The Homeland Security Department issued an emergency cybersecurity directive Tuesday to all federal agencies warning of a critical weakness and giving departments less than two weeks to act.
The newly named Cybersecurity and Infrastructure Security Agency, formerly the National Protection and Programs Directorate, issued a sweeping emergency directive requiring agencies to take several steps to secure their records in the Domain Name System, the global directory that maps domain names to the servers that handle a domain's web, mail and other traffic.
Using administrative credentials stolen elsewhere, for example for a domain registrar or DNS hosting account, attackers can log in to an organization's DNS records and change key entries such as A, NS and MX records so that traffic for the organization's names is routed through a server the attacker controls. Once set up as a man-in-the-middle, the attackers can read and alter traffic in transit and harvest the credentials users submit, and because controlling a name is enough to obtain a valid TLS certificate for it from a public certificate authority, they can decrypt the intercepted sessions without triggering browser warnings.
Researchers have seen this technique in use in recent weeks against governments and communications infrastructure in North America, as well as in Europe, the Middle East and North Africa.
Cybersecurity researchers at FireEye reported the attacks to Homeland Security in early January. While researchers were not able to tie the attacks to a specific group, “initial research suggests the actor or actors responsible have a nexus to Iran,” they wrote in a Jan. 9 blog post.
“While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale,” researchers said.
The directive issued Tuesday includes a link to a US-CERT alert that cites the current research from FireEye and research from Cisco Talos Intelligence posted in November.
Ben Read, a senior manager at FireEye, said the company worked with a number of Middle Eastern governments affected by the campaign and offered an example of what one went through.
“All of the mail traffic for this Middle Eastern government went to this actor-controlled machine where the bad guys were able to read all of it. But they then forwarded it on to the government machine where it was supposed to go. So, for users it didn’t look like anything was wrong,” he told Nextgov.
“It’s a really big deal if this is used because they essentially get all email traffic, if they do it right. It’s not like, ‘Oh, they got onto one machine and got one dude’s files.’ If you’re intercepting all the files that are going to a [mail exchanger] record, for example, you could read all of a domain’s emails.”
Not only that, but once a DNS record has been redirected to an attacker's machine, the attackers no longer need to run anything malicious on the targeted system itself.
“This information is getting intercepted and stolen when it’s outside your network—when it’s transiting,” Read explained. “My anti-virus isn’t going to fire and there’s nothing on the government server itself that is going to be inherently malicious. It’s just getting intercepted in the middle, taking advantage of what is a blind spot.”
Read clarified that this technique is not a zero-day (a term for a newly discovered flaw that has no fix yet) but has been possible for the life of the internet.
“This attack, in theory, could have been done 20 years ago,” he said. “We’ve seen incidents of it before. … But the breadth of [this latest attack], we, at least, haven’t seen before.”
Tuesday’s directive gives agencies until Feb. 5 to tick through four required actions:
- Audit public DNS records on all authoritative and secondary DNS servers to ensure each name resolves to the intended location and has not been hijacked.
- Change passwords on all accounts that can make changes to the agency’s DNS records.
- Add multifactor authentication to those accounts to prevent future compromise.
- Monitor certificate transparency logs for certificates issued for agency domains that the agency did not request, since an attacker who controls a domain’s DNS can obtain a valid certificate for it; CISA will send agencies the newly logged certificates for their domains, and agencies must flag any they did not ask for.
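As an added example that is not part of the Nextgov article or the directive, the following Python script shows what the first and fourth actions look like in practice: it compares the answers a resolver returns with a known-good baseline of NS, MX and A records, and it scans certificate transparency entries for certificates that name the agency's zone but do not match a serial number the agency actually requested. Every name, address, serial number and log entry is constructed for illustration; in real use the observed answers would come from querying the authoritative and secondary servers (for example with dnspython's dns.resolver.resolve) and the entries from a CT log monitor.

```python
"""Audit DNS records against a known-good baseline and flag certificates in CT logs
that cover agency names but were never requested.

Added example; all names, addresses, serials and log entries are constructed.
"""

# Known-good records the agency keeps out of band (constructed sample values).
# Keys are (owner name, record type); values are the complete expected answer set.
EXPECTED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("mail.example.gov", "A"): {"203.0.113.10"},
    ("www.example.gov", "A"): {"203.0.113.20"},
}

# Answers as a live resolver returned them (constructed). In production these come
# from querying the authoritative and secondary servers and normalising the rdata
# to the same strings. Here the MX and the www A record have been repointed to
# attacker-controlled hosts, the pattern the article describes.
OBSERVED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mx.attacker-controlled.example."},
    ("mail.example.gov", "A"): {"203.0.113.10"},
    ("www.example.gov", "A"): {"198.51.100.7"},
}


def audit_dns(expected, observed):
    """Compare every baseline record set with what the resolver returned.

    Returns one finding per (name, type) whose answer set differs, listing values
    that appeared ("added") and values that vanished ("missing"). A name with no
    answer at all is also a finding: an empty set can mean the record was deleted
    or the zone was delegated elsewhere.
    """
    findings = []
    for (name, rtype), want in expected.items():
        got = set(observed.get((name, rtype), ()))
        if got != want:
            findings.append({
                "name": name,
                "type": rtype,
                "added": sorted(got - want),
                "missing": sorted(want - got),
            })
    return findings


# Zones the agency owns; any certificate naming these or a subdomain is in scope.
AGENCY_ZONES = {"example.gov"}

# Serial numbers of certificates the agency itself requested (constructed).
REQUESTED_SERIALS = {"03:7f:1a:2b", "04:c0:ff:ee"}

# Entries as a CT monitor would deliver them (constructed sample).
CT_ENTRIES = [
    {"serial": "03:7f:1a:2b", "issuer": "DigiCert", "sans": ["www.example.gov"]},
    {"serial": "04:c0:ff:ee", "issuer": "DigiCert", "sans": ["mail.example.gov", "example.gov"]},
    {"serial": "0a:11:ce:55", "issuer": "Let's Encrypt", "sans": ["mail.example.gov"]},  # never requested
    {"serial": "09:88:77:66", "issuer": "Let's Encrypt", "sans": ["*.example.gov.evil.example"]},  # lookalike
    {"serial": "07:22:33:44", "issuer": "DigiCert", "sans": ["www.example.com"]},  # unrelated zone
]


def in_zone(name, zones):
    """True if a SAN (possibly a wildcard) is the zone apex or a subdomain of one of zones."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return any(name == z or name.endswith("." + z) for z in zones)


def unexpected_certs(entries, zones, requested_serials):
    """Return CT entries that cover an agency name but were not requested by the agency."""
    return [
        e for e in entries
        if e["serial"] not in requested_serials
        and any(in_zone(san, zones) for san in e["sans"])
    ]


if __name__ == "__main__":
    for f in audit_dns(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"DNS MISMATCH {f['name']} {f['type']}: added={f['added']} missing={f['missing']}")
    for e in unexpected_certs(CT_ENTRIES, AGENCY_ZONES, REQUESTED_SERIALS):
        print(f"UNREQUESTED CERT serial={e['serial']} issuer={e['issuer']} sans={e['sans']}")
```

The zone check strips wildcard prefixes and matches on label boundaries, so a certificate for a lookalike such as example.gov.evil.example is not mistaken for one covering the agency's zone, while a wildcard for *.example.gov is. Run the audit from a host that queries the authoritative servers directly rather than a caching resolver, since a hijack of the registrar's delegation shows up in the NS answers first.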
Despite being in the midst of a partial shutdown, which includes a lapse in appropriations for the Homeland Security Department, CISA has given agencies three business days to submit an initial status report and 10 business days to complete the four mandatory actions.
The directive also states that CISA Director Chris Krebs will work with department chief information officers at agencies that don’t meet the deadline.
These actions are exactly what the government should be doing to address this vulnerability, Read said. He offered three steps for potentially affected organizations to take: “First, shut off the access and repoint your DNS record where it’s supposed to go. Second is try to make sure that they can’t manipulate it again.”
The DHS directive outlines those first two steps but does not include instructions for remediation if a problem is discovered.
In those cases, the last step is to “figure out what information they got when they were intercepting the traffic” and whether other credentials or data were stolen or altered, he said.
Read said FireEye has not discovered any compromise of U.S. government DNS records. He said that while emergency directives of this sort are rare, it doesn’t necessarily mean the campaign is targeting the U.S. government.
“It could imply a couple of different things,” Read offered. “It could imply there’s been a compromise and they’re really worried about it. Or it could imply they’ve seen evidence—the government has lots of sources—that there’s planning to do this and so they want to get ahead of it.”
CyberScoop broke the news Tuesday of the directive’s impending release.