<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Domain-Transfer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/domain-transfer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/domain-transfer/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Route 53 Domain Transferred to Another Account</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/</guid><description>An AWS Route 53 domain was transferred to another AWS account, potentially leading to unauthorized control over DNS records and traffic redirection for malicious purposes, such as phishing or establishing persistence.</description><content:encoded><![CDATA[<p>This threat brief addresses the unauthorized transfer of an AWS Route 53 domain to another AWS account. Route 53 is a scalable DNS web service, and control over a domain allows an attacker to modify DNS records, reroute traffic, and request certificates. The adversary could gain control by compromising an IAM user or leveraging long-lived credentials. Such a transfer can lead to persistence, traffic redirection, phishing attacks, or the staging of infrastructure for more extensive malicious operations. This activity is detected via CloudTrail logs when the <code>TransferDomainToAnotherAwsAccount</code> event is successfully invoked.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account through compromised credentials or IAM role exploitation.</li>
<li>The attacker identifies a target domain within the Route 53 service.</li>
<li>The attacker may disable the domain transfer lock using <code>DisableDomainTransferLock</code>.</li>
<li>The attacker initiates a domain transfer to an AWS account under their control using the <code>TransferDomainToAnotherAwsAccount</code> API call.</li>
<li>The transfer is successful, granting the attacker administrative control over the domain's DNS records.</li>
<li>The attacker modifies DNS records to redirect traffic to malicious servers they control.</li>
<li>The attacker sets up phishing sites or redirects legitimate traffic to a command-and-control infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful Route 53 domain transfer enables an attacker to fully manage the domain's DNS resources, potentially leading to traffic redirection, service outages, or domain hijacking for phishing or command-and-control. While the exact number of victims and sectors targeted is unknown, unauthorized domain transfers can severely impact any organization relying on AWS for DNS services. This could disrupt service availability, compromise sensitive data through phishing, or enable persistent access to internal networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS Route 53 Domain Transferred to Another Account</code> to detect successful <code>TransferDomainToAnotherAwsAccount</code> events in AWS CloudTrail logs.</li>
<li>Monitor AWS CloudTrail logs for <code>DisableDomainTransferLock</code> events followed by <code>TransferDomainToAnotherAwsAccount</code> as it indicates a possible domain transfer preparation.</li>
<li>Restrict domain transfer permissions to a minimal set of roles using IAM Conditions such as <code>aws:PrincipalArn</code> and <code>aws:MultiFactorAuthPresent</code> as recommended in the <a href="https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/">AWS Knowledge Center – Security Best Practices</a>.</li>
<li>Implement change-management tracking for domain ownership modifications, correlating with approved internal requests as noted in the overview.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>route53</category><category>domain-transfer</category><category>persistence</category><category>resource-development</category></item></channel></rss>