DHS issues security order after DNS hijack attacks from Iran, 6 agency domains already affected

The Department of Homeland Security on Tuesday issued an emergency security alert urging federal civilian agencies to secure login credentials for their respective internet domain records.

The alert follows up on a recent report of DNS attacks said to have originated in Iran.

In today's statement, DHS says managers need to audit DNS records for unauthorized edits, update their passwords, and turn on multi-factor authentication for all accounts through which DNS records could be altered. Agencies have two weeks to implement the directives.

Cyberscoop today reported that DHS is aware of at least six civilian agency domains that have been impacted by DNS hijacks.

Read it in full at cyber.dhs.gov: Emergency Directive 19-01 [January 22, 2019], 'Mitigate DNS Infrastructure Tampering.' There's also a PDF link.

Excerpt from the 'background' section of the document:

In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents1 involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls.