might be behind the attacks if, of course, secondary to thwarting the ongoing problem.

The DHS is asking for defenses to be put in place within 10 business days. Status reports need to be submitted back by February 5, a tight deadline even without factoring in the ongoing US government shutdown, a factor independent infosec experts were quick to note.

Kevin Beaumont said: “US gov employees being given 10 days to introduce multi factor auth on all DNS record changes, add auditing, monitor certificate transparency somehow etc. While in a gov shutdown.”

Cricket Liu, the chief DNS architect at Infoblox, told The Daily Swig: “Enabling MFA isn’t usually much work on a per-account basis, but of course the DNS hosting provider or registrar must support it. And if an agency has many accounts, the work adds up.

“Likewise, eyeballing delegation data or A and MX records isn’t too much work on a per-zone basis, at least for someone familiar with what the data should look like. But again, if you need to check many zones, it adds up. I guess that’s a good reason to have a functioning Federal government.”

DNS – sometimes compared to a phone book – is the distributed naming service for the internet. It maps IP addresses to domain names.

Flag Day

In other DNS-related news, special indulgences and workarounds for old or misconfigured DNS servers are due to stop working on February 1.

Vendors and DNS service providers are due to drop support for these workarounds from the start of next month in order to oblige sysadmins to upgrade. Users can test how their domains will perform once the safety net is removed on the DNS Flag Day website.

On or around February 1, vendors and services providers will implement stricter EDNS handling, prompting the need to test for compliance to a technology first introduced in 1999.

Supporting upgrade laggards is holding everyone else back, according to the backers of the DNS Flag Day effort.

“The current DNS is unnecessarily slow and suffers from inability to deploy new features,” they argue.


RELATED ‘Middle-aged’ DNS tech still has legs to kick on