On Jan. 22, 2019, the Cybersecurity and Infrastructure Security Agency (CISA), which is a part of the U.S. Department of Homeland Security (DHS), issued Emergency Directive 19-01. The title of the directive is: Mitigate DNS Infrastructure Tampering. A series of actions are required for federal agencies, and here is the background:
“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.”
It was all over the press, but Dan Lohrmann at GovTech had a very good summary. If you want to read more, I suggest you do that here.
What Is DNS Hijacking? Definition.
There are plenty of good articles which explain what Domain Name Systems (DNS) Hijacking is, what it does and the potential impacts. This article from Dark Web News is very helpful, in my opinion. Here are a few small excerpts:
"DNS hijacking, also known as silent server swaps, is a malicious attack vector that can be used to forcibly redirect web traffic to websites that are either fake or different from the ones you’ve requested. ... "
CISA is demanding all agencies audit their DNS records on all .gov and related domains within 10 days to see if they resolve to the intended location, and report any that don’t.
It also wants users to update passwords for any accounts that can change DNS records, and implement multi-factor authentication (MFA) for these, again within the 10-day timeframe.
And as an added measure I would strongly suggest new-school security awareness training—which includes frequent simulated phishing tests—for anyone that holds the keys to the kingdom.
KnowBe4's new Phishing Reply Test (PRT) is a complimentary IT security tool that makes it easy for you to check to see if key users in your organization will reply to a highly targeted phishing attack without clicking on a link. PRT will give you quick insights into how many users will take the bait so you can take action to train your users and better protect your organization from these fraudulent attacks!
PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser: