Special Directive on Domain Name System (DNS) Compromise

Last week the USA’s Department of Homeland Security (DHS) sent out a directive for all agencies to upgrade their Domain Name System (DNS) security in light of a wave of Iranian hack attempts specifically targeted at compromising DNS.

The compromise

The Iranian cyber-criminals attempted (it’s unknown if they succeeded), to figure out through DNS records who the registrar of the DNS for the specific agencies was and then attempted to crack the credentials to be able to administer the DNS zones. If successful they could then forward all traffic from the zones to their own networks, copy all the data, and then forward the traffic back to its intended destination so as not to cause any alarm.

This would allow them a wealth of information. At a minimum it would help them discover who is communicating with the agency, but it’s highly likely they would get even more value, for example any communications not encrypted could be read, and if encrypted the encryption could be attempted to be cracked, potentially password hashes could be discovered and cracked gaining the criminals deeper access to sensitive agency information.

New and inventive?

Wow, some may think ‘how ingenious’. Not really,.  Back in September of 2017 the exact same thing happened to Fox-IT, a cybersecurity vendor. Fox-IT reported “In the early morning of September 19 2017, an attacker accessed the DNS records for the Fox-IT.com domain at our third party domain registrar. The attacker initially modified a DNS record for one particular server to point to a server in their possession and to intercept and forward the traffic to the original server that belongs to Fox-IT. This type of attack is called a Man-in-the-Middle (MitM) attack. The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack.”

You can read more about the incident here https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/

At that point one would think the alarm would be raised to do what the DHS is now recommending for agencies (something Foresite’s consulting and compliance group has recommended for years).

The actions recommended are:

  1. Audit DNS Records
  2. Change DNS Account Passwords
  3. Add Multi-Factor Authentication to DNS Accounts
  4. Monitor Certificate Transparency Logs

You can read the full directive here: https://cyber.dhs.gov/ed/19-01/

The UK

The UK’s National Cyber Security Centre (NCSC) has taken note and is launching its own investigation.  The NCSC alert lists a number of indicators of compromise (IoC) that have been reported and advises organization to monitor for these IoCs on their networks.

The NCSC said it is working with industry partners and international government counterparts to understand the attack campaign’s impact and identify defensive measures.
In the meantime, the NCSC has recommended that organizations responsible for registering domains take mitigating steps in these areas:

  1. Ensure two-factor authentication is enabled in all registrar or registry accounts, and that the passwords are not easily guessed, are stored securely, and not reused across services.
  2. Attackers may attempt to use account recovery processes to gain access to domain management, so ensure that contact details are accurate and up to date.
  3. Many registrars and registries offer “lock” services to require additional security enhancing steps before changes can be made. Understand any “lock” services available to you, and consider applying them, particularly to high-value domains.
  4. Ensure any available logging is enabled, so that you can review changes that have been made.

Additional Thoughts

In addition to what the DHS, and NCSC have recommended Foresite recommends thinking long and hard about your DNS provider, as the choice can either enhance an organizations security or negatively affect it. As is often the case when cost is the first driver of decisions security usually lapses. CloudFlare and Akamai are considered the industry leaders in secure DNS, however AWS offers Route 66 which also specializes in secure DNS as does Google X, and Open DNS.  The point is to look careful at the security features they provide and make a wise choice.

Tracy Fox
+ posts

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity. 

Search