https://krebsonsecurity.com/2024/08/local-networks-go-global-when-domain-names-collide
A major security vulnerability has been discovered that exposes the login credentials of a large number of organizations worldwide. The issue stems from a “namespace collision”: internal domain names chosen by companies now clash with domain names that anyone can register on the public internet.
Here’s how it works: Many organizations built their internal networks using domain names in top-level domains (TLDs) that didn’t exist at the time, such as .llc or .cloud. Those TLDs have since been added to the public DNS, so names under them are now freely available for anyone to register.
For instance, a company using “company.llc” for its internal Active Directory (Microsoft’s authentication system) might have assumed it was secure, since the .llc TLD wasn’t available back then. However, now that the new TLDs exist, anyone who registers “company.llc” can potentially intercept employee login credentials or even redirect the login connections themselves.
Researcher Maps the Problem:
Philippe Caturegli, a security consultant, has been investigating the scope of this issue. He scanned the internet for self-signed security certificates that reference domain names in TLDs attractive to businesses. This revealed thousands of potentially vulnerable domains across TLDs such as .ad, .inc, and .cloud.
Real-World Example:
Caturegli purchased the domain “memrtcc.ad” after discovering it was being used by the Memphis Police Department for internal authentication. This allowed him to intercept a flood of login attempts containing usernames and hashed passwords from police laptops.
Why is this a Problem?
- Widely Used Protocols: Technologies like Active Directory and the Web Proxy Auto-Discovery Protocol (WPAD) were designed for closed, trusted network environments. They are not secure when the domain names they rely on can be registered by an outside party on the public internet.
- Difficult to Fix: Rebuilding Active Directory around a new domain is complex and disruptive, making organizations hesitant to address the issue.
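The mechanism described above (an internal zone such as company.llc whose TLD is now publicly delegated) and the Active Directory and WPAD lookups that leave the network can be detected from DNS query logs. The following is an added example written for this summary, not code from the article or from the researcher; the log format, the resolver addresses, the TLD lists and all sample lines are constructed. It flags AD service-record and WPAD lookups for internal zones that were sent to an external resolver, and rates each by whether the zone's TLD is publicly registrable.

```python
"""Spot Active Directory and WPAD lookups for internal zones that leave the network
and reach public resolvers: the namespace-collision exposure this page describes.
Added example; every address, TLD list and log line below is constructed."""
from dataclasses import dataclass
import re

# Constructed subset of TLDs delegated in the public root; the page names .llc, .cloud, .ad and .inc.
PUBLIC_TLDS = {"com", "net", "org", "llc", "cloud", "ad", "inc", "dev", "app"}
# RFC 2606 reserved names plus .local, none of which can be registered publicly.
NON_ROUTABLE_TLDS = {"local", "localhost", "test", "example", "invalid"}
# Resolvers the organization owns (constructed); anything else is outside the trusted network.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed log format: one query per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


@dataclass
class Finding:
    ts: str
    client: str
    resolver: str
    qname: str
    kind: str       # "ad-srv" or "wpad"
    zone: str       # internal zone the name belongs to
    severity: str   # "high", "medium" or "low"
    answered: bool  # the external resolver returned an answer, not NXDOMAIN
    reason: str


def classify_name(qname):
    """Return (kind, zone) for AD service-record and WPAD names, else (None, None)."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[0] == "wpad" and len(labels) > 2:
        return "wpad", ".".join(labels[1:])
    underscored = [i for i, label in enumerate(labels) if label.startswith("_")]
    if underscored and labels[0] in ("_ldap", "_kerberos", "_gc", "_kpasswd"):
        # The zone is everything after the last underscore label (e.g. past "_msdcs").
        return "ad-srv", ".".join(labels[underscored[-1] + 1:])
    return None, None


def tld_exposure(zone):
    """Map the zone's TLD to a severity and a one-line explanation."""
    tld = zone.rsplit(".", 1)[-1]
    if tld in PUBLIC_TLDS:
        return "high", f".{tld} is publicly delegated: anyone can register {zone}"
    if tld in NON_ROUTABLE_TLDS:
        return "low", f".{tld} is reserved: the leak reveals internal names but cannot be hijacked"
    return "medium", f".{tld} is not delegated today but could be delegated later"


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_leaks(log_lines):
    """Findings for credential-bearing lookups that were answered outside the network."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind, zone = classify_name(rec["qname"])
        if kind is None or rec["resolver"] in INTERNAL_RESOLVERS:
            continue  # not AD/WPAD, or answered by an internal resolver
        severity, reason = tld_exposure(zone)
        findings.append(Finding(rec["ts"], rec["client"], rec["resolver"], rec["qname"],
                                kind, zone, severity, rec["rcode"] == "NOERROR", reason))
    return findings


def exposed_zones(findings):
    """Internal zones whose names an outside party could register and answer for."""
    return sorted({f.zone for f in findings if f.severity == "high"})


# Constructed sample log: two company.llc leaks, one internal lookup, a .local leak,
# an unrelated public lookup, a leak under an undelegated TLD and one unparseable line.
SAMPLE_LOG = [
    "2024-08-12T09:15:02Z client=10.0.5.21 resolver=8.8.8.8 qname=_ldap._tcp.dc._msdcs.company.llc qtype=SRV rcode=NXDOMAIN",
    "2024-08-12T09:15:03Z client=10.0.5.21 resolver=8.8.8.8 qname=wpad.company.llc qtype=A rcode=NOERROR",
    "2024-08-12T09:15:04Z client=10.0.5.22 resolver=10.0.0.53 qname=_ldap._tcp.dc._msdcs.company.llc qtype=SRV rcode=NOERROR",
    "2024-08-12T09:16:10Z client=10.0.7.9 resolver=1.1.1.1 qname=wpad.corp.local qtype=A rcode=NXDOMAIN",
    "2024-08-12T09:16:11Z client=10.0.7.9 resolver=8.8.8.8 qname=www.example.com qtype=A rcode=NOERROR",
    "2024-08-12T09:17:30Z client=10.0.9.4 resolver=9.9.9.9 qname=_kerberos._tcp.corp.lan qtype=SRV rcode=NXDOMAIN",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG):
        flag = " (external DNS already answers!)" if f.answered else ""
        print(f"{f.severity:6} {f.client} -> {f.resolver} {f.qname}: {f.reason}{flag}")
    print("zones someone else could own:", exposed_zones(find_leaks(SAMPLE_LOG)))
```

A WPAD or AD lookup that reaches a public resolver is the signal worth alerting on regardless of the answer; an answer of NOERROR from outside means the colliding name is already registered and serving records, which the `answered` flag surfaces separately.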
The Fallout:
- Credential Theft: Cybercriminals could use namespace collisions to steal login credentials for large-scale attacks, including ransomware.
- Unpatched Vulnerability: This issue has been known for years, but many organizations haven’t prioritized fixing it.
Recommendations:
- Use Reserved Domains: Domain administrators should use “.local” for internal networks, as it cannot be registered or resolved on the public internet.
- Be Vigilant: Companies need to be aware of potential namespace collisions and take steps to mitigate them.
- Consider Alternatives: Explore more secure authentication methods that don’t rely on vulnerable domain names.
This widespread vulnerability highlights the importance of using secure protocols and staying vigilant in today’s ever-evolving cyber threat landscape. Organizations should prioritize addressing this issue to protect their sensitive data and their employees’ credentials.