The Department of Homeland Security (DHS) issued an emergency order on Tuesday afternoon in an effort to mitigate Domain Name System (DNS) infrastructure tampering. DHS and the Cybersecurity and Infrastructure Security Agency (CISA) have been tracking incidents of tampering where multiple executive branch agency domains were impacted.
The attackers were able to redirect and intercept web and mail traffic using a variety of techniques. Attackers could compromise user credentials and alter DNS records, replacing a legitimate address with one that the attacker controls. Once attackers are able to set DNS record values, they can obtain valid encryption certificates for an organization’s domain names.
Agencies will be required to audit their DNS records, change DNS account passwords, add multi-factor authentication to DNS accounts, and monitor certificate transparency logs.
“Beginning February 6, 2019, the CISA Director will engage Chief Information Officers and/or Senior Agency Officials for Risk Management of agencies that have not completed required actions, as appropriate, to ensure their most critical federal information systems are adequately protected,” the emergency order reads.
CISA will provide a report to the DHS Secretary and the Director of the Office of Management and Budget identifying agency status and outstanding issues by Feb. 8.