Any DNS provider could be vulnerable to new attack

By Dylan Bushell-Embling
Monday, 09 August, 2021

Any DNS provider could be vulnerable to new attack has uncovered a new class of DNS vulnerabilities affecting multiple DNS-as-a-service (DNSaaS) providers that have been successfully exploited on three major cloud providers.

The company’s head of research, Shir Tamari, and co-founder and CTO Ami Luttwak presented details of the nameserver register hijacking vulnerability at the Black Hat Summit.

According to the researchers, successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers’ corporate networks.

Exposed information includes internal and external IP addresses, computer names and sometimes Windows New Technology LAN Manager (NTLM) and Kerberos tickets.

Out of the six DNS providers examined by the researchers, three were vulnerable to nameserver registration hijacking. But any cloud provider, domain registrar and website host who provides DNSaaS could be vulnerable.

“The number of organisations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received DNS Updated from 992,597 Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies,” said in a threat briefing. This included multiple hits from NSW, Victoria, South Australia and Queensland.

“In some organisations, there were more than 20,000 endpoints that actively leaked their information out of the organisation. Exploiting the weakness is very easy. A single attacker with a single cloud account can get information on thousands of organisations in one step.”

Potential mitigations include modifying an organisation’s default DNS Start of Authority record, which stores important information about a domain or zone such as the email address of the administrator as well as how long a server should wait between refreshes.

Image credit: © Rudyi

Related News

Lack of leadership buy-in biggest obstacle to digital trust: report

A new report from ISACA says that many organisations say that in five years digital trust will be...

Lack of customer confidence affecting security strategies: report

A survey from LogRhythm finds three-quarters of ANZ companies changed their security strategy...

IMT sector was Australia's most targeted in 2023: report

The information, media and technology sector has been the Australian industry most targeted...

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd