Sensato-TIB: DNS Attack Against Critical Infrastructure Sectors
This is not meant as a conclusive briefing, but rather as a cautionary update on these attacks.
CRITICAL DETAILS AND INTELLIGENCE
Sensato has become aware of a series of attacks which are directed against DNS infrastructure. This Threat Intelligence Briefing (TIB) provides an overview of these attacks and possible countermeasures that you may wish to consider implementing.
The motivation behind this attack is still unknown, but early analysis indicates that these attacks are being conducted by Iranian actors (specifically government-backed or government-associated). Although there have been ongoing DNS attacks against critical infrastructure since 2010, this new series of attacks is occurring at a scale previously unseen. The exact means used by the attackers to compromise the DNS infrastructure is currently unknown.
Once the attackers compromise DNS, they can redirect all DNS traffic to servers they control and inspect or manipulate the captured traffic before forwarding it to the victim’s systems. This also allows the attacker to examine encrypted data, thereby bypassing common encryption methods without the victim becoming aware that the encryption has been undermined.
ITEMS TO CONSIDER
This attack has gained momentum in the past weeks. Currently the attack is targeting critical infrastructure (specifically government agencies). CISA/DHS has issued an emergency directive advising government agencies to implement precautions to protect against this attack. Sensato believes these measures should be implemented by all those in or serving a critical infrastructure sector.
THINGS TO DO
1. Audit DNS Records – Review your DNS records to ensure that they resolve to their intended locations. It is recommended that this audit be performed weekly for the next 30 days, after which current threat intelligence should be re-evaluated to determine an appropriate ongoing audit frequency.
2. Change DNS Passwords – Ensure all DNS servers and services use strong passwords and that those passwords are changed immediately. Going forward, DNS passwords should be changed in accordance with your organization’s password change policy.
3. Enable Multi-Factor Authentication – Implement MFA for all DNS services and servers as soon as possible.
4. Report Suspicious DNS Behavior – If you encounter suspicious DNS behavior, please report it to CISA/DHS and Sensato.
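The record audit in item 1 is easiest to keep up weekly if it is scripted. The following is an added example written for this briefing, not a Sensato tool: it compares what each name currently resolves to against a baseline recorded at the last audit and classifies any drift. The hostnames, addresses and the "observed" answers are constructed so the example runs offline; the `live_resolver` function shows how the same audit would be pointed at the system resolver.

```python
"""DNS record audit: compare current resolution against a signed-off
baseline and flag drift.  Added example for this briefing; every
hostname and address below is constructed, not a real asset."""
import socket
from dataclasses import dataclass

# Constructed baseline: the addresses each name is *supposed* to resolve
# to, as recorded at the last audit.  In practice load this from a file
# kept under change control, not from the script itself.
BASELINE = {
    "mail.example.test": {"192.0.2.10"},
    "vpn.example.test": {"192.0.2.20", "192.0.2.21"},
    "portal.example.test": {"198.51.100.5"},
}

# Constructed "observed" answers standing in for a live resolver:
# vpn has gained an address that was never approved, and portal now
# points somewhere entirely different (the pattern a hijack produces).
OBSERVED = {
    "mail.example.test": {"192.0.2.10"},
    "vpn.example.test": {"192.0.2.20", "192.0.2.21", "203.0.113.7"},
    "portal.example.test": {"203.0.113.8"},
}


@dataclass
class Finding:
    name: str
    expected: set
    observed: set

    def unexpected(self):
        """Addresses seen that are not in the baseline."""
        return self.observed - self.expected

    def missing(self):
        """Baseline addresses no longer returned."""
        return self.expected - self.observed

    @property
    def severity(self):
        if not self.observed:
            return "unresolved"       # name no longer resolves at all
        if not (self.expected & self.observed):
            return "redirected"       # nothing we expected survives
        return "drift"                # partial overlap with baseline


def dict_resolver(table):
    """Resolver backed by a dict, used for the constructed data above."""
    return lambda name: set(table.get(name, set()))


def live_resolver(name):
    """Resolve IPv4 A records through the system resolver (needs network)."""
    try:
        return {info[4][0] for info in
                socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def audit(baseline, resolve):
    """Return one Finding per name whose answers differ from the baseline."""
    findings = []
    for name, expected in sorted(baseline.items()):
        observed = resolve(name)
        if observed != expected:
            findings.append(Finding(name, set(expected), observed))
    return findings


def main(resolve=dict_resolver(OBSERVED)):
    for f in audit(BASELINE, resolve):
        print(f"[{f.severity}] {f.name}: "
              f"unexpected={sorted(f.unexpected())} "
              f"missing={sorted(f.missing())}")


if __name__ == "__main__":
    main()   # pass main(live_resolver) to audit real names
```

A clean run produces no output, which is what makes the script suitable for a weekly scheduled job: any line it prints is a record that no longer matches the approved baseline and should be explained before the baseline is updated. Resolving through a resolver outside your own network as well as inside it helps catch a hijack that is only visible to external users.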
THINGS TO KNOW
How prevalent is the threat?
The scale of this attack has escalated in the past 48 hours, and it has been executed successfully against ISPs, telecommunications providers and government agencies across North America, Africa, the Middle East and Europe.
What is the real risk?
All critical infrastructure sectors are at risk and could be targeted by this attack. There is also a risk that the TTPs associated with this attack will become widely known and widely employed.
What if you become a victim?
1. You may wish to consider activating an air-gap protocol or blocking DNS-based traffic.
2. Activate your IR team.
3. Institute forensic analysis.
4. Notify the FBI, DHS, FDA and Sensato immediately.
What is the impact to humans and operations?
The attacker’s ability to manipulate data while operating from outside the organization’s network is cause for concern. This attack can be executed silently for long periods of time without the defender becoming aware of the compromise.
Where can you get further details or assistance?
The Sensato-CTOC can provide further details as they become available. Please contact your Sensato primary point of contact if you require any assistance or have questions. You can also reach out to Sensato at firstname.lastname@example.org.