Security researchers have discovered a new class of DNS vulnerabilities affecting a major DNS Service (DNSaaS) provider that allows attackers to gain access to confidential information on corporate networks.
DNSaaS providers (also known as managed DNS providers) provide DNS rental services to other organizations that do not want to independently manage and secure their other network assets. As revealed at the Black Hat security conference, according to Wiz researchers Shir Tamari and Ami Luttwak at cloud security firm, these DNS flaws provide threat actors with the ability to gather national intelligence in a simple domain registration.
From domain name registration to brute force eavesdropping of traffic:
As they described, the exploitation process is very simple. You registered a domain and used it to hijack your DNSaaS provider’s name servers (in this case Amazon Route 53), enabling eavesdropping. Dynamic DNS traffic streaming from Route53 customer’s network.
“We’ve found a simple loophole that allows us to intercept some of the world’s dynamic DNS traffic through managed DNS providers like Amazon and Google,” Wiz researchers said.
Eavesdropping dynamic DNS traffic on was from over 15,000 organizations, including Fortune 500 companies 45 US government agencies 85 international government agencies.” from very sensitive details of an organization’s infrastructure, including network devices exposed to the Internet. For researchers used network traffic received from 40,000 corporate endpoints to map the location of one of the world’s largest service companies’ offices.
The information gathered in this way provides a “bird’s-eye view of what happens within businesses and governments” and “national-level information,” making it easier for threat actors to compromise an organization’s network. You can do it. Intelligence research found no evidence that the DNS vulnerabilities they discovered had previously been exploited in the wild, but as they explain, knowledge of the problem and the technology to exploit it One person said, “We have collected data that has not been detected for more than 10 years.” At Black Hat “The impact is the bar. In the registration of the three name servers of the six major DNSaaS providers we investigated. It was vulnerable. ” All cloud providers, domain registrars and website hosts that offer DNSaaS are vulnerable.
Fixed by some and annoying other users What makes the situation of worse two major DNS providers (Google and Amazon) have already fixed such DNS bugs However, other providers are still vulnerable and expose millions of devices to attack.
Moreover, it’s not clear who has to fix important DNS bugs. Windows endpoints are on the internal network. A dynamic DNS algorithm could be tuned to allow traffic to be leaked to a malicious DNS server, and Microsoft has already said Wiz this is not a vulnerability.
As Microsoft explained, this flaw is “a known misconfiguration that occurs when an organization uses an external DNS resolver.”
Redmond advises internal and external hosts to use different DNS names and regions to avoid DNS conflicts and network issues, and details on how to properly configure DNS dynamic updates on Windows. Provides a manual about.
The managed DNS provider correctly passes the RFC “Reserved Name” specification, confirms ownership, confirms the domain and issues name server hijacking before allowing customers to register. Can be resolved. Companies that rent DNS servers can also modify the Start of Authority (SOA) record to block internal network traffic that is leaking through dynamic DNS updates.
