US Gov issues emergency directive after wave of domain hijacking attacks
The US Department of Homeland Security (DHS) has issued an emergency directive tightening DNS security after a recent wave of domain hijacking attacks targeting government websites.
Under the directive, which appeared a week after a US-CERT warning on the same topic, admins looking after US .gov domains have until 5 February to do all of the following or explain why they can’t:
- Verify that all important domains are resolving to the correct IP address and haven’t been tampered with.
- Change passwords on all accounts used to manage domain records.
- Turn on multi-factor authentication to protect admin accounts.
- Monitor Certificate Transparency (CT) logs for newly issued TLS certificates that might have been issued by a malicious actor.
The warning mentions domain hijacking campaigns publicized by security companies in November 2018 and January 2019, only one of which alluded to targets that might include US government sites.
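The first and fourth checks in the directive's list (verifying that records still resolve as intended, and watching CT logs for certificates the owner did not request) can be sketched as follows. This is an added example, not code from the directive or the original article; every domain, address, serial number and the simplified CT record shape are constructed assumptions.

```python
# Added example: all names, addresses, serials and record shapes are constructed.
BASELINE = {  # records the domain owner intends to publish
    ("agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("mail.agency.example", "A"): {"192.0.2.25"},
}
OBSERVED = {  # answers collected from resolvers (constructed)
    ("agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns1.other-host.example."},
    ("mail.agency.example", "A"): {"198.51.100.77"},
}
ISSUED_BY_US = {"0a:01", "0a:02"}  # serials in the owner's certificate inventory
CT_ENTRIES = [  # simplified CT log records (hypothetical shape)
    {"serial": "0a:01", "issuer": "Agency CA", "names": ["agency.example"]},
    {"serial": "7f:9c", "issuer": "Other CA", "names": ["mail.agency.example"]},
    {"serial": "33:10", "issuer": "Other CA", "names": ["*.agency.example"]},
    {"serial": "51:aa", "issuer": "Other CA", "names": ["notagency.example"]},
]

def audit_dns(baseline, observed):
    """Return (name, rtype, unexpected, missing) for every record that drifted."""
    drift = []
    for (name, rtype), expected in sorted(baseline.items()):
        seen = {v.lower() for v in observed.get((name, rtype), set())}
        expected = {v.lower() for v in expected}
        if seen != expected:
            drift.append((name, rtype, sorted(seen - expected), sorted(expected - seen)))
    return drift

def covers(cert_name, domain):
    """True if a certificate name is the domain or falls under it (dot boundary)."""
    n = cert_name.lower().rstrip(".")
    if n.startswith("*."):  # a wildcard covers the names directly below its base
        n = n[2:]
    return n == domain or n.endswith("." + domain)

def unknown_certs(entries, domain, inventory):
    """CT entries naming the domain whose serial is not in the owner's inventory."""
    return [e for e in entries
            if e["serial"] not in inventory
            and any(covers(n, domain) for n in e["names"])]

if __name__ == "__main__":
    for name, rtype, extra, missing in audit_dns(BASELINE, OBSERVED):
        print(f"DNS drift {name} {rtype}: unexpected={extra} missing={missing}")
    for e in unknown_certs(CT_ENTRIES, "agency.example", ISSUED_BY_US):
        print(f"Unrecognized cert {e['serial']} from {e['issuer']} for {e['names']}")
```

The dot-boundary test in `covers` keeps a look-alike such as `notagency.example` from being counted as one of the owner's names, while still catching wildcard certificates.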
What is Domain Hijacking?
Wikipedia defines domain hijacking as the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.
This can be devastating to the original domain name holder, not only financially, as they may have derived commercial income from a website hosted at the domain or conducted business through that domain’s email accounts, but also in terms of readership and audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing (where a website is replaced by an identical website that records private information such as log-in passwords), spam, or even distribution of malware, causing additional damage to third parties due to the wrongful loss and wrongful gain of the domain.