Cybersecurity researchers discovered new flaws that can be exploited to gain access to sensitive information

Aug 14, 2021 05:40 GMT

A new class of vulnerabilities affecting major DNS-as-a-Service (DNSaaS) providers can be used by hackers to get access to sensitive information from corporate networks, according to The Hacker News.

Ami Luttwak and Shir Tamari, both of the infrastructure security firm Wiz, announced that they had discovered a simple loophole that allows the interception of a portion of the dynamic DNS traffic routed through managed DNS providers such as Google and Amazon. They further explained that the exposed traffic provides threat actors with all the information they need to mount a successful attack.

What is disturbing is that this gives anyone the ability to see what is going on inside companies and government organizations. In a way, it is comparable to nation-state-level spying capabilities, and obtaining it was as easy as registering a domain name.

The researchers said, "The dynamic DNS traffic we wiretapped came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies," adding that "the data included a wealth of valuable intel like internal and external IP addresses, computer names, employee names, and office locations".

Threat actors can simply exploit the flaws to gain access to critical corporate data

Registering a domain on Google Cloud DNS or Amazon Route53 under the same name as the provider's DNS name server (the resolution service) creates a scenario that effectively removes tenant isolation and allows access to valuable information. If an organization configures a new domain on the Route53 platform using the AWS name server and, in the hosted zone, associates the new domain with its internal network, the dynamic DNS traffic from all company endpoints becomes accessible to the fraudulent server with the same name.

Luckily, the vulnerabilities have been patched, and the Wiz Research team has developed a tool for identifying DNS leaks. In a nutshell, the utility tests whether unauthorized internal DDNS updates are being leaked to DNS providers or malicious actors.
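One way to check for the same kind of leak in your own egress captures, as an added example (this is not the Wiz tool and not code from the article): it flags DNS dynamic update requests (opcode 5) whose destination lies outside the internal network. The function names, the RFC 1918 definition of "internal" and the sample packets are assumptions made for illustration.

```python
import ipaddress
import struct
# Assumption: DNS servers allowed to take updates live in RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OPCODE_UPDATE = 5  # dynamic update opcode, RFC 2136

def read_name(msg, off):
    """Decode the uncompressed DNS name at msg[off:] into dotted form."""
    labels = []
    while True:
        length = msg[off]  # IndexError if the message is truncated
        off += 1
        if length == 0:
            return ".".join(labels) or "."
        if length & 0xC0 or off + length > len(msg):
            raise ValueError("malformed name in zone section")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def leaked_update(dst_ip, payload):
    """Return the zone of a DNS UPDATE request sent outside INTERNAL_NETS, else None."""
    if len(payload) < 12:
        return None
    flags, zocount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or ((flags >> 11) & 0xF) != OPCODE_UPDATE or zocount != 1:
        return None  # a response, or not a dynamic update
    if any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS):
        return None  # update stayed on the internal network
    try:
        return read_name(payload, 12)
    except (ValueError, IndexError):
        return "<unparseable zone>"  # still worth flagging

def build_msg(zone, opcode=OPCODE_UPDATE):
    """Constructed sample: DNS header plus one zone/question entry, no records."""
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 6, 1)  # type SOA, class IN

def scan(packets):
    """Return (dst_ip, zone) for each leaked update among (dst_ip, payload) pairs."""
    return [(dst, z) for dst, p in packets if (z := leaked_update(dst, p))]

# Constructed (destination IP, UDP payload) pairs for illustration.
SAMPLES = [
    ("10.1.2.3", build_msg("corp.example")),                # internal server: expected
    ("203.0.113.53", build_msg("corp.example")),            # external server: leak
    ("203.0.113.53", build_msg("corp.example", opcode=0)),  # ordinary query: ignored
]
```

Calling `scan(SAMPLES)` returns only the update sent to the external address; in practice the pairs would come from UDP port 53 payloads in a packet capture or sensor feed.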