Researchers find vulnerabilities impacting DNSaaS providers
Cybersecurity researchers identified a new category of vulnerabilities responsible for impacting major DNS-as-a-Service (DNSaaS) providers. Successful exploitation would enable the attacker to exfiltrate critical information from networks of corporations.
Specialists from Wiz, Shir Tamari and Ami Luttwak, stated that a simple loophole allowed them to interrupt a part of the DNS traffic going through managed DNS providers. They presented the attributes at the Black Hat USA 2021 security conference stating that they “wiretapped” the network traffic of as many as 15,000 organizations, which include Fortune 500 companies and government entities, along with a huge number of devices. They state it to be containing computer names, employee ids and locations, and complete details about organizations’ web domains which involve entry points exposed to the internet.
They also said that they have no information regarding the loophole being exploited. They further added that the traffic that leaked to them is a clear roadway for attackers to conduct an attack. What is more threatening is that it gives anyone a complete insight into the happenings that take place in companies and governments. So, all in all, they deem it to have nation-state level spying capability.
The process of exploitation is based on the fact that registering a domain on Amazon’s Route53 DNS service, where the name is the same as the DNS name server, provides the translation of domain names and hostnames in (IP) addresses. This leads to a case where the isolation between the tenants break, and valuable information can easily be accessed.
The researchers from Wiz claim that they are unaware if this issue is still an active threat vector. The major DNS providers Amazon and Google have fixed it, but there are others that might be vulnerable up till now, resulting in millions of devices still being at a threat. So the research team has also devised a tool for companies to test if their internal DDNS updates are being leaked to any attackers.