US gov issues emergency directive after wave of domain hijacking attacks

The US Department of Homeland Security (DHS) has issued an emergency directive tightening DNS security after a recent wave of domain hijacking attacks targeting government websites.

Under the directive, which appeared a week after a US-CERT warning on the same topic, admins looking after US .gov domains have until 5 February to do all of the following or explain why they can’t:

• Verify that all important domains are resolving to the correct IP address and haven’t been tampered with.
• Change passwords on all accounts used to manage domain records.
• Turn on multi-factor authentication to protect admin accounts.
• Monitor Certificate Transparency (CT) logs for newly issued TLS certificates that might have been issued by a malicious actor.

The warning mentions domain hijacking campaigns publicised by security companies in November and January, only one of which alluded to targets that might include US government sites.

The DHS warning is more specific:

CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.

Separately, the CyberScoop website quoted unnamed sources as telling it that at least six US civilian agencies had been “affected by the recent malicious DNS activity”.

Six agencies is a lot, which underlines why the directive is billed as an emergency.

What is domain hijacking?

Domain hijacking has been a persistent issue in the commercial world for years, a prime example of which would be the attack that disrupted parts of Craigslist in November 2014.

In that incident, as in every successful every domain hijacking attack, the attackers took over the account used to manage the domains at the registrar, in this case, Network Solutions.

The objective is to change the records so that instead of pointing to the IP address of the correct website it sends visitors to one controlled by the attackers.

This change could have been made using impersonation to persuade the registrar to change the domain settings or by stealing the admin credentials used to manage these remotely.

It’s a potent attack – web users think they’re visiting the correct website because they’ve typed the correct domain in their address bar and have no reason to doubt where they end up.

For attackers, it’s the perfect crime that avoids the much harder job of having to take over the real website.

DNS hijacking and cache poisoning

DNS can be manipulated in other ways, including DNS hijacking where someone’s browser, computer or home router is compromised to resolve domains via a malicious DNS server, or through cache poisoning in which the same end is achieved either by manipulating address data cached locally on the computer or home router, or at a higher level in the DNS infrastructure itself.

Because the US Government manages thousands of domains through a sprawl of devolved agencies, securing them was never going to be easy.

The added complication is the fact that some agencies are short on staff thanks to the partial government shutdown. Tweeted Chris Krebs of the DHS Cybersecurity and Infrastructure Security Agency (CISA) on this issue:

Though we recognize that some agencies may have challenges implementing the directive during the ongoing partial government shutdown, we believe these actions are necessary, urgent, and implementable as most agencies are adequately staffed to take the necessary actions. 6/7

— Chris Krebs #Protect2020 (@CISAKrebs) January 23, 2019