A security researcher from Seralys has discovered a way to spoof the DNS server for the mastercard.com domain used in the infrastructure of the MasterCard payment system. Since June 2020, there has been a typo in the settings of the mastercard.com domain zone — instead of the host "a22-65.akam.net" (Akamai DNS service), the host "a22-65.akam.ne" was indicated in the list of DNS servers servicing the zone. The root zone ".ne" is assigned to the Republic of Niger and the domain "akam.ne" was available for sale.
Thus, for four and a half years, anyone could buy a domain "akam.ne," create the host "a22-65.akam.ne," deploy a DNS server on it, create your own mastercard.com DNS zone, and redirect any mastercard.com subdomain to your server. DNSSEC was not used for mastercard.com. Since the typo was in the name of one of the five DNS servers, a successful attack could have gained control over at least one-fifth of the traffic. This reach could be increased by setting a high TTL (Time To Live) for the fake zone, which would result in longer cache retention for public resolvers, such as those maintained by Cloudflare (1.1.1.1) and Google (8.8.8.8).

In addition to intercepting traffic from existing hosts, it was possible to conduct a less visible attack and use an initially missing subdomain for phishing, for example, by creating a host "redemtion.mastercard.com" and using it in spam instead of the legitimate entry point "redemption.mastercard.com." Among other things, by gaining control of one of the DNS servers serving the mastercard.com domain, it was possible to TLS certificate in services that allow domain ownership verification via the web or DNS, such as Let's Encrypt. Possible attack scenarios also include creating a fake mail server to intercept correspondence from email address name@mastercard.com and intercepting authentication data from employees' computers using Windows.
The researcher who identified the problems bought the domain "akam.ne" for $300 and launched a DNS sniffer on it to assess the traffic volume. Analysis of the received requests showed that the case with MasterCard is not the only one and there are other domain zones in the list of DNS servers for which the host "akam.ne" is indicated instead of "akam.net". Moreover, it was found that from 2015 to 2018, the domain "akam.ne" was registered and, probably, used to carry out attacks. The assumption about attacks was made, since the former owner of "akam.ne" also registered the domain "awsdns-06.ne", which is stylized as the DNS server "awsdns-06.net". The inoperability of one of the DNS servers with a typo in the name can remain unnoticed by administrators for a long time, since fault tolerance is ensured by specifying several DNS servers.
MasterCard initially ignored the report, but after being contacted by journalist Brian Krebs, acknowledged and fixed the bug, stating that the bug did not pose a threat to the infrastructure. The researcher was then forwarded a request from MasterCard to remove the published note about the incident via Bugcrowd, a service that allows you to earn royalties for identifying vulnerabilities.
In response, the researcher stated that although he had an account on Bugcrowd, he had not submitted any requests for rewards, but had directly notified MasterCard of the problem. The note was published to draw attention to the problem after MasterCard was no longer in danger and the domain "akam.ne" belonged to the researcher. As a result, MasterCard not only did not compensate the $300 spent on the domain, but did not even verbally thank the researcher.
As for the claim that the error did not create additional risks, the researcher cited statistics on DNS queries received, which included *.az.mastercard.com domains pointing to working components of MasterCard infrastructure hosted in the Microsoft Azure cloud service. Compromising such components, apparently, posed a critical security threat.

Source: opennet.ru
