Emergency Directive: 3 Techniques Used in DNS Infrastructure Tampering Attack

The  DHS Cybersecurity and Infrastructure Security Agency (CISA) is issuing an emergency directive on DNS infrastructure tampering.

"Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services."

The 3 techniques used in DNS infrastructure cyber attacks

Here is what CISA has seen in multiple incidents:

1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
2. Next, the attacker alters DNS records—such as Address (A), Mail Exchanger (MX), or Name Server (NS) records—replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end-users receive no error warnings.

CISA also lists a series of cybersecurity actions to take to protect your organization or agency, including auditing your DNS records, changing DNS account passwords, adding multi-factor authentication to DNS accounts, and monitoring certificate transparency logs.

Read the CISA Emergency Directive on DNS Infrastructure Tampering for more details on near-term actions to mitigate risks from undiscovered tampering.

Government agencies given 10 days to comply with directive

With government agencies given just 10 days to implement these risk remediation measures, Congressman Jim Langevin tweeted about how that is supposed to happen during a government shutdown: