What Does Homeland Security Say About DNS Hijacking?
August 22, 2019
Featured article by Susan Melony, Independent Technology Author
The Domain Name System (DNS) and its security and protection should be a top priority for businesses and organizations. DNS is one of the biggest points of weakness for businesses in the United States and abroad, so much so that the federal government has formally recognized it.
The interruption of DNS can cause a ripple effect throughout an organization, and this is increasingly being seen in institutions and businesses. There has been mounting media attention on the risks of DNS hijacking and what organizations can do to prevent it.
In the early part of 2019, the risks of DNS hijacking and other DNS attacks became so pertinent the Department of Homeland Security and the federal government started issuing directives on the topic.
The following are things every business should know about DNS hijacking and what the guidance is from the Department of Homeland Security.
What Homeland Said In January 2019
In January 2019, there was information issued by the National Cybersecurity and Communications Integration Center (NCCIC), which is part of the Cybersecurity and Infrastructure Security Agency (CISA).
The alert said the agencies were aware of what they described as a global Domain Name System (DNS) infrastructure hijacking campaign.
According to this report, attackers use compromised credentials to redirect user traffic. Users, thinking they were going to the legitimate website they typed in, would actually be sent to infrastructure controlled by the attackers.
As a result of the redirect, the attackers could then obtain valid encryption certificates for the domain names, and this is how they can carry out what are called man-in-the-middle attacks.
A revision of the alert was issued in February 2019, and the update gave details on the different types of recognized attacks. The steps attackers use, according to the Homeland Security alert, include:
- Attackers compromise user credentials, or obtain them by other means, in order to change DNS records.
- The attacker might alter DNS records such as Name Server (NS) records or Address (A) records.
- Once the attacker controls the DNS record values, they are also able to obtain encryption certificates for the domain, which allows them to decrypt the traffic being redirected.
- On the user’s end, there are no warnings or error messages during these attacks.
The DHS issued an emergency directive on the topic at the start of the year, which is fairly rare. In doing so they were worried about the vulnerability of federal agencies in particular, but of course it caught the attention of businesses as well.
For federal agencies, the DHS directive gave them ten days to verify the accuracy of DNS records.
DHS said at that time, they were aware of multiple executive branch domains impacted by DNS hijacking.
What Can You Do to Protect Against the Threat?
NCCIC issued the following advice to help organizations and businesses protect their network against this threat:
- Use multifactor authentication on domain registrar accounts and on any other systems within the organization that are used to modify DNS records.
- Verify DNS infrastructure is pointing to the right IP address or hostname—this includes second-level domains, sub-domains, and other related resource records.
- Search for domain encryption certificates and revoke any that are found to be fraudulently requested.
- Update passwords for all accounts able to change DNS records.
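The second item, verifying that DNS records still point where they should, is easy to turn into a repeatable check. The following is an added example, not code from the article or from CISA: it compares the NS and A records observed for each name against an audited baseline and reports any drift. The resolver is injected so the script runs offline; the BASELINE values and the OBSERVED snapshot are constructed for the demonstration, and a production run would replace constructed_lookup with a live query (for instance dns.resolver.resolve from dnspython, an assumed dependency).

```python
# Added example: detect drift between audited DNS records and live answers.
# BASELINE is what the organization's change records say should be published;
# OBSERVED is a constructed stand-in for live resolver answers.
BASELINE = {
    "example.com": {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
                    "A": {"203.0.113.10"}},
    "mail.example.com": {"A": {"203.0.113.25"}},
}

# Constructed snapshot: one name server and the apex A record have changed,
# the mail host is unchanged.
OBSERVED = {
    ("example.com", "NS"): {"ns1.example-dns.net.", "ns9.unknown.example."},
    ("example.com", "A"): {"198.51.100.77"},
    ("mail.example.com", "A"): {"203.0.113.25"},
}


def constructed_lookup(name, rtype):
    """Stand-in resolver returning the constructed snapshot.
    Replace with a live query in production (e.g. dnspython's
    dns.resolver.resolve, assumed here, not part of the stdlib)."""
    return set(OBSERVED.get((name, rtype), set()))


def audit_records(baseline, lookup):
    """Return {(name, rtype): (missing, unexpected)} for every record set
    whose live answer differs from the baseline. An empty dict means no drift.
    Comparison is case-insensitive because DNS names are."""
    drift = {}
    for name, rrsets in baseline.items():
        for rtype, expected in rrsets.items():
            observed = {v.lower() for v in lookup(name, rtype)}
            expected_lc = {v.lower() for v in expected}
            missing = expected_lc - observed      # baseline values no longer served
            unexpected = observed - expected_lc   # values nobody authorized
            if missing or unexpected:
                drift[(name, rtype)] = (missing, unexpected)
    return drift


if __name__ == "__main__":
    report = audit_records(BASELINE, constructed_lookup)
    for (name, rtype), (missing, unexpected) in sorted(report.items()):
        print(f"DRIFT {name} {rtype}: missing={sorted(missing)} "
              f"unexpected={sorted(unexpected)}")
```

Any non-empty result should be compared against the organization's change log before it is treated as a hijack, since legitimate migrations produce the same signal.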
The information Homeland Security used in issuing their emergency directive came from research conducted by FireEye and Cisco.
According to FireEye's research, an unknown actor possibly linked to Iran was hijacking parts of the internet's infrastructure. The goal was to target government traffic as well as telecommunications organizations.
FireEye also wrote about the increasing prevalence of DNS hijacking attacks that were affecting the Middle East, North Africa, and Europe.
Lebanon is one example of a country impacted by the DNS hijacking: the Finance Ministry had its email redirected because of a DNS attack. In the UAE, there were attacks on the Telecommunications Regulatory Authority and on Middle East Airlines.
FireEye, when it issued its report, said it was not entirely sure how the attackers were able to divert traffic so easily. The report indicated they were possibly using multiple approaches to get onto DNS systems in the first place.
Examples of possible methods cited include phishing to steal credentials and compromising domain registrar accounts.
While the above information relates primarily to governmental entities, it's more important than ever before for private businesses to be aware of the potential for DNS hijacking and related attacks as well.