Security | 14.10.2024

Windows security problem in South Africa

Several South African organisations using Windows domain controllers have made a critical mistake that allows potential attackers to intercept network traffic that was meant to be internal.

The problem occurs when network administrators use Microsoft Active Directory and an Internet domain name they do not own for their internal domain.

This gives rise to a namespace collision — where domain names intended to be used exclusively on an internal company network overlap with domains that can resolve on the open Internet.

A typical example is when a Windows domain was configured long ago using a domain that previously could not route over the public Internet.

For example, a company may have configured its Windows domain with the name “company.tech” many years ago.

However, when the .tech generic top-level domain (gTLD) launched in 2015, it suddenly became possible to register company.tech and intercept an organisation’s internal network traffic.

This is possible because of the way Microsoft handles domain name resolution on networks that use Active Directory.

Active Directory is a feature specific to Windows environments. In organisations running Windows Server, everything that relates to identity management is grouped under Active Directory.

Computers joined to a Windows domain can “leak” internal traffic because of a feature called Domain Name System (DNS) devolution, which the operating system uses to locate services on the network.

This allows clients to find servers and other resources without specifying their full names every time.

Using the previous example, if a user wanted to find a media server, they could simply type \\media in the Windows Explorer address bar instead of media.company.tech.

However, this convenience comes with a drawback — namespace collisions.

If an attacker were to register a domain out from under a company, they could use intercepted traffic to map out the organisation’s network, including lists of valid users, servers, and mapped drives.
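The following Python script is an added illustration, not code from the MyBroadband article and not Microsoft's implementation. It models the candidate names a domain-joined Windows client tries for a short name such as `\\media` under primary DNS suffix devolution, and then classifies each internal suffix by whether its apex domain could be registered publicly, which is the namespace-collision condition described above. The TLD list is a constructed subset (the article's list plus a few common ones); the function names `devolution_candidates`, `collision_risk` and `defensive_registrations` are the example's own.

```python
"""Added illustration (not from the MyBroadband article, not Microsoft's code):
model Windows primary DNS suffix devolution and flag internal suffixes whose
top-level domain is publicly delegated. All data sets are constructed."""

# Constructed subset of publicly delegated TLDs (the article's list plus a few
# common ones). The authoritative source is IANA's root zone database, which is
# deliberately not queried here so the example runs offline.
PUBLIC_TLDS = {
    "ad", "cloud", "email", "global", "group", "inc", "llc", "ltd", "ms",
    "name", "network", "systems", "tech", "zone", "com", "net", "org", "za",
}

# Names reserved for private use that no registrar will sell:
# .local (RFC 6762), home.arpa (RFC 8375) and .internal (reserved by ICANN, 2024).
RESERVED_TLDS = {"local", "internal"}
RESERVED_SUFFIXES = {"home.arpa"}


def _labels(suffix):
    """Split a DNS suffix into lower-case labels, ignoring a trailing dot."""
    return suffix.strip(".").lower().split(".")


def devolution_candidates(short_name, primary_suffix, devolution_level=2):
    """Return, in order, the FQDNs a Windows client queries for a single-label
    name when primary DNS suffix devolution is enabled.

    Windows strips the leftmost label of the primary DNS suffix one at a time
    and stops once only `devolution_level` labels remain (default 2, so for
    'corp.company.tech' the last name tried is 'media.company.tech')."""
    labels = _labels(primary_suffix)
    candidates = []
    while len(labels) >= devolution_level:
        candidates.append(f"{short_name.lower()}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def collision_risk(primary_suffix):
    """Classify an internal DNS suffix by whether a third party could register
    its apex domain on the public Internet.

    'reserved'   - TLD or suffix reserved for private use; cannot be registered.
    'public-tld' - TLD is delegated, so anyone may register the apex domain.
    'unlisted'   - TLD absent from the constructed list; check IANA before
                   treating it as safe."""
    labels = _labels(primary_suffix)
    tld = labels[-1]
    apex = ".".join(labels[-2:])
    if tld in RESERVED_TLDS or apex in RESERVED_SUFFIXES:
        return "reserved"
    if tld in PUBLIC_TLDS:
        return "public-tld"
    return "unlisted"


def defensive_registrations(suffixes):
    """Return the apex domains (last two labels) an organisation must already
    hold, or register defensively, for every internal suffix under a public TLD.
    This mirrors the remedy applied in the article: own the public name."""
    apexes = []
    for suffix in suffixes:
        if collision_risk(suffix) == "public-tld":
            apex = ".".join(_labels(suffix)[-2:])
            if apex not in apexes:
                apexes.append(apex)
    return apexes


if __name__ == "__main__":
    # Constructed inventory modelled on the article's 'company.tech' example.
    inventory = ["corp.company.tech", "company.ad", "company.local", "office.home.arpa"]
    for suffix in inventory:
        print(f"{suffix:20} {collision_risk(suffix):11} "
              f"{devolution_candidates('media', suffix)}")
    print("register/verify ownership of:", defensive_registrations(inventory))
```

Two caveats when using this as an audit aid: if a client has an explicit DNS suffix search list configured, Windows uses that list instead of devolution, so the candidate names differ; and an `unlisted` result only means the TLD is not in this constructed subset, not that it is unregistrable, so the real check is the IANA root zone and a WHOIS lookup of the apex.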

This information is useful to a malicious actor who might wish to infiltrate a network, whether to steal data, execute a ransomware attack, or install some other malware.

Philippe Caturegli, founder of the security consultancy Seralys, recently contacted MyBroadband after a major South African company stopped responding to requests to help resolve this vulnerability on their network.

Krebs on Security has reported that Caturegli is one of the researchers trying to map the extent of the namespace collision problem.

He has been scanning a variety of TLDs for clues that organisations might be using unregistered domains for their internal network.

Popular choices include .ad, .cloud, .email, .global, .group, .inc, .llc, .ltd, .ms, .name, .network, .systems, .tech, and .zone.

It is noteworthy that most of these TLDs were only introduced in the 2010s. Administrators who used these TLDs for their internal domains may have done so precisely because they were not routable many years ago.

However, .ad is the country code TLD (ccTLD) for Andorra, while .ms is the ccTLD for Montserrat. Both of these have been in use since the early days of the World Wide Web.

The .ad TLD is popular because it is the acronym commonly used for Active Directory, while .ms is the abbreviation for Microsoft.

South African impact

Caturegli followed one of the trails of clues to Woodlands Dairy in South Africa, a major corporation that produces milk products under the First Choice brand.

When he discovered that they were using an unregistered domain name for their internal network, Caturegli quickly did a defensive registration to ensure it didn’t fall into the hands of an attacker.

Because the domain was considered “premium”, it cost around $75 (R1,300) to register.

He contacted Woodlands Dairy in April and initially received an affirmative response indicating that they were attending to the issue.

However, after that, he was met with silence. Caturegli followed up after 2–3 weeks and then again after several months had passed.

Since domain registrations are only valid for a year, Caturegli became anxious that Woodlands Dairy would become unprotected if he didn’t foot the bill for a renewal.

Although much cheaper than the initial registration fee, such costs add up when dealing with many vulnerable domains.

MyBroadband contacted Woodlands Dairy, and although it declined to comment, it quickly arranged for Caturegli to transfer the domain.

It also agreed to pay $100 (R1,750) to cover his costs for registering the domain.

Although the domain is now under Woodlands Dairy’s control, MyBroadband has elected not to reveal it out of an abundance of caution.

Caturegli also explained that Woodlands Dairy was not the only South African organisation he had found to be vulnerable.

MyBroadband has contacted these companies to inform them about the issue, as the domains they are using internally have not yet been registered.
