  • Bugs in Managed DNS Services Cloud Let Attackers Spy On DNS Traffic

    aum

    • 432 views
    • 2 minutes

    Cybersecurity researchers have disclosed a new class of vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to exfiltrate sensitive information from corporate networks.

    "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," researchers Shir Tamari and Ami Luttwak from infrastructure security firm Wiz said.

    Calling it a "bottomless well of valuable intel," the treasure trove of information contains internal and external IP addresses, computer names, employee names and locations, and details about organizations' web domains. The findings were presented at the Black Hat USA 2021 security conference last week.

    "The traffic that leaked to us from internal network traffic provides malicious actors all the intel they would ever need to launch a successful attack," the researchers added. "More than that, it gives anyone a bird's eye view on what's happening inside companies and governments. We liken this to having nation-state level spying capability – and getting it was as easy as registering a domain."

    The exploitation process hinges on registering a domain on Amazon's Route53 DNS service (or Google Cloud DNS) with the same name as one of the provider's own DNS name servers, the servers that translate (resolve) domain names and hostnames into their corresponding Internet Protocol (IP) addresses. A tenant-owned hosted zone whose name collides with the provider's name server effectively breaks the isolation between tenants, and with it the access to valuable information.

    In other words, by creating a new hosted zone on Route53 with the same name as an AWS name server and pointing it at a server they controlled, the researchers caused the dynamic DNS traffic from Route53 customers' endpoints (the updates endpoints send to register their hostname and IP address with their domain's name server) to be hijacked and delivered straight to the rogue, same-named server, creating an easy pathway to mapping corporate networks.

    "The dynamic DNS traffic we wiretapped came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies," the researchers said. "The data included a wealth of valuable intel like internal and external IP addresses, computer names, employee names, and office locations."

    While Amazon and Google have since patched the issues, the Wiz research team has also released a tool to let companies test if their internal DDNS updates are being leaked to DNS providers or malicious actors.
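    The same-name hosted-zone hijack described above and the leak check mentioned in the last paragraph, as an added Python model; it is not the Wiz tool, the article's code or any provider's code. It assumes a toy multi-tenant authoritative server that answers from the longest matching zone, a simplified dynamic DNS client that sends its update to the address of the zone's primary name server (SOA MNAME), and constructed names and addresses (ns-1234.awsdns-12.org, corp.example.com, 198.51.100.1, 203.0.113.10). The reserved-name list is an illustrative mitigation, not a description of what Amazon or Google actually changed, and the provider-marker heuristic in `ddns_leak_risk` is likewise an assumption.

```python
"""Toy model of the same-name hosted-zone hijack and a DDNS leak check.

Added example, not the Wiz tool or any provider's code. The authoritative
server, the client's update-target discovery and all names and addresses
(ns-1234.awsdns-12.org, corp.example.com, 198.51.100.1, 203.0.113.10)
are constructed for illustration.
"""

# Hypothetical heuristic: substrings that mark a name server as belonging
# to a managed DNS provider rather than to the organisation itself.
PROVIDER_NS_MARKERS = ("awsdns-", ".googledomains.com")


class ToyAuthServer:
    """Minimal multi-tenant authoritative server.

    Zones are keyed by apex name and a query is answered from the longest
    matching zone. Without a reserved-name list, a tenant zone named after
    the provider's own name server shadows the provider's answer for it.
    """

    def __init__(self, reserved=()):
        self.zones = {}                 # apex -> {(name, rtype): rdata}
        self.reserved = set(reserved)   # names tenants may not register

    def create_hosted_zone(self, apex, records):
        if apex in self.reserved:
            raise ValueError(f"{apex} is a provider name server name")
        self.zones[apex] = dict(records)

    def _zone_for(self, name):
        best = None
        for apex in self.zones:
            if name == apex or name.endswith("." + apex):
                if best is None or len(apex) > len(best):
                    best = apex
        return best

    def query(self, name, rtype):
        apex = self._zone_for(name)
        return None if apex is None else self.zones[apex].get((name, rtype))


def ddns_update_target(server, fqdn):
    """Simplified model of a dynamic-DNS client: find the zone that holds
    the host's FQDN, read the primary name server (SOA MNAME) and resolve
    it. The update, carrying hostname and IP, goes to that address."""
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        mname = server.query(zone, "SOA")
        if mname:
            return mname, server.query(mname, "A")
    return None, None


def ddns_leak_risk(mname):
    """True when an internal zone's primary name server is at a managed
    provider: every dynamic update from that zone leaves the network."""
    return any(marker in mname for marker in PROVIDER_NS_MARKERS)


def simulate_hijack(reserved=()):
    """Returns the update target before and after a tenant registers a zone
    named after the provider's name server (None if the server refused)."""
    srv = ToyAuthServer(reserved)
    # Provider's own zone publishes the real address of its name server.
    srv.create_hosted_zone("awsdns-12.org",
                           {("ns-1234.awsdns-12.org", "A"): "198.51.100.1"})
    # A customer's internal zone delegated to that name server.
    srv.create_hosted_zone("corp.example.com",
                           {("corp.example.com", "SOA"): "ns-1234.awsdns-12.org"})
    before = ddns_update_target(srv, "laptop42.corp.example.com")
    try:
        # Another tenant registers the name server's own name as a zone.
        srv.create_hosted_zone("ns-1234.awsdns-12.org",
                               {("ns-1234.awsdns-12.org", "A"): "203.0.113.10"})
    except ValueError:
        return before, None
    return before, ddns_update_target(srv, "laptop42.corp.example.com")


if __name__ == "__main__":
    before, after = simulate_hijack()
    print("before:", before)   # real provider name server address
    print("after: ", after)    # same name, tenant-controlled address
    print("hardened:", simulate_hijack(reserved={"ns-1234.awsdns-12.org"}))
    print("leak risk:", ddns_leak_risk(before[0]))
```

    Running it shows the client's update target keeping the name server's name but flipping from the provider's address to the tenant-controlled one once the colliding zone exists, and the hardened server refusing to create that zone at all. `ddns_leak_risk` flags any internal zone whose primary name server sits at a managed provider, which is the condition under which an endpoint's dynamic updates leave the network whether or not anyone hostile is listening; against real infrastructure the equivalent check is the SOA MNAME of each internal zone that endpoints register into.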
