Security News > 2023 > December > Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets
A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers.
While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks called DDSpoof - short for DHCP DNS Spoof.
Organizations can create DNS record using a DHCP feature called DHCP DNS Dynamic Updates.
"Whenever a client is given an IP address by the DHCP server, the latter can contact the DNS server and update the client's DNS record," Akamai's Ori David explained.
DHCP DNS Dynamic Updates does not require any authentication by the DHCP client, and Microsoft DHCP servers enable DHCP DNS Dynamic Updates by default.
In addition to creating non-existent DNS records, unauthenticated attackers can also use the DHCP server to overwrite existing data, including DNS records inside the ADI zone in instances where the DHCP server is installed on a domain controller, which David says is the case in 57 percent of the networks Akamai monitors.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/07/attacks_abuse_microsoft_dhcp/
Related news
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- Microsoft issues 117 patches – some for flaws already under attack (source)
- Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks (source)
- Microsoft: Ransomware Attacks Growing More Dangerous, Complex (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Cybercriminals hijack DNS to build stealth attack networks (source)