Juha Saarinen: US takes urgent action after internet attacks

Tech blogger for nzherald.co.nz.·NZ Herald·

29 Jan, 2019 04:30 PM3 mins to read

Iran is believed to be behind the attacks on internet infrastructure. Photo / 123RF

COMMENT:

Don't panic, but the United States Government, shutdown notwithstanding, issued its first Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive, following a string of serious and successful attacks on key internet systems over the past two years.

Iran is believed to be behind the campaign. It first popped up on security vendors' radars in January 2017 and the attackers were after the digital keys to Government, corporate and other organisations' domain name system (DNS) servers.

Security vendor FireEye published a detailed report on the attacks hitting scores of Government agencies, telcos and internet infrastructure providers across Europe, the US and Middle East/North Africa, "on an almost unprecedented scale, with a high degree of success".

To understand what happened and just how serious the attacks are, consider that DNS is a critical part of the internet infrastructure. Our devices connect to it all the time, and we rarely notice how DNS operates in the background, until something goes wrong with it.

DNS is a distributed database, a naming system that maps information to domain names (let's not do the "phone book for the internet" anymore please).

For instance, nzherald.co.nz is mapped to one or more internet protocol addresses which in turn are assigned to one or more servers. Your browser asks DNS servers where to find the NZ Herald website and is given an IP address (and sometimes other data) where it is located.

Gaining control over DNS servers for a domain means attackers can do an amazing amount of evil. Attackers can redirect website visitors to a server that they control, and dish up whatever they like to them from bogus content to malware, to login-stealing pages.

The traffic redirection meant that emails, for instance, could be inspected and manipulated before being sent on to the correct location, and it would be hard for normal users to spot this.

Alarmingly, CISA and security vendors noted that the DNS attackers could obtain valid encryption certificates for organisations' domain names. With these installed, the attackers could decrypt data silently, rendering an important line of defence against traffic interception and tampering useless.

CISA said "multiple executive branch agency domains" were affected, meaning the attackers struck solid gold and may have been able to siphon off sensitive data for a couple of years.

How did the attackers manage to get themselves into such a position of power?

Security vendors believe that they obtained login credentials for accounts that enabled attackers to change DNS settings through phishing and compromising a registrar.

Add to that, a lack of multi-factor authentication (MFA), lack of monitoring of changes to DNS records and the mind boggles as to how such critical internet infrastructure was left so poorly protected.

The CISA Emergency Directive is now ordering some ambulance at the bottom of the cliff measures to fix up the mess for Government agencies. These include keeping an eye on DNS records, adding MFA and getting rid of bogus certificates for domains.

Local organisations with an internet presence should take heed of this, and harden up their systems too because the attacks are simple, effective and very likely to continue.