Updated: Dec 16, 2019
Let’s get right to it: Cyber criminals are conducting what are essentially man-in-the-middle attacks on the Domain Name System (DNS) as an end-run around encryption. The Department of Homeland Security (DHS) has also issued a directive to agencies addressing this particular cybersecurity threat.
Here’s How It Works
DNS controls most global internet traffic by translating domain names into the numeric IP addresses computers actually use to process client requests. What some cyber criminals have proven adept at doing is intercepting and re-routing the IP address records, replacing them with ones under their control. The user is first directed to the criminal’s infrastructure for “inspection,” where the traffic is decrypted and manipulated, then sent on to the real address so that everything looks normal.
Another form of attack, the TCP SYN flood, a type of Distributed Denial of Service (DDoS) attack, is quite common as well. Close to half of all observed attack traffic came from Windows systems that were compromised and turned into botnets. iOS devices were the next-largest source. In terms of where the majority of these attacks originated, China came in first place, followed by Turkey and the United States.
So, where do we go from here?
This particular exploit is being monitored on government and communications infrastructures across North America, Europe, the Middle East and North Africa.
The following, per DHS, is “a set of risk-informed, straightforward, and high impact/low burden actions that agencies must take to harden systems and improve awareness and trustworthiness of key security processes.”
Agencies have until Feb. 5 to complete the following four actions:
Audit public DNS records on all DNS servers to make sure that they resolve to the intended location. Report any that do not to CISA.
Update passwords for all DNS accounts on systems that can change DNS records.
Enable multi-factor authentication (MFA) on all accounts on systems that make changes to DNS records. If MFA cannot be set up, report the reason why to CISA.
CISA will deliver Certificate Transparency (CT) logs for agency domains through the Cyber Hygiene service. It is up to agencies to monitor CT log data for unauthorized issuance of certificates and report any such certificate to CISA.
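One way to carry out the record audit in the first action above, as an added example that is not from the article or the directive: it compares a baseline of expected answers with what a resolver returns and reports any address the baseline does not list. The names and addresses are constructed (documentation ranges), and the live resolver is only used when the script is run with --live; the same comparison applies to NS and MX records if your resolver returns them.

```python
"""Baseline audit of public DNS records against a known-good list."""
import socket
from typing import Callable, Dict, Set

# Hypothetical baseline: what the agency's change records say each name
# should resolve to. Names and addresses are constructed for this example.
EXPECTED_A: Dict[str, Set[str]] = {
    "www.agency.example": {"192.0.2.10", "192.0.2.11"},
    "mail.agency.example": {"198.51.100.25"},
    "vpn.agency.example": {"203.0.113.5"},
}

Resolver = Callable[[str], Set[str]]


def live_resolve_a(name: str) -> Set[str]:
    """Ask the system resolver for the A records of `name` (empty on failure)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except OSError:
        return set()
    return set(addrs)


def audit(expected: Dict[str, Set[str]], resolve: Resolver) -> Dict[str, Dict[str, Set[str]]]:
    """Compare each baseline entry with the resolver's answer.

    Returns only names whose answers differ: 'rogue' holds addresses the
    baseline does not list (the hijack signal to report), 'missing' holds
    baseline addresses that no longer appear (record removed or name dead).
    """
    findings: Dict[str, Dict[str, Set[str]]] = {}
    for name, want in expected.items():
        got = resolve(name)
        rogue, missing = got - want, want - got
        if rogue or missing:
            findings[name] = {"observed": got, "rogue": rogue, "missing": missing}
    return findings


def constructed_snapshot(name: str) -> Set[str]:
    """Constructed answers standing in for a live query: www is unchanged,
    mail has been redirected to an address outside the baseline, vpn no
    longer resolves at all."""
    snapshot = {
        "www.agency.example": {"192.0.2.10", "192.0.2.11"},
        "mail.agency.example": {"203.0.113.77"},
        "vpn.agency.example": set(),
    }
    return snapshot.get(name, set())


if __name__ == "__main__":
    import sys
    resolver = live_resolve_a if "--live" in sys.argv else constructed_snapshot
    for name, f in audit(EXPECTED_A, resolver).items():
        print(f"{name}: rogue={sorted(f['rogue'])} missing={sorted(f['missing'])}")
```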