Department of Homeland Security Warns About DNS Hijacking


On January 22, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 19-01, outlining steps you can take to mitigate a newly discovered DNS tampering / hijacking threat.

Attackers who capture the credentials of users with authority to change Domain Name System (DNS) records, through phishing or other means, have been redirecting web, email, and potentially other traffic to systems they control. In some instances they intercept the data and can even store and forward it on to the legitimate destination, hiding the malicious activity to avoid or prolong detection by the targeted entity.

At Priasoft, we understand that security is a top concern for IT and are working hard on new security technologies, which we are bringing to market in Q3 2019, that can mitigate this type of threat. We have several security products in development to combat the attack vectors we see as underserved and unprotected, including DNS and email phishing. If you would like to receive early notification as we complete the testing, development, and release cycles, please contact us here.

We have outlined the background from the directive below and encourage administrators who hold credentials to manage DNS to review their key DNS records, change their passwords, and read the DHS directive in full to avoid being compromised by this latest attack technique.

Background from the DHS Directive

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
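The directive's first mitigation is to audit the A, MX and NS records your organization is serving against the values you expect. The script below is an added example of that review step, written for this page; it is not Priasoft's code and not tooling from the DHS directive. The domain, addresses and hostnames are constructed sample data (the `BASELINE` and `OBSERVED_AFTER_TAMPERING` dictionaries are hypothetical), and the only live lookup uses the standard library's `socket.gethostbyname_ex`, which covers A records only.

```python
"""
DNS record drift check for the hijacking pattern described in the directive:
compare the A, MX and NS records currently served for a domain against a
known-good baseline and report anything added or removed. Added example,
not Priasoft's product code; all record values below are constructed.
"""
import socket
from typing import Dict, Iterable, List, Set

# Known-good baseline, as an administrator would record it after a manual
# review. Hypothetical domain and TEST-NET addresses, constructed here.
BASELINE: Dict[str, Set[str]] = {
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.com."},
    "NS": {"ns1.example.com.", "ns2.example.com."},
}

# Constructed snapshot imitating step 2 above: the A record now points at an
# attacker-controlled host and a higher-priority MX record was slipped in, so
# web and inbound mail are both redirected. NS records are unchanged.
OBSERVED_AFTER_TAMPERING: Dict[str, Set[str]] = {
    "A": {"198.51.100.77"},
    "MX": {"10 mail.example.com.", "5 mx.attacker-controlled.example."},
    "NS": {"ns1.example.com.", "ns2.example.com."},
}

# Record types whose unexpected change is the signature of this attack.
WATCHED_TYPES = ("A", "MX", "NS")


def diff_records(baseline: Dict[str, Iterable[str]],
                 observed: Dict[str, Iterable[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {type: {"added": [...], "removed": [...]}} for every record type
    whose observed set differs from the baseline. An empty dict means no drift."""
    drift: Dict[str, Dict[str, List[str]]] = {}
    for rtype in sorted(set(baseline) | set(observed)):
        want = set(baseline.get(rtype, ()))
        got = set(observed.get(rtype, ()))
        if want != got:
            drift[rtype] = {
                "added": sorted(got - want),
                "removed": sorted(want - got),
            }
    return drift


def is_hijack_indicator(drift: Dict[str, Dict[str, List[str]]]) -> bool:
    """True when any watched record type changed without an administrator
    having updated the baseline, the pattern described in steps 1 and 2."""
    return any(rtype in drift for rtype in WATCHED_TYPES)


def observe_a_records(domain: str) -> Set[str]:
    """Live lookup of the A records for `domain` using only the standard library.
    MX and NS lookups need a DNS library or `dig`; this helper covers A only.
    Returns an empty set if the name does not resolve."""
    try:
        _, _, addrs = socket.gethostbyname_ex(domain)
        return set(addrs)
    except OSError:
        return set()


def format_report(drift: Dict[str, Dict[str, List[str]]]) -> str:
    """Human-readable summary of the drift, one line per changed record type."""
    if not drift:
        return "no drift: served records match the baseline"
    lines = ["DNS drift detected (verify each change against your change log):"]
    for rtype, change in drift.items():
        lines.append(f"  {rtype}: added={change['added']} removed={change['removed']}")
    if is_hijack_indicator(drift):
        lines.append("  A/MX/NS changed: treat as possible hijack until confirmed")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshot.
    print(format_report(diff_records(BASELINE, OBSERVED_AFTER_TAMPERING)))
    # For a real review, replace the A entry of a fresh snapshot with a live
    # lookup, e.g. {"A": observe_a_records("www.example.com")}, and keep the
    # baseline under change control so only administrators can update it.
```

Run it on a schedule from a host outside the zone's own resolvers so that a change made at the registrar or DNS provider is caught even when internal caches still return the old values; an unexpected A, MX or NS change is the cue to rotate the DNS account credentials, as the directive instructs, not just to revert the record.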

In closing, attackers are becoming more and more creative in the attacks they mount, and this DNS attack is just one of the many new threat vectors IT needs to monitor and secure. More than ever, IT needs to remain vigilant to avoid becoming the victim of an attack.
