Cybersecurity researchers have disclosed a new class of vulnerabilities affecting leading DNS-as-a-Service (DNSaaS) providers that could allow attackers to harvest sensitive information from corporate networks.
“We found a simple flaw that allowed us to intercept some of the global dynamic DNS traffic passing through managed DNS providers like Amazon and Google,” said researchers Shir Tamari and Ami Luttwak of the infrastructure security firm Wiz.
The trove, which the researchers call a “bottomless pit of valuable information,” includes internal and external IP addresses, computer names, employee names and office locations, as well as details about the organizations’ web domains. The findings were presented at the Black Hat USA 2021 security conference last week.
“The traffic leaked to us from internal network traffic provides malicious actors with all the information they would need to launch a successful attack,” the researchers added. “More than that, it gives anyone the big picture of what’s going on in business and government. We liken it to a nation-state-level spy capability – and getting it was as easy as registering a domain.”
The technique relies on registering a hosted zone on Amazon’s Route 53 DNS service (or Google Cloud DNS) whose name is identical to that of one of the provider’s own DNS name servers, the hosts that resolve domain names and host names to their corresponding Internet Protocol (IP) addresses. Because the provider’s name server then answers queries for its own name from the attacker’s zone, this effectively breaks the isolation between tenants and exposes valuable information.
In other words, by creating a new hosted zone on Route 53 with the same name as the AWS name server that serves it and pointing that zone’s address record at a server they control, the researchers caused dynamic DNS update traffic from endpoints belonging to other Route 53 customers to be sent to their rogue server of the same name instead of the legitimate one, an easy route to mapping corporate networks.
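To make the tenant-isolation failure concrete, the following is an added example, not Wiz’s code and not any provider’s implementation. It models a toy authoritative name server shared by several tenants and a Windows-style dynamic DNS client that looks up the SOA of its own domain, resolves the primary name server named there, and sends its update to the resulting address. The server name ns-1.dns-provider.example, the tenant zone corp.example and all IP addresses are hypothetical, and the hardened variant (refusing to host a zone whose name is the server’s own hostname) is one plausible mitigation, not a description of how Amazon or Google actually fixed the issue.

```python
"""Toy model of the DNSaaS tenant-isolation flaw: a hosted zone named after
the provider's own name server shadows that server's real address.
All names and addresses below are hypothetical (constructed for the example).
"""

from dataclasses import dataclass, field

# Hypothetical provider name server and its legitimate address.
PROVIDER_NS = "ns-1.dns-provider.example"
PROVIDER_NS_IP = "198.51.100.53"
ATTACKER_IP = "203.0.113.66"


@dataclass
class HostedZone:
    name: str
    owner: str
    records: dict = field(default_factory=dict)  # (qname, qtype) -> value


class AuthoritativeServer:
    """Authoritative name server shared by many tenants."""

    def __init__(self, hostname, ip, reserve_own_name):
        self.hostname = hostname
        self.ip = ip
        self.reserve_own_name = reserve_own_name  # hardened if True
        self.zones = {}

    def create_zone(self, name, owner):
        # Hardened variant: refuse to host a zone for the server's own name,
        # so no tenant can shadow the provider's infrastructure.
        if self.reserve_own_name and name.lower() == self.hostname.lower():
            raise PermissionError(f"{name} is reserved by the provider")
        zone = HostedZone(name, owner)
        self.zones[name] = zone
        return zone

    def _zone_for(self, qname):
        # Longest-suffix match, as a real authoritative server does.
        labels = qname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return self.zones[candidate]
        return None

    def query(self, qname, qtype):
        zone = self._zone_for(qname)
        if zone is not None and (qname, qtype) in zone.records:
            # A tenant zone matching the server's own name is consulted first.
            return zone.records[(qname, qtype)]
        # Built-in answer for the server's own address, reached only when no
        # tenant zone shadows it.
        if qname == self.hostname and qtype == "A":
            return self.ip
        return None


def ddns_update_target(server, client_domain):
    """Address a dynamic-DNS client for client_domain would send its update to."""
    soa = server.query(client_domain, "SOA")
    if soa is None:
        return None
    primary_ns = soa["mname"]          # step 2: name of the primary server
    return server.query(primary_ns, "A")  # step 3: resolve it, then send


def build_scenario(hardened):
    """Victim tenant hosts corp.example; attacker tries to host the NS's own name."""
    srv = AuthoritativeServer(PROVIDER_NS, PROVIDER_NS_IP, reserve_own_name=hardened)
    victim = srv.create_zone("corp.example", owner="victim-tenant")
    victim.records[("corp.example", "SOA")] = {"mname": PROVIDER_NS}
    try:
        rogue = srv.create_zone(PROVIDER_NS, owner="attacker-tenant")
        rogue.records[(PROVIDER_NS, "A")] = ATTACKER_IP  # "point it at our server"
    except PermissionError:
        pass  # hardened server rejected the rogue zone
    return srv


def demo():
    """Compare where the victim's DDNS updates land with and without the fix."""
    return {
        "vulnerable": ddns_update_target(build_scenario(hardened=False), "corp.example"),
        "hardened": ddns_update_target(build_scenario(hardened=True), "corp.example"),
    }


if __name__ == "__main__":
    for variant, target in demo().items():
        print(f"{variant}: corp.example DDNS updates go to {target}")
```

In the vulnerable configuration the victim’s updates, which carry the hostnames and internal addresses described above, are delivered to the attacker’s address; with the reserved-name check in place they reach the provider’s real name server. The model deliberately omits the rest of the resolution path (the client’s recursive resolver and the parent zone’s glue records) to isolate the one decision that matters here: whether the authoritative server answers for its own name from a tenant zone.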
“The dynamic DNS traffic that we wiretapped came from more than 15,000 organizations, including Fortune 500 companies, 45 US government agencies, and 85 international government agencies,” the researchers said. “The data included a wealth of valuable information such as internal and external IP addresses, computer names, employee names and office locations.”
While Amazon and Google have since fixed the issues, Wiz’s research team has also released a tool that lets companies test whether their internal dynamic DNS (DDNS) updates are leaking to DNS providers or to malicious actors.