Tech It's a jungle out there. Check your DNS servers and records now. - GoFuckYourself.com

AdultKing · 01-24-2019, 02:36 AM

As if we don't all have enough to deal with, for those of you with lots of domains, sites and servers this is going to be a bit of a nightmare to check and remediate if compromised.

Early in January this year some security researchers started noticing a spate of DNS hijacks and tampering at unprecedented scale. Then about a week or so ago FireEye and Cisco released advisories on the attacks.

Now the US Government has issued an Emergency Directive to departments to fix this issue. However this doesn't just affect governments it affects everything.

https://www.fireeye.com/blog/threat-...-at-scale.html

Here's the FireEye recommendations for mitigation.

1. Implement multi-factor authentication on your domain’s administration portal.
2. Validate A and NS record changes.
3. Search for SSL certificates related to your domain and revoke any malicious certificates.
4. Validate the source IPs in OWA/Exchange logs.
5. Conduct an internal investigation to assess if attackers gained access to your environment.

Links:

FireEye: https://www.fireeye.com/blog/threat-...-at-scale.html

US Govt: https://cyber.dhs.gov/ed/19-01/

Nation State actors started the malicious activity but now it's out in the open the activity can be replicated by competitors, other bad actors or governments.

Check your domains, DNS and certificates, especially if you've been using LetsEncrypt and free Comodo certificates.

01-24-2019, 02:36 AM	#1
AdultKing Raise Your Weapon Industry Role: Join Date: Jun 2003 Location: Outback Australia Posts: 15,601	It's a jungle out there. Check your DNS servers and records now. As if we don't all have enough to deal with, for those of you with lots of domains, sites and servers this is going to be a bit of a nightmare to check and remediate if compromised. Early in January this year some security researchers started noticing a spate of DNS hijacks and tampering at unprecedented scale. Then about a week or so ago FireEye and Cisco released advisories on the attacks. Now the US Government has issued an Emergency Directive to departments to fix this issue. However this doesn't just affect governments it affects everything. https://www.fireeye.com/blog/threat-...-at-scale.html Here's the FireEye recommendations for mitigation. 1. Implement multi-factor authentication on your domain’s administration portal. 2. Validate A and NS record changes. 3. Search for SSL certificates related to your domain and revoke any malicious certificates. 4. Validate the source IPs in OWA/Exchange logs. 5. Conduct an internal investigation to assess if attackers gained access to your environment. Links: FireEye: https://www.fireeye.com/blog/threat-...-at-scale.html US Govt: https://cyber.dhs.gov/ed/19-01/ Nation State actors started the malicious activity but now it's out in the open the activity can be replicated by competitors, other bad actors or governments. Check your domains, DNS and certificates, especially if you've been using LetsEncrypt and free Comodo certificates.