[SingCERT] Advisory on Mitigating DNS Records Tampering

Published on 24 Jan 2019

Updated on 23 Oct 2019

Background

On 22 Jan 19, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 19-01, titled “Mitigate DNS Infrastructure Tampering” [1], in response to a recent series of incidents involving the tampering of Domain Name System (DNS) records belonging to government agencies and civilian entities across the globe [2].


Modus Operandi

The attackers first attempt to compromise the victim's DNS account (also known as the domain registrant account). Once access is illegally obtained, the attackers are able to alter existing DNS records such as Address (A), Mail Exchanger (MX) or Name Server (NS) records, as well as obtain valid encryption certificates for the domain names. This can lead to the redirection or interception of internet traffic, and may be further exploited for malicious purposes such as:

  • Using legitimate URLs or email addresses in phishing attacks, since the attacker now controls where those names resolve.
  • Capturing confidential information such as login credentials and account details from end users.

Recommendations

To prevent your DNS account and records from being compromised, SingCERT advises operators of DNS infrastructure to adopt the following:

  • Use a strong password (i.e. use a long and random password/passphrase which contains a mixture of uppercase and lowercase letters, numbers and/or symbols).
  • Enable Multi-Factor Authentication for your DNS account, or on accounts that can make modifications to DNS records.
  • Perform regular checks on your DNS records to verify that they resolve to the correct IP addresses or hosts.
  • Always practise good cybersecurity hygiene. Refer to our Be Safe Online guide for tips on how to defend your business against cyber-attacks [3].
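One way to carry out the regular record check recommended above, as an added example that is not part of the advisory: the script keeps a known-good baseline of A, MX and NS records and reports any answer set that drifts from it. All names and addresses are constructed, and the `lookup` callable is injected so the same check can run against captured data or, via the optional dnspython adaptor, against a live resolver.

```python
"""Compare live DNS answers (A, MX, NS) against a known-good baseline."""
from dataclasses import dataclass

# Constructed baseline: record the answers from a trusted point in time,
# then re-check them on a schedule. Names/addresses are placeholders.
BASELINE = {
    ("www.example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.net.", "ns2.example.net."},
}

# Constructed "tampered" answers: the A record points elsewhere and one
# authoritative name server has been swapped out; MX is untouched.
SAMPLE_TAMPERED = {
    ("www.example.com", "A"): {"198.51.100.7"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.net.", "ns-rogue.example.org."},
}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    unexpected: frozenset  # answers present now but not in the baseline
    missing: frozenset     # baseline answers that no longer appear


def check_records(baseline, lookup):
    """Return one Finding per (name, type) whose answer set differs.

    `lookup(name, rtype)` must return the current set of answer strings in
    dnspython's text form, e.g. "10 mail.example.com." for MX.
    """
    findings = []
    for (name, rtype), expected in baseline.items():
        current = set(lookup(name, rtype))
        if current != expected:
            findings.append(Finding(name, rtype,
                                    frozenset(current - expected),
                                    frozenset(expected - current)))
    return findings


def sample_lookup(name, rtype):
    """Offline lookup backed by the constructed tampered answers."""
    return SAMPLE_TAMPERED[(name, rtype)]


def dnspython_lookup(name, rtype):
    """Live lookup adaptor; needs the third-party dnspython package."""
    import dns.resolver  # assumption: dnspython >= 2.0 is installed
    return {r.to_text() for r in dns.resolver.resolve(name, rtype)}
```

Query more than one resolver (and the delegated authoritative servers themselves) so that a change made at the registrar is caught even while stale answers are still cached.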

References