Threat Bulletin: Vulnerable Vendor DNS

Protecting Online Ecosystems: Supply Chain Attacks

As of the time of writing, based on observables of external, public-facing online assets, Cyberpion has identified multiple registered domains that are vulnerable due to their relationship with a vendor. The vendor no longer controls all the IP addresses associated with its DNS name server(s). If control of these IP addresses falls into the wrong hands, a threat actor would be able to hijack any services, mail servers, and applications that rely on this DNS server.

As part of our ethical disclosure program, Cyberpion is attempting to notify the vendor and organizations where we have detected this issue.

The Vulnerability

The hijacking of a vendor’s DNS server allows threat actors to fully control the domains of all the vendor’s customers. Controlling this foundational element of online communications can lead to malicious abuse of services and applications, as well as the interception and origination of critical email communications.

One vendor to the financial sector provides services to multiple enterprises that require the creation and management of domains on the customer's behalf.

Several enterprise customers of this single vendor have lost control of a portion of their critical assets.

DNS tells the world about the organization's assets, including IP addresses and mail servers, and defines its trust relationships and settings. Almost every online communication starts with a DNS query to obtain the identity or the IP address of the other side.

DNS servers (nameservers) are used in a hierarchical way. When registering a domain, the owner of the domain chooses the nameservers that will be responsible for the domain. It is possible to manage a subdomain, and its own subdomains, on different nameservers by specifying different nameservers for that subdomain (zone delegation).

As a fundamental building block, controlling the DNS server allows full control of the domain. By specifying an MX record, it is possible to send and read the domain's email. By changing an A record, it is possible to take over applications and services. It is also possible to issue valid certificates for the domain and to prevent others from doing so, by abusing DNS-based protection mechanisms (CAA records). By controlling the DNS or the domain, attackers also take ownership of the domain in the context of external solutions, e.g., Google Search.
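The delegation chain described above is something a defender can audit directly: the registry says which nameservers a domain trusts, each nameserver hostname resolves to one or more IP addresses, and the vendor should still control every one of those addresses. The following is an added example, not Cyberpion's tooling or the vendor's code. It runs over constructed sample data (placeholder domains, RFC 5737 documentation addresses, and an assumed vendor IP inventory) standing in for live NS and A lookups, and flags two failure modes from the bulletin: a nameserver address that has drifted outside the vendor's address space, and a nameserver hostname that no longer resolves at all.

```python
"""Delegation audit for domains whose nameservers are operated by a vendor.

Added example with constructed data; it is not the bulletin's or the vendor's
code. For each domain, every delegated nameserver must resolve, and every
resolved address must lie inside the address space the vendor is known to
control. Anything else is a candidate for nameserver hijack and is reported.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: which nameservers the registry delegates each
# customer domain to (what `dig NS <domain>` would return in a live audit).
DELEGATIONS: Dict[str, List[str]] = {
    "customer-a.example": ["ns1.vendor-dns.example", "ns2.vendor-dns.example"],
    "customer-b.example": ["ns1.vendor-dns.example", "ns3.vendor-dns.example"],
}

# Constructed sample data: what each nameserver hostname currently resolves
# to (what `dig A <nameserver>` would return). ns2 has a second address that
# is no longer in the vendor's space; ns3 does not resolve at all.
NS_ADDRESSES: Dict[str, List[str]] = {
    "ns1.vendor-dns.example": ["192.0.2.10"],
    "ns2.vendor-dns.example": ["192.0.2.11", "198.51.100.7"],
    "ns3.vendor-dns.example": [],
}

# Assumed vendor inventory: the prefixes the vendor still controls. In a real
# audit this comes from the vendor or from the organization's asset records.
VENDOR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Finding:
    domain: str
    nameserver: str
    address: Optional[str]  # None when the nameserver hostname did not resolve
    reason: str


def audit_nameserver(domain: str, nameserver: str, addresses: List[str],
                     prefixes) -> List[Finding]:
    """Check one delegated nameserver of one domain and return its findings."""
    if not addresses:
        # A delegated nameserver that no longer resolves is a dangling
        # delegation: whoever registers or re-points that name answers for
        # the domain.
        return [Finding(domain, nameserver, None,
                        "nameserver hostname does not resolve")]
    findings = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in prefix for prefix in prefixes):
            # The registry still trusts this nameserver, but its address is
            # outside the space the vendor controls, so a third party holding
            # that address can serve answers for the domain.
            findings.append(Finding(domain, nameserver, addr,
                                    "nameserver address outside vendor-controlled space"))
    return findings


def audit_delegations(delegations: Dict[str, List[str]],
                      ns_addresses: Dict[str, List[str]],
                      prefixes) -> List[Finding]:
    """Audit every domain's delegation and collect all findings."""
    findings: List[Finding] = []
    for domain, nameservers in delegations.items():
        for ns in nameservers:
            findings.extend(audit_nameserver(domain, ns,
                                             ns_addresses.get(ns, []), prefixes))
    return findings


def affected_domains(findings: List[Finding]) -> List[str]:
    """Domains that have at least one finding, for notification and triage."""
    return sorted({f.domain for f in findings})


if __name__ == "__main__":
    results = audit_delegations(DELEGATIONS, NS_ADDRESSES, VENDOR_PREFIXES)
    for f in results:
        print(f"{f.domain}: {f.nameserver} ({f.address or 'no address'}) - {f.reason}")
    print("affected domains:", ", ".join(affected_domains(results)))
```

To run this against real assets, replace the two constructed dictionaries with live lookups (for example the output of `dig +short NS <domain>` and `dig +short A <nameserver>`) and replace the assumed prefix list with the vendor's actual address inventory; the audit logic itself does not change. Any finding is a reason to check the delegation at the registrar, which is the mitigation the bulletin recommends.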

Removing / Mitigating the Vulnerability

Cyberpion has applied its Active Protection capability to prevent abuse of this vulnerability for our customers. This capability is currently protecting all affected domains as well.

We recommend that affected organizations contact the registrar of the affected domain(s) to either change the name servers in the registration records or remove the domain altogether.

The following video provides a brief explanation of the steps to take in order to mitigate this vulnerability within your own online ecosystem.
