Any DNS provider could be vulnerable to new attack

Wiz.io has uncovered a new class of DNS vulnerabilities affecting multiple DNS-as-a-service (DNSaaS) providers that have been successfully exploited on three major cloud providers.

The company’s head of research, Shir Tamari, and co-founder and CTO Ami Luttwak presented details of the nameserver register hijacking vulnerability at the Black Hat Summit.

According to the researchers, successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers’ corporate networks.

Exposed information includes internal and external IP addresses, computer names and sometimes Windows New Technology LAN Manager (NTLM) and Kerberos tickets.

Out of the six DNS providers examined by the researchers, three were vulnerable to nameserver registration hijacking. But any cloud provider, domain registrar and website host who provides DNSaaS could be vulnerable.

“The number of organisations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received DNS Updated from 992,597 Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies,” Wiz.io said in a threat briefing. This included multiple hits from NSW, Victoria, South Australia and Queensland.

“In some organisations, there were more than 20,000 endpoints that actively leaked their information out of the organisation. Exploiting the weakness is very easy. A single attacker with a single cloud account can get information on thousands of organisations in one step.”

Potential mitigations include modifying an organisation’s default DNS Start of Authority record, which stores important information about a domain or zone such as the email address of the administrator as well as how long a server should wait between refreshes.

Image credit: ©stock.adobe.com/au/Denys Rudyi