That\u2019s because attackers have been launching DNS hijacking attacks that could help them get SSL\/TLS certificates issued for government domains. <\/p>\n\n\n\n
Obviously, that would be disastrous.<\/p>\n\n\n\n
So today we\u2019re going to talk about Iranian hackers, DNS\nhijacking and rogue certificates.<\/p>\n\n\n\n
Let\u2019s hash it out\u2026<\/p><\/span>\n\n\n\n The US Department of Homeland Security is authorized to\nissue emergency directives \u201cin response to a known or reasonably suspected\ninformation security threat, vulnerability, or incident that represents a\nsubstantial threat to the information security of an agency.\u201d<\/p>\n\n\n\n It rarely does so, but yesterday it deemed it necessary and issued Emergency Directive 19-01.<\/a><\/p>\n\n\n\n In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents1<\/a><\/sup> involving Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.<\/p><\/blockquote>\n\n\n\n Attackers are rewriting DNS records to point them towards address under their own control, which gives them the ability to MITM<\/a> connections and even get SSL\/TLS certificates issued for compromised domains. When this happens, and an attacker gets their hands on a legitimate certificate, it\u2019s called a rogue certificate<\/a> and it can spell disaster. That gives the attacker the ability to impersonate the site, decrypt its traffic, whatever they want.<\/p>\n\n\n\n Add in the fact that these are federal websites and the risk increases exponentially. Researchers at FireEye have determined with a moderate degree of certainty<\/a> that the hijacking attacks are emanating from Iran. They\u2019ve been occurring in clusters since 2017.<\/p>\n\n\n\n In order to stave off any rogue certificates and protect DNS records, the DHS is mandating four actions be taken over the next ten days:<\/p>\n\n\n\n If the agencies run into any problems they\u2019re supposed to\ncontact the DHS\u2019s Cybersecurity and Infrastructure Security Agency (CISA). <\/p>\n\n\n\n Per the release, CISA will:<\/p>\n\n\n\n Yes, as of last week CISA had about 45% of its workforce furloughed<\/a>, with only \u201cessential\u201d functions covered. Additionally, 45% of the DHS\u2019 operations team, which includes the Office of Intelligence and the Office of Operations Coordination, is furloughed as well.<\/p>\n\n\n\n RELATED<\/strong>: Apparently certificate management isn’t an “essential function.”<\/a><\/em><\/p>\n\n\n\n It\u2019s possible that more of CISA\u2019s personnel has been called\nback to work (unpaid), but I haven\u2019t seen anything official. If I do I\u2019ll\nupdate this post. Otherwise, assume that DHS and CISA are both currently a\nlittle understaffed.<\/p>\n\n\n\n Maybe a little bit, but these attacks would still be occurring even if the US government was not currently shut down. These kinds of attacks between nation states are beginning to occur with startling frequency<\/a>. Russia<\/a>, China<\/a> and the US<\/a> are all engaged in varying degrees of cyber espionage and reconnaissance. And more and more countries are beginning to adopt a more aggressive, offensive-minded approach \u2013 as France announced yesterday<\/a>.<\/p>\n\n\n\n But, make no mistake about it, if ever there were a time to try to hit the US government with a cyber-attack \u2013 it\u2019s right now<\/a>. And if FireEye is right, and it is Iran, there is no lack of potential enmity there as a result of the US\u2019 withdrawal from the nuclear treaty and its subsequent economic sanctions. This is not a commentary on the wisdom of either of those decisions, just a simple statement of fact. <\/p>\n\n\n\n DNS hijacking is what occurs when you manipulate a server\u2019s DNS records to resolve to an address of your choosing. In order to execute this attack, you need to have credentials for, or some other means of accessing a user account with permissions to edit DNS records. So there\u2019s likely another component of this campaign that hasn\u2019t been ferreted out yet, and it likely involves some form of phishing<\/a>.<\/p>\n\n\n\n Once the attacker has access to an account that can change DNS records, they begin to alter address records, mail exchanger records or name server records and replace the original addresses with addresses under the attacker\u2019s control.<\/p>\n\n\n\n This enables [the attacker] to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.<\/p><\/blockquote>\n\n\n\n Finally \u2013 and this is the part that\u2019s most germane to our\narea of focus \u2013 being able to control DNS records on a given server gives the\nattacker the ability to request, and have issued, legitimate SSL\/TLS\ncertificates for any website residing on said server. <\/p>\n\n\n\n This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.<\/p><\/blockquote>\n\n\n\n This is the same thing we saw last year when a DNS\ncache poisoning technique<\/a> was discovered that allowed attackers to obtain\nlegitimate certificates for sites they didn\u2019t control. When this happens it\u2019s\ncalled a rogue certificate<\/p>\n\n\n\n If there is a nuclear-level emergency in the SSL\/TLS world, it would be rogue certificates. We\u2019ve actually gone in-depth on Rogue Certificates<\/a> in the past, but here\u2019s the gyst of it:<\/p>\n\n\n\n Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy can be validated. Users then will be redirected to such sites through phishing or \u201dman in the middle\u201d attacks where a compromised host in-between the user and a legitimate site sends traffic to an illegitimate site instead.<\/p>Eric Vandenburg, VP of TCDI (Technology Concepts & Design, Inc.)<\/a><\/cite><\/blockquote>\n\n\n\n <\/p>\n\n\n\n Rogue certificates are rare, but still more common than they should be. In the past, rogue certificates have gotten CAs shut down, perhaps unironically it was actually Iran that helped to put an end to the Dutch CA DigiNotar in 2011 after it managed to compromise DigiNotar\u2019s private key with an SQL injection.<\/p>\n\n\n\n The best ways to defend against rogue certificates are:<\/p>\n\n\n\n Hopefully this shutdown ends soon and the US National Cyber Security apparatus can return to full strength. In the meantime other countries are going to keep probing.<\/p>\n\n\n\n As always, leave any comments or questions below\u2026<\/em><\/p>\n\n\n\n \u201cBecause the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization\u2019s domain names\u2026\u201d The US Department of Homeland Security (DHS) issued an emergency…<\/p>\n","protected":false},"author":6,"featured_media":8331,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[8586,9766,3367],"class_list":["post-8329","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-rogue-certificates","tag-shutdown","tag-us-government","post-with-tags"],"views":12697,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/bigstock-Security-Network-Concept-274313497.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/8329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=8329"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/8329\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/8331"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=8329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=8329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=8329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Department](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/DHS-300x300.png\")
<\/figure><\/div>\n\n\n\nAn Emergency Directive from the DHS<\/h2>\n\n\n\n
![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/thumbnail_CISA.jpg\")
<\/figure><\/div>\n\n\n\nWait, isn\u2019t CISA Furloughed because of the Shutdown?<\/h2>\n\n\n\n
![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/bigstock-Capitol-Building-Retro-Ad-Ar-17988470-300x240.jpg\")
<\/figure><\/div>\n\n\n\nDo these attackers feel emboldened because of the shutdown?<\/h2>\n\n\n\n
What is DNS hijacking and why is it dangerous?<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/DNS-Hijacking.png\")
<\/figure><\/div>\n\n\n\nHow dangerous are rogue certificates?<\/h2>\n\n\n\n
![\"Hashed](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\")
<\/figure>\n\n\n\n
\n","protected":false},"excerpt":{"rendered":"