The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) sent out a directive on Tuesday to administrators of other federal agencies, telling them to protect their government domains after a recent wave of attacks against websites and email servers.
The directive follows a report from the cybersecurity firm FireEye warning of three different techniques for manipulating and hijacking DNS records, techniques that have been used since 2017 to alter the DNS records of ISPs, telecoms, and government agencies. These attacks potentially let an attacker intercept data such as emails and passwords. In the emergency directive, issued on Wednesday, CISA Director Christopher C. Krebs wrote that:
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services:
The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.
He then followed, in the same document, with a list of steps that administrators must complete within the next 10 business days.
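The directive asks administrators to look for tampering that may already have happened and to detect certificates they did not request. As an added illustration (not code from the article or from CISA's directive), the script below shows one way an administrator could perform that audit: it compares the A, MX and NS records currently served for a domain against a known-good baseline, and it flags any certificate for the domain issued by a certificate authority the organisation does not use. The domain name, baseline values, observed answers and certificate log entries are constructed sample data; in practice the observed records would come from resolver queries and the certificate entries from Certificate Transparency logs.

```python
"""Audit DNS records and certificate issuance against a known-good baseline.

Added illustration, not part of the CISA directive or the article.
All domain names, record values and issuer names below are constructed.
"""
from dataclasses import dataclass

# Known-good records for a hypothetical agency domain, captured when the zone
# was last verified by its owner. Values are constructed placeholders.
BASELINE = {
    ("example-agency.gov", "A"): {"192.0.2.10"},
    ("example-agency.gov", "MX"): {"10 mail.example-agency.gov."},
    ("example-agency.gov", "NS"): {"ns1.example-agency.gov.", "ns2.example-agency.gov."},
}

# Certificate authorities the organisation actually uses (constructed).
EXPECTED_ISSUERS = {"Example Public CA"}


@dataclass
class Finding:
    name: str    # domain name the finding concerns
    rtype: str   # record type, or "CERT" for certificate findings
    detail: str  # human-readable explanation


def audit_records(observed):
    """Compare observed record sets with BASELINE and return a list of findings.

    `observed` maps (name, rtype) -> set of record values as a resolver
    returned them. Any value added or removed is reported, because a silent
    change to A, MX or NS data is exactly the tampering the directive describes.
    """
    findings = []
    for (name, rtype), expected in BASELINE.items():
        seen = observed.get((name, rtype), set())
        for value in sorted(seen - expected):
            findings.append(Finding(name, rtype, f"unexpected value {value}"))
        for value in sorted(expected - seen):
            findings.append(Finding(name, rtype, f"missing value {value}"))
    return findings


def audit_certificates(ct_entries, domains):
    """Flag certificates covering our domains that were issued by an unexpected CA.

    `ct_entries` is a list of dicts with keys 'names' and 'issuer', the shape
    one would build from Certificate Transparency log results. Because control
    of DNS is enough to pass domain validation, a certificate from a CA the
    organisation never used is a strong signal worth investigating.
    """
    findings = []
    for entry in ct_entries:
        ours = sorted(set(entry["names"]) & domains)
        if ours and entry["issuer"] not in EXPECTED_ISSUERS:
            findings.append(Finding(",".join(ours), "CERT",
                                    f"issued by unexpected CA {entry['issuer']!r}"))
    return findings


# --- constructed sample input -------------------------------------------------
# An observed answer set in which the MX record has been replaced and a third
# NS record appended, plus one certificate from an issuer we do not use.
SAMPLE_OBSERVED = {
    ("example-agency.gov", "A"): {"192.0.2.10"},
    ("example-agency.gov", "MX"): {"10 mail.unverified.example."},
    ("example-agency.gov", "NS"): {"ns1.example-agency.gov.", "ns2.example-agency.gov.",
                                   "ns3.unverified.example."},
}
SAMPLE_CT = [
    {"names": ["example-agency.gov"], "issuer": "Example Public CA"},
    {"names": ["mail.example-agency.gov", "example-agency.gov"], "issuer": "Other CA"},
]


def run_audit(observed=SAMPLE_OBSERVED, ct_entries=SAMPLE_CT):
    """Run both checks and return the combined list of findings."""
    domains = {name for name, _ in BASELINE}
    return audit_records(observed) + audit_certificates(ct_entries, domains)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.rtype:<4} {f.name}: {f.detail}")
```

Run against the sample data, the audit reports the swapped MX value (both the unexpected entry and the missing legitimate one), the extra NS record, and the certificate from the unexpected issuer; the unchanged A record produces nothing. Keeping the baseline in version control, outside the DNS provider's own account, matters: if the attacker holds the credentials that manage the zone, a baseline stored there could be altered along with the records.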
This directive has the potential to create a wave in the government security industry. Coming in the middle of the government shutdown, it may push employees to migrate to the private sector and make professionals think twice before joining the government sector. The private sector is already known to pay much more than the government, but government employment has been known to be somewhat consistent. With this shutdown, the assurance of pay consistency goes out the door.