Understanding Latest DHCP DNS Vulnerabilities and How DHCP Exploits work in Active Directory

A new research focuses on a newly discovered set of attacks against Active Directory (AD) using Microsoft DHCP servers, which could lead to a full AD takeover. This vulnerability is significant because it involves the exploitation of DHCP DNS Dynamic Updates, a process integral to many network configurations. The researchers at Akamai have delved into the technical aspects of these attacks, providing insights into how they can be executed and the potential risks they pose to organizations relying on Active Directory for their network infrastructure.

The vulnerability discovered by Akamai researchers revolves around exploiting DHCP DNS Dynamic Updates in Microsoft Active Directory environments. Here’s a breakdown of how this vulnerability works and its implications:

DHCP DNS Dynamic Updates:

Dynamic Host Configuration Protocol (DHCP) is commonly used in networks to automatically assign IP addresses to devices. In many configurations, DHCP servers are also responsible for dynamically updating DNS records. This is where the vulnerability lies. The exploit targets the process by which DHCP servers update DNS records. In a typical scenario, when a device connects to a network, the DHCP server assigns it an IP address and updates the DNS records accordingly. However, if an attacker can manipulate this update process, they can potentially redirect network traffic or impersonate other devices on the network. Active Directory (AD) is heavily reliant on DNS for its functioning. It uses DNS to locate domain controllers, manage services, and direct user and computer authentication processes. By spoofing DNS records, an attacker could redirect AD processes to malicious servers, intercept sensitive information, or even gain unauthorized access to network resources.The primary risk of this vulnerability is that it allows attackers to perform man-in-the-middle attacks or impersonate legitimate network services. This can lead to data breaches, unauthorized access to sensitive information, and potentially full control over the AD domain. Detecting such attacks can be challenging because the malicious activities may appear as legitimate DNS updates. This makes it crucial for network administrators to monitor DNS records and DHCP logs closely for any unusual activities.

The Akamai blog post outlines several attack techniques exploiting DHCP DNS Dynamic Updates in Active Directory environments:

DHCP DNS Spoofing: Attackers create non-existent DNS records using DHCP DNS Dynamic Updates, redirecting network traffic to their machine. DHCP DNS Spoofing involves an attacker leveraging the DHCP server to create false DNS records. Imagine a scenario where a computer asks the network for the address of a specific server (like asking for directions to a store). Normally, the network’s DHCP server gives the correct address. However, in this attack, the hacker tricks the DHCP server into giving out the hacker’s address instead. So when the computer tries to connect to that server, it actually connects to the hacker, unknowingly handing over sensitive information.
Overwriting Existing Records: A technique where attackers attempt to overwrite existing DNS records via DHCP updates. Overwriting Existing Records involves an attacker changing an already existing DNS record to point to their own system. For example, let’s say a company’s computer regularly contacts a server named “companyserver.com” for updates. In this attack, the hacker modifies the DNS record for “companyserver.com” so that it now points to a server controlled by the hacker. When the company’s computer next tries to contact “companyserver.com”, it is unknowingly connected to the hacker’s server, potentially compromising sensitive information.
Managed Record Overwrite: Specifically targets DNS records created by DHCP servers, exploiting their ownership settings. Managed Record Overwrite involves an attacker exploiting the fact that a DHCP server can create DNS records on behalf of clients. For example, if a non-Windows device joins a network, it might ask the DHCP server to create a DNS record for it. The DHCP server, being the owner of this record, can update it. An attacker, by manipulating the DHCP server, can overwrite this record with their own details, redirecting traffic intended for the original device to a system controlled by the attacker.
DHCP Self-Overwrite: Involves the DHCP server overwriting its own DNS records, redirecting traffic meant for the server to the attacker. DHCP Self-Overwrite is an attack where the hacker manipulates a DHCP server to overwrite its own DNS record. For example, suppose a DHCP server is named “networkserver.com” and has a DNS record pointing to its IP address. In a self-overwrite attack, the hacker tricks the DHCP server into updating its DNS record so that “networkserver.com” now points to the hacker’s IP address. This redirection could allow the hacker to intercept or manipulate traffic intended for the DHCP server.
DHCP DC Arbitrary Overwrite: If a DHCP server is installed on a Domain Controller, attackers can potentially overwrite any DNS A record in the Active Directory Integrated DNS zone. DHCP DC Arbitrary Overwrite occurs when a DHCP server is installed on a Domain Controller (DC) and the attacker manipulates it to overwrite any DNS record in the Active Directory Integrated DNS zone. For instance, if “companywebsite.com” is a DNS record in the zone, the attacker can make the DHCP server change this record to point to the attacker’s IP. This means anyone trying to access “companywebsite.com” within the network would be redirected to the attacker’s server.
Bypassing Mitigations: Discusses ways to bypass Name Protection and other security measures implemented to prevent unauthorized DNS record modifications. Bypassing Mitigations in this context refers to circumventing security measures put in place to prevent unauthorized DNS updates. For example, an attacker might exploit weaknesses in the Name Protection feature of DHCP servers. Name Protection is designed to prevent unauthorized DNS record updates, but if an attacker can figure out the client’s unique identifier (like a MAC address), they can impersonate the client and change the DNS record. This could allow the attacker to redirect network traffic intended for a legitimate device to their own malicious server.

8 cyber security measures that must be implemented for securing IPv6 networks

Mitigations

Mitigations for DHCP DNS attacks include disabling DHCP DNS Dynamic Updates if not needed, using weak user credentials for DNS updates, enabling Name Protection, and avoiding the use of the DNSUpdateProxy group. However, attackers can bypass these mitigations, such as exploiting the lack of authentication in DHCP DNS Dynamic Updates or finding ways to impersonate legitimate network clients. Akamai recommends implementing mitigation strategies until a patch is available from Microsoft. However you can do the following meantime.

Regularly Update and Patch Systems: Ensure that all systems, especially those related to DHCP and DNS services, are regularly updated and patched. This helps in fixing known vulnerabilities that could be exploited.
Monitor Network Traffic: Implement robust monitoring of network traffic, particularly focusing on DHCP and DNS communications. Unusual patterns or anomalies could indicate attempts at exploitation.
Restrict Dynamic DNS Updates: Configure systems to restrict dynamic DNS updates. This can be done by allowing only authorized DHCP servers to update DNS records.
Implement DNSSEC: Deploy DNS Security Extensions (DNSSEC) to protect against DNS spoofing. DNSSEC adds an additional layer of security by validating the authenticity of the DNS data.
Enhanced Access Controls: Strengthen access controls to critical network infrastructure. Limiting access to DHCP and DNS configurations to only those who require it can reduce the risk of internal threats.
Regular Audits and Compliance Checks: Conduct regular audits of network configurations and compliance checks to ensure that security measures are up-to-date and effective.
Employee Training and Awareness: Educate staff about the risks associated with DNS spoofing and the importance of following security protocols.
Incident Response Plan: Have a well-defined incident response plan in place to quickly address any breaches or exploits that occur.

Mike Stevens

Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.

Understanding Latest DHCP DNS Vulnerabilities and How DHCP Exploits work in Active Directory

DHCP DNS Dynamic Updates:

Mitigations

Critical Vulnerabilities in Cisco ASA & FTD Exposed! Learn How to Exploit CVE-2024-20353 and CVE-2024-20359

Dual Vulnerabilities in Microsoft SharePoint Server: Essential Steps to Mitigate Vulnerabilities

Exploiting the High-Risk Vulnerabilities in Secure Boot of Most Linux Devices on the Planet

Hackers’ New Target is containerized environments through vulnerabilities in runC

Hacking Android, Linux, macOS, iOS, Windows Devices via Bluetooth using a single vulnerability

Healthcare Hack Horror: Cyberattacks Leave French Hospitals in Chaos for $10 Million

Hacking the Unhackable: The Story of How CISA Was Breached

The Cloudflare Hack: A Hacker, 5000 Credentials, and Operation Code Red

Hijacked Data:LockBit Ransomware Gang Targets Aerospace Giant Boeing

Timeless Targets: After Casio, Seiko Group hacked again by Ransomware gang

Unlocked Doors: The Inside Story of Casio’s Global Data Breach!

Largest soft drink bottle supplier, recycle and plastic manufacturers hacked by ransomware

Google Gemini Under Fire: Critical Security Vulnerabilities You Need to Know to hack Gemini

Cracking SCCM Wide Open: Pentesting System Center Configuration Manager with Misconfiguration Manager

Hacking Windows 10 and 11 with DLL Search Order Hijacking without administrator rights

Hacking SSH Connections by exploiting SSH Protocol Vulnerabilities: Different Terrapin Attack Vectors

Understanding Latest DHCP DNS Vulnerabilities and How DHCP Exploits work in Active Directory

Hacking Bluetooth via MiTM: The BLUFFS Bluetooth attack to hack into Millions of Devices

6 Steps to File Anonymous SEC Complaints Against Data Breachers & Force Them to Pay Fines or Take Action

Inside the Exploit: How Your ChatGPT’s Uploaded Files Could Be Stolen by Prompt Injection Vulnerability

This Google Calendar technique allows to hack into companies without getting detected

This telegram bot is like ChatGPT for scammers to steal money from victims easily

How easy is to bomb someone mobile phone with thousands of SMS messages?

This new DDoS attack prevention technique has a 99% accuracy rate

How to secure Cisco Firepower Threat Defense (FTD) firewalls ?

How to use AWS SSM agent as backdoor and hack into EC2 instances?

New tool FraudGPT allows scamming and easy hacking of victims using AI

The Dark Side of PDFs: How Opening a Simple PDF Could Unleash a Cybersecurity Nightmare

Largest soft drink bottle supplier, recycle and plastic manufacturers hacked by ransomware

Visited thesaurus.com in search for Synonyms? You have Coinminer malware infection

How to send malware via Teams, even “Safe Attachments” or “Safe Links” can’t protect you

2 Big Cloud hosting companies shutdown by ransomware and lose all customer data