Security News
Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined for legitimate websites to a server under their control. From Kaminsky Attack to SAD DNS. DNS cache poisoning, also called DNS spoofing, is a technique in which corrupt data is introduced into a DNS resolver's cache, so that DNS queries return an incorrect response for a trusted domain and users are directed to malicious websites.
DNS attacks are nothing new, and they tend to fall further down the list of threat concerns. DNS attacks appear to be on a gradual upward trajectory.
Users worldwide are reporting that they are unable to access Facebook, Instagram, and WhatsApp, instead seeing errors that the sites can't be reached. When attempting to open any of the three sites, they are given DNS_PROBE_FINISHED_NXDOMAIN errors and advised to check if there is a typo in the domain entered in the address bar.
To prevent devices from being used as attack vectors, IoT protection must start with DNS as soon as a device is connected to the network: using Domain Name System infrastructure and DNS security capabilities to protect data and ensure IoT devices are only allowed access to relevant services. Whilst IoT devices will always have security vulnerabilities, by incorporating a secure approach which makes use of DNS technology, businesses and service providers can be confident they are best protecting their data and access to their IT infrastructure.
"We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google. Essentially, we 'wiretapped' the internal network traffic of 15,000 organizations and millions of devices," Wiz wrote in a technical breakdown of the bug. Luttwak calls what he found a "loophole" within the process used to handle the now obsolete dynamic DNS within modern DNS server configurations.
"We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," researchers Shir Tamari and Ami Luttwak from infrastructure security firm Wiz said. The exploitation process hinges on registering a domain on Amazon's Route53 DNS service with the same name as the DNS name server - which provides the translation of domain names and hostnames into their corresponding Internet Protocol addresses - resulting in a scenario that effectively breaks the isolation between tenants, thus allowing valuable information to be accessed.
This undocumented spying option was also available at Google Cloud DNS and at least one other DNS-as-a-service provider. In a presentation earlier this week at the Black Hat USA 2021 security conference in Las Vegas, Nevada, Shir Tamari and Ami Luttwak from security firm Wiz described how they found a DNS name server hijacking flaw that allowed them to spy on the dynamic DNS traffic of other customers.
A new domain name system attack method that involves registering a domain with a specific name can be leveraged for what researchers described as "nation-state level spying." The attack method was identified by researchers at cloud infrastructure security company Wiz while conducting an analysis of Amazon Route 53, a cloud DNS web service offered to AWS users.
Security researchers found a new class of DNS vulnerabilities impacting major DNS-as-a-Service providers that could allow attackers to access sensitive information from corporate networks. "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," the Wiz researchers said.