


At today’s Black Hat security conference, two security researchers disclosed a class of security issues affecting hosted DNS service providers. The flaw can be exploited to hijack a node on the platform, intercept some of the incoming DNS traffic, and map a customer’s internal network.

Discovered by Shir Tamari and Ami Luttwak of cloud security firm Wiz, the vulnerability highlights how much sensitive information managed DNS platforms collect and how attractive they are as targets for cyber espionage and intelligence gathering.

How the vulnerability arises

These companies, also known as DNS-as-a-Service providers, effectively rent DNS servers to corporate entities. Running your own DNS name server is not difficult, but services such as AWS Route53 and Google Cloud Platform let enterprises offload the management of their DNS server infrastructure to a third party in exchange for better uptime and top-notch security.

Companies that sign up with a managed DNS provider typically need to onboard their internal domain names to the service provider. This usually means logging into the provider’s backend portal and adding company.com and other domains to one of the provider’s name servers (e.g. ns-1611.awsdns-09.co.uk).

Once this is done, when a company employee connects to an intranet app or an internet website, their computer queries the third-party DNS server for the IP address it needs to connect to.

The Wiz team discovered that some managed DNS providers did not blacklist their own DNS servers’ hostnames within the backend.

In an interview last week, the Wiz researchers told The Record that they could add the managed DNS provider’s name server itself (e.g. ns-1611.awsdns-09.co.uk) as a domain inside the backend and point it to their own internal network.

This allowed the Wiz team to hijack DNS traffic that reached the hijacked managed DNS provider’s server. However, the Wiz team said it did not receive all DNS traffic through that server, only dynamic DNS updates.

These are special DNS messages that a workstation sends to its DNS server when its IP address or other details of the internal network change.


Although the Wiz team was unable to sniff enterprises’ real-time DNS traffic, it said the dynamic DNS updates could be used to build a map of the enterprises using the same managed DNS server, as well as an internal map of each of those enterprises’ networks.

Intelligence Gold Mine

This data looked harmless, but it wasn’t.

Tamari and Luttwak said they were able to collect dynamic DNS updates from more than 15,000 organizations, including more than 130 government agencies and many Fortune 500 companies, during the 14 hours of testing.

The data also included internal and external IP addresses for each system, computer names, and in some cases employee names.

The two described the data they collected as an intelligence gold mine.

The two researchers told The Record that the data could be used in a variety of ways. It can be used to identify the internal structure of a high-value enterprise, identify a domain controller, and launch cyber attacks with far greater accuracy than the usual spray-and-pray approach.

For example, the research team was able to identify corporate systems running on NAT-protected IPv4 addresses, as well as systems with IPv6 addresses that are always online and, due to the nature of IPv6, exposed to non-stop direct attacks.

In addition, the data can be used for purposes beyond cybersecurity. Intelligence agencies could use it to cross-correlate connections between businesses and government agencies in order to identify government contractors.

In addition, the Wiz team said that after plotting the collected data on a map, it was possible to identify companies operating in sanctioned countries such as Iran and Cote d’Ivoire, in violation of OFAC regulations.

Amazon and Google release updates

The Wiz team said it found three DNS-as-a-Service providers vulnerable to this issue. Two of them, Amazon and Google, have released updates, and the third is still patching.

In an email this week, Amazon and Google spokespersons told The Record that they had fixed the attack vector discovered by Wiz by blocking the registration of their own domain names within the backend.
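As an added illustration (not Wiz’s research code or any provider’s actual implementation), this is the kind of onboarding check a DNS-as-a-Service backend can apply so that a customer cannot register a zone that equals or covers one of the provider’s own name server hostnames. The name server list is a constructed placeholder that reuses the one hostname quoted in the article; matching is done label by label, so look-alike names that merely contain a provider hostname as a substring are not blocked by mistake.

```python
# Constructed placeholder inventory of the provider's own name server
# hostnames (not a real list); the first entry is the one named in the article.
PROVIDER_NAMESERVERS = [
    "ns-1611.awsdns-09.co.uk",
    "ns-1.example-dns.net",
]


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, strip the trailing dot, split into labels."""
    return [lab for lab in name.strip().lower().rstrip(".").split(".") if lab]


def is_ancestor_or_equal(zone: str, host: str) -> bool:
    """True if `zone` is the same name as `host` or a parent zone of it.

    Comparison is on whole labels (not substrings), so "awsdns-09.co.uk"
    covers "ns-1611.awsdns-09.co.uk" but "9.co.uk" does not.
    """
    z, h = _labels(zone), _labels(host)
    if not z:
        return False
    return len(z) <= len(h) and h[len(h) - len(z):] == z


def zone_registration_allowed(zone: str, nameservers=PROVIDER_NAMESERVERS) -> tuple[bool, str]:
    """Decide whether a customer may onboard `zone`; returns (allowed, reason).

    Refuses any zone that equals or is a parent of a provider name server
    hostname (the gap described in the article), and, as a conservative extra,
    any zone that sits underneath one of those hostnames.
    """
    if not _labels(zone):
        return False, "empty zone name"
    for ns in nameservers:
        if is_ancestor_or_equal(zone, ns):
            return False, f"{zone} equals or covers provider name server {ns}"
        if is_ancestor_or_equal(ns, zone):
            return False, f"{zone} is under provider name server {ns}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["company.com", "NS-1611.awsdns-09.co.uk.", "awsdns-09.co.uk"]:
        print(candidate, "->", zone_registration_allowed(candidate))
```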

The Record also asked the two companies whether they had investigated past incidents in which someone might have exploited this bug to collect data about their customers. An Amazon spokesperson did not answer this particular question, but Google said there was “no evidence of malicious abuse of [their] platform.”

In addition, the Wiz team said it believes about 12 more DNS-as-a-Service providers are likely to be vulnerable to similar attacks.

However, according to the Wiz team, the problem here is not just that providers forgot to blacklist the registration of their own DNS server hostnames within their own backends.

The deeper problem is why dynamic DNS updates are reaching the Internet in the first place, instead of being confined to the local network.

Here, the researchers blamed a default option in Microsoft Windows servers that allows this type of DNS traffic to leave the local network and reach the Internet.

A Microsoft spokeswoman, asked for comment, recommended that companies follow the guide below to prevent dynamic DNS updates from reaching the Internet.

Catalin Cimpanu is The Record’s cybersecurity reporter. He previously worked for ZDNet and Bleeping Computer. He has become known in the industry for his constant reporting on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Source: https://therecord.media/amazon-and-google-patch-major-bug-in-their-dns-as-a-service-platforms/

