The US Department of Homeland Security (DHS) has taken the unprecedented step of issuing an emergency directive to demand that government agencies take immediate action to protect DNS infrastructure, in response to a major attack campaign by the Iranian Regime.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued the Mitigating DNS Infrastructure Tampering directive, which detailed how the Iranian Regime’s hacking collective was infiltrating the DNS systems in order to interrupt and redirect web and e-mail traffic.

It explained that the Iranian hackers were obtaining or compromising the login credentials of accounts able to change DNS records. One method was to direct users to a fake login page that saved a copy of the credentials before redirecting them to the correct page.

The directive read: “Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”

This Iranian phishing scheme has been observed on multiple domains run by executive branch agencies, so CISA is demanding that all of these government agencies audit the DNS records on all of their .gov and related domains within 10 days, check whether the problem has been resolved, and report any issues they encounter.

CISA also advised that during this 10-day period users update the passwords of any accounts that can change DNS records and implement multi-factor authentication, which means that they log in to their accounts with a code sent to their phone or email address. While it is true that the Iranian hackers were sometimes able to thwart multi-factor authentication in the latest cyber attack, doing so relied on the user entering the code within a short timeframe, so it still presented an additional hurdle for the Iranian hackers.

CISA also noted that agencies will have to take part in a new Certificate Transparency initiative and monitor the log data for certificates issued for their domains that they did not request, since such a certificate is a clear sign that control of the domain may have fallen into the wrong hands.
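As an added illustration of the two checks the directive asks for (the DNS record audit and the Certificate Transparency review), not code from the directive or from CISA, the following script compares an agency's DNS baseline with the records currently served and flags CT log entries for its domain that are not in its own certificate inventory. The domain, records, serials and the simplified CT entry format are all constructed for the example.

```python
# Constructed sample data for a hypothetical agency domain (not real records
# or CT log output). BASELINE is the inventory an agency keeps; CURRENT is
# what its authoritative servers answer today.
BASELINE = {
    ("example-agency.gov", "A"): {"203.0.113.10"},
    ("example-agency.gov", "MX"): {"10 mail.example-agency.gov."},
    ("example-agency.gov", "NS"): {"ns1.example-agency.gov.", "ns2.example-agency.gov."},
}
CURRENT = {
    ("example-agency.gov", "A"): {"198.51.100.77"},   # drifted from the baseline
    ("example-agency.gov", "MX"): {"10 mail.example-agency.gov."},
    ("example-agency.gov", "NS"): {"ns1.example-agency.gov.", "ns2.example-agency.gov."},
}
# Certificates the agency itself requested, keyed by (issuer, serial). Constructed.
KNOWN_CERTS = {("Example CA R1", "0x0a01")}
# Simplified CT log entries (assumed shape): one legitimate, one nobody at the
# agency asked for, and one for a look-alike name outside the agency's zone.
CT_ENTRIES = [
    {"issuer": "Example CA R1", "serial": "0x0a01", "names": ["mail.example-agency.gov"]},
    {"issuer": "Other CA X2", "serial": "0x1b2c",
     "names": ["mail.example-agency.gov", "www.example-agency.gov"]},
    {"issuer": "Other CA X2", "serial": "0x1b2d", "names": ["example-agency.gov.evil.example"]},
]

def in_zone(name, zone):
    """True if name is the zone apex or a subdomain of it (wildcard names included)."""
    name = name.lower().lstrip("*.")
    return name == zone or name.endswith("." + zone)

def audit_dns(baseline, current):
    """Records whose served values differ from the baseline: (name, type, expected, observed)."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        expected, observed = baseline.get(key, set()), current.get(key, set())
        if expected != observed:
            drift.append((key[0], key[1], sorted(expected), sorted(observed)))
    return drift

def unrequested_certs(entries, known, zone):
    """CT entries that cover a name in the zone but are absent from the agency's inventory."""
    return [e for e in entries
            if any(in_zone(n, zone) for n in e["names"])
            and (e["issuer"], e["serial"]) not in known]

if __name__ == "__main__":
    for finding in audit_dns(BASELINE, CURRENT):
        print("DNS drift:", finding)
    for cert in unrequested_certs(CT_ENTRIES, KNOWN_CERTS, "example-agency.gov"):
        print("Unrequested certificate:", cert["issuer"], cert["serial"], cert["names"])
```

In practice the CURRENT records would come from querying each authoritative name server and the CT entries from a CT log or monitoring service; a look-alike name outside the zone is a separate phishing concern and is deliberately not flagged here.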

Given that this order is coming out amidst the longest government shutdown in US history, this shows how seriously the US government is taking the Iranian threat.

Earlier this month, cybersecurity firm FireEye explained that a global DNS hijacking campaign targeting dozens of domains run by government, telecommunications, and internet infrastructure providers in the Middle East, North Africa, Europe and North America was traced back to Iran. It is believed the Iranian regime's hackers were looking for confidential information from Middle East governments.

Source » ncr-iran