DHS: Several areas of the US government hit by a serious wave of DNS hijacking




The Department of Homeland Security has issued an emergency directive ordering administrators at most federal agencies to protect their Internet domains from a series of attacks that have hit the websites and mail servers of executive branch agencies in recent weeks.

DHS's Cybersecurity and Infrastructure Security Agency (CISA) released the directive on Tuesday, 12 days after the security company FireEye warned of an unprecedented wave of attacks that altered the Domain Name System records of telecommunications companies, Internet service providers and government agencies. DNS servers act as directories that allow a computer to find other computers on the Internet. By tampering with these records, attackers can potentially intercept passwords, emails, and other sensitive communications.

"CISA is aware of multiple executive branch agency domains affected by the tampering campaign and has notified the agencies that maintain them," Christopher C. Krebs, director of CISA, said Wednesday in the emergency directive. He continued:

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services:

1. The attacker begins by compromising user credentials, or obtaining them through other means, for an account that can make changes to DNS records.

2. Next, the attacker alters DNS records, such as Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This allows them to direct user traffic to their own infrastructure for manipulation or inspection before passing it along to the legitimate service, should they choose to. This creates a risk that persists beyond the period of traffic redirection.

3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

To address the significant and imminent risks that this activity poses to agency information systems, this emergency directive requires the following near-term actions to mitigate the risk from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.

Krebs then asked the administrators to take the following actions over the next 10 business days:

    • audit public DNS records on all authoritative and secondary DNS servers to verify that they resolve to the intended location. If they do not, report them to CISA.
    • update the passwords of all system accounts that can change the agency's DNS records.
    • implement multifactor authentication for all system accounts that can modify the agency's DNS records. If MFA cannot be enabled within 10 business days, administrators must provide CISA with the names of those systems, the reason, and an estimated date for enabling it.
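One way to carry out the record audit the first action calls for, as an added example that is not part of the article or of the directive: it compares what each name server actually returns for the A, MX and NS records with an expected baseline and reports every deviation. The domain, addresses and the `fake_resolver` stand-in are constructed for the example; a real audit would query each server directly (for instance with dnspython) instead.

```python
"""Offline DNS-record audit (added example): compare what each authoritative
server serves for A, MX and NS records against an expected baseline."""
from typing import Callable, Dict, List, Set, Tuple

Key = Tuple[str, str]            # (owner name, record type)
Resolver = Callable[[str, str, str], Set[str]]

# Baseline of what the records *should* be. Constructed placeholder values.
EXPECTED: Dict[Key, Set[str]] = {
    ("agency.example", "A"):  {"192.0.2.10"},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
}

# Constructed answers "served" by two name servers. ns2 has been tampered
# with: its A and MX records point somewhere other than the baseline.
SAMPLE_ANSWERS: Dict[str, Dict[Key, Set[str]]] = {
    "ns1.agency.example.": dict(EXPECTED),
    "ns2.agency.example.": {
        ("agency.example", "A"):  {"198.51.100.77"},
        ("agency.example", "MX"): {"10 mx.rogue-placeholder.example."},
        ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    },
}

def fake_resolver(server: str, name: str, rtype: str) -> Set[str]:
    """Stand-in for querying `server` directly; a real audit would use
    e.g. dnspython against the server's IP so caches cannot mask the answer."""
    return SAMPLE_ANSWERS[server].get((name, rtype), set())

def audit(expected: Dict[Key, Set[str]], servers: List[str],
          resolve: Resolver) -> List[dict]:
    """Return one finding per (server, record set) that deviates from baseline."""
    findings = []
    for server in servers:
        for (name, rtype), want in expected.items():
            got = resolve(server, name, rtype)
            if got != want:
                findings.append({"server": server, "name": name, "type": rtype,
                                 "unexpected": sorted(got - want),
                                 "missing": sorted(want - got)})
    return findings

if __name__ == "__main__":
    for f in audit(EXPECTED, list(SAMPLE_ANSWERS), fake_resolver):
        print(f"{f['server']} {f['name']} {f['type']}: "
              f"unexpected={f['unexpected']} missing={f['missing']}")
```

Querying every authoritative and secondary server individually, rather than a recursive resolver, matters because a single tampered server can serve bad answers only to the fraction of clients that happen to reach it.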

The CISA directive makes no mention of the partial government shutdown. As Ars reported on Thursday, the shutdown has taken a toll on US government IT workers, many of whom are responsible for securing networks. (After this post went live, it was widely reported that President Trump had agreed to a deal that would reopen the government until at least February 15.) Krebs also did not identify which executive branch agency domains have been affected by the hijacking attacks.

The attacks are serious because attackers can obtain browser-trusted TLS certificates for the hijacked domains. This allows the interception to occur without any obvious sign that something is wrong. For more details on how the attacks work, see Ars' earlier coverage mentioned above.
