Researchers discovered a new category of DNS vulnerabilities hitting major DNS-as-a-Service (DNSaaS) providers, which may enable attackers to get access to sensitive data of company networks.
DNSaaS providers (also referred to as managed DNS providers) rent DNS to other businesses who don’t want to maintain and protect yet additional network resources on their own.
These DNS vulnerabilities, as disclosed by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak at the Black Hat security conference, grant threat actors nation-state intelligence harvesting powers with simple domain registration.
As per the description, they simply created a domain and utilized it to hijack a DNSaaS provider’s nameserver (in this instance, Amazon Route 53), permitting them to eavesdrop on dynamic DNS traffic streaming from Route 53 users’ networks.
The Wiz researchers stated, “We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google,”
“The dynamic DNS traffic we ‘wiretapped’ came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies.”
Employee/computer identities and locations and extremely sensitive data about organizations’ infrastructure, such as Internet-exposed network equipment, were among the data they acquired this way.
In one instance, the researchers used network data from 40,000 corporate endpoints to trace the office locations of one of the world’s major services companies.
The information gathered in this manner would make it much simpler for threat actors to compromise an organization’s network since it would offer them a bird’s eye perspective of what’s going on within corporations and governments and provide them with “nation-state level surveillance capacity.”
The researchers haven’t found any indication that the DNS flaw they identified has ever been exploited in the open, but they do warn that anybody with the expertise of the vulnerabilities and the abilities to exploit it might have gathered data undiscovered for over a decade.
“The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable,” they added at Black Hat.
Patched by some, likely to affect others:
Although two significant DNS providers (Google and Amazon) have already patched these DNS vulnerabilities, others are still likely prone, potentially exposing millions of devices to attacks.
Moreover, it is unclear who is responsible for fixing this serious DNS flaw. Microsoft has previously informed Wiz that this is not a vulnerability since it could alter the dynamic DNS mechanism that permits Windows endpoints to leak internal network traffic to rogue DNS servers.
Microsoft explained, this flaw as “a known misconfiguration that occurs when an organization works with external DNS resolvers.”
To minimize DNS conflicts and network difficulties, Redmond recommends utilizing distinct DNS names and zones for internal and external hosts and provides extensive guidance on how to correctly handle DNS dynamic updates in Windows.
Maintained DNS providers can mitigate nameserver hijacking by adhering to the RFC’s “reserved names” specification and checking and confirming domain ownership and validity before enabling their customers to register them.
Companies renting DNS servers can also modify the default Start-of-Authority (SOA) record to stop internal network traffic from leaking via dynamic DNS updates.