The U.S. Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) are tracking a global domain name system (DNS) infrastructure hijacking campaign, according to a prepared statement.
In addition, DHS and CISA have identified executive branch agency domains affected by the campaign and have notified those agencies about the incident.
The attackers behind the global DNS infrastructure hijacking campaign are modifying the locations to which executive branch agencies' domain name resources resolve, the U.S. Computer Emergency Readiness Team (US-CERT) indicated. They are also using the following techniques as part of the campaign:
- Compromise, or otherwise obtain, the credentials of an account that can make changes to DNS records.
- Modify address, mail exchanger, name server and other DNS records.
- Because they can set DNS record values, obtain valid encryption certificates for executive branch agencies' domain names.
With these techniques, cybercriminals can redirect user traffic to attacker-controlled infrastructure, access valid encryption certificates for executive branch agencies' domain names and launch man-in-the-middle attacks, US-CERT said.
How Can Executive Branch Agencies Address Global DNS Infrastructure Attacks?
CISA offers the following recommendations to help executive branch agencies address the global DNS infrastructure hijacking campaign:
- Audit DNS records. Review the DNS records for agency services offered to agency users and the public and verify that they resolve to the intended location; if any do not, notify CISA.
- Update DNS account passwords. Modify DNS passwords on all accounts that can make changes to agency DNS records and use a password manager to create complex and unique passwords.
- Leverage multi-factor authentication (MFA). Implement MFA for all accounts on systems that can make changes to an agency's DNS records.
- Track certificate transparency logs. Monitor certificate transparency log data for certificates issued by CISA.
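The first recommendation, auditing address, mail exchanger and name server records against where they are supposed to point, can be scripted. The following is an added example, not code from CISA or the directive: EXPECTED is an assumed agency-maintained inventory, and OBSERVED is a constructed stand-in for resolver output so the script runs offline (in practice it would be filled from live lookups).

```python
"""Audit DNS records against an agency baseline (added example, not from CISA)."""
from typing import Dict, List, Set, Tuple

# Key: (owner name, record type); value: the set of data values the agency
# expects. A, MX and NS are the record types the campaign tampered with.
# All names and addresses are constructed placeholders.
EXPECTED: Dict[Tuple[str, str], Set[str]] = {
    ("www.agency.example", "A"): {"198.51.100.10"},
    ("agency.example", "MX"): {"mail.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
}

# Constructed resolver output: the MX record and one NS record have been
# redirected to infrastructure the agency does not control.
OBSERVED: Dict[Tuple[str, str], Set[str]] = {
    ("www.agency.example", "A"): {"198.51.100.10"},
    ("agency.example", "MX"): {"mx.relay-203-0-113-7.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns.203-0-113-9.example."},
}


def audit(expected: Dict[Tuple[str, str], Set[str]],
          observed: Dict[Tuple[str, str], Set[str]]) -> List[dict]:
    """Return one finding per record whose observed values differ from the baseline.

    A record that is entirely absent from `observed` is reported with every
    expected value listed as missing, since a deleted record is as much a
    deviation as a changed one.
    """
    findings: List[dict] = []
    for (name, rtype), want in expected.items():
        got = observed.get((name, rtype), set())
        if got != want:
            findings.append({
                "name": name,
                "type": rtype,
                "unexpected": sorted(got - want),  # values pointing somewhere else
                "missing": sorted(want - got),     # baseline values no longer served
            })
    return findings


if __name__ == "__main__":
    for f in audit(EXPECTED, OBSERVED):
        print(f"{f['type']:<3} {f['name']}: unexpected={f['unexpected']} missing={f['missing']}")
```

Any finding is the trigger for the directive's "notify CISA" step; a clean run returns an empty list.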
CISA also has issued a global DNS infrastructure campaign emergency directive that will remain in place until further notice. The directive requires executive branch agencies to provide CISA with status and completion reports to verify that they have taken action to mitigate global DNS infrastructure campaign attacks.