<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Route53 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/route53/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/route53/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Route 53 Resolver Query Log Configuration Deleted</title><link>https://feed.craftedsignal.io/briefs/2024-05-route53-resolver-deletion/</link><pubDate>Tue, 14 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-route53-resolver-deletion/</guid><description>Detection of the deletion of an Amazon Route 53 Resolver Query Log Configuration, potentially stopping DNS query and response logging for associated VPCs, which can be used by adversaries to evade detection and suppress forensic evidence.</description><content:encoded><![CDATA[<p>Amazon Route 53 Resolver query logs offer crucial insights into DNS activity across VPCs, encompassing lookups from EC2 instances, containers, and Lambda functions. The deletion of a query log configuration immediately halts DNS query and response logging for the associated VPC, creating a monitoring gap. This activity is often associated with defense evasion, where attackers attempt to remove logging to obscure their actions. This detection identifies successful invocations of the <code>DeleteResolverQueryLogConfig</code> API call within AWS CloudTrail logs. The scope of impact can range from individual VPCs to entire AWS environments, depending on the breadth of the deleted configuration. Defenders should prioritize investigation to determine whether the deletion was authorized and to identify potential malicious activity that may have been obscured.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account with sufficient privileges.</li>
<li>The attacker uses compromised credentials or an IAM role to interact with the AWS Management Console, CLI, or SDK.</li>
<li>The attacker identifies a Route 53 Resolver Query Log Configuration that is actively logging DNS queries for one or more VPCs.</li>
<li>The attacker invokes the <code>DeleteResolverQueryLogConfig</code> API call, specifying the ID of the target query log configuration.</li>
<li>AWS CloudTrail logs the <code>DeleteResolverQueryLogConfig</code> event with a successful outcome.</li>
<li>DNS query and response logging immediately ceases for the VPCs associated with the deleted configuration.</li>
<li>The attacker performs malicious activities, such as DNS tunneling or command and control communication, without being logged.</li>
<li>The attacker achieves their final objective, such as data exfiltration or system compromise, without detection via DNS logs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to a significant reduction in DNS visibility across affected VPCs. Depending on the scope, this can impact a few resources or an entire AWS environment. The immediate consequence is the cessation of DNS query logging, which can obscure ongoing malicious activity, such as command-and-control communication, data exfiltration attempts, or reconnaissance efforts. The lack of DNS data hinders incident response and forensic investigations, making it difficult to identify the scope and impact of the attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS Route 53 Resolver Query Log Configuration Deleted</code> to your SIEM and tune for your environment.</li>
<li>Review IAM permissions and restrict the <code>route53resolver:DeleteResolverQueryLogConfig</code> action to a minimal set of privileged roles.</li>
<li>Enable AWS Config rules to detect and alert on missing or deleted Route 53 Resolver Query Log Configurations.</li>
<li>Investigate any deletion of Resolver Query Log Configurations to determine if it was authorized and corresponds to expected operational changes.</li>
<li>Monitor <code>aws.cloudtrail.user_identity.arn</code> for any unusual IAM roles or user accounts performing the deletion action as identified in the Sigma rule.</li>
<li>Re-create the deleted Resolver Query Log Configuration and re-associate it with the affected VPCs to restore DNS visibility immediately.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>route53</category><category>defense_evasion</category></item><item><title>AWS Route 53 Domain Transfer Lock Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer-lock-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer-lock-disabled/</guid><description>The disabling of the transfer lock on an AWS Route 53 domain is detected, potentially indicating unauthorized domain transfer, takeover, or service disruption by an adversary gaining domain-management permissions.</description><content:encoded><![CDATA[<p>The disabling of a domain transfer lock within AWS Route 53 is a critical event that can signal malicious activity. The transfer lock is a security feature that prevents unauthorized transfer of a domain to another registrar or AWS account. An attacker who compromises an AWS account with sufficient permissions may disable this lock as a prerequisite for hijacking the domain, potentially leading to service disruption, data exfiltration, or brand damage. This activity is particularly concerning because domains underpin many critical services, including websites, email, and authentication mechanisms. The alert specifically triggers on the <code>DisableDomainTransferLock</code> event within AWS CloudTrail logs, providing visibility into this specific action. The targeted scope includes any AWS Route 53 domains managed by the organization.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or an IAM role with excessive privileges (T1078, T1098).</li>
<li><strong>Privilege Escalation (if needed):</strong> The attacker escalates privileges within the AWS environment to gain the necessary permissions to manage Route 53 domains (T1068).</li>
<li><strong>Discovery:</strong> The attacker enumerates the Route 53 domains associated with the compromised AWS account (T1082).</li>
<li><strong>Disable Domain Transfer Lock:</strong> The attacker disables the domain transfer lock for a target domain by calling the <code>DisableDomainTransferLock</code> API (T1584.001).</li>
<li><strong>Modify Contact Information:</strong> The attacker changes the contact information associated with the domain to gain control over authorization emails (T1586).</li>
<li><strong>Initiate Domain Transfer:</strong> The attacker initiates a transfer of the domain to a registrar or AWS account under their control (T1584.001).</li>
<li><strong>DNS Manipulation:</strong> After the transfer, the attacker modifies DNS records to redirect traffic to malicious servers, enabling phishing attacks or data theft (T1584.001).</li>
<li><strong>Impact:</strong> The attacker disrupts services, steals sensitive information, or conducts further attacks leveraging the hijacked domain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful domain hijacking can have severe consequences, including website defacement, email interception, and redirection of user traffic to malicious sites. Depending on the criticality of the domain, this could lead to significant financial losses, reputational damage, and legal liabilities. Organizations in all sectors are vulnerable, especially those heavily reliant on online services. The impact is amplified if the hijacked domain is used for authentication or other security-sensitive functions. Without proper detection and response, a domain hijacking can persist for an extended period, causing ongoing harm.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect instances of <code>DisableDomainTransferLock</code> events in AWS CloudTrail logs (logsource: aws.cloudtrail, event.action: DisableDomainTransferLock).</li>
<li>Immediately investigate any detected instances of disabled domain transfer locks, focusing on the user identity (<code>aws.cloudtrail.user_identity.arn</code>) and request parameters (<code>aws.cloudtrail.request_parameters</code>).</li>
<li>Enforce multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to manage Route 53 domains.</li>
<li>Implement AWS Organizations service control policies (SCPs) to restrict domain-level actions to designated accounts, as mentioned in the overview.</li>
<li>Review and restrict domain-management permissions to the minimum set of authorized administrators as per the guide.</li>
<li>Monitor for modifications to contact details, attempted transfers, DNS record changes, or updates to hosted zones following lock disablement.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>route53</category><category>domain-hijacking</category><category>persistence</category></item><item><title>AWS Route 53 Private Hosted Zone Associated With Unauthorized VPC</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-route53-vpc-association/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-route53-vpc-association/</guid><description>An adversary with sufficient permissions may associate unauthorized VPCs to intercept, observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment by associating a Route 53 private hosted zone with a new Virtual Private Cloud (VPC).</description><content:encoded><![CDATA[<p>Attackers with sufficient AWS IAM permissions can associate a Route 53 private hosted zone with a Virtual Private Cloud (VPC) to expand the scope of internal DNS resolution, potentially intercepting, observing, or rerouting internal traffic. This activity allows adversaries to establish persistence or expand their visibility within an AWS environment. This association is achieved through the <code>AssociateVPCWithHostedZone</code> event. Defenders should monitor for unauthorized associations to prevent attackers from manipulating internal name resolution. The Elastic detection rule was last updated on April 10, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS account, either through compromised credentials or exploiting a misconfigured IAM role, achieving initial access (TA0001).</li>
<li>The attacker enumerates existing Route 53 hosted zones and associated VPCs to identify potential targets for manipulation.</li>
<li>The attacker identifies a private hosted zone containing sensitive internal service records or privileged DNS information.</li>
<li>The attacker creates or compromises a VPC within the AWS environment or cross-account.</li>
<li>The attacker uses the <code>AssociateVPCWithHostedZone</code> API call to associate the attacker-controlled VPC with the targeted private hosted zone.</li>
<li>The attacker modifies DNS records within the associated hosted zone to redirect traffic to attacker-controlled resources.</li>
<li>The attacker intercepts internal traffic, observes service discovery processes, or redirects traffic to malicious services (TA0009).</li>
<li>The attacker maintains persistent access by manipulating internal name resolution (TA0003).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to intercept internal traffic, perform reconnaissance, and potentially gain access to sensitive data. The number of victims depends on the scope of the compromised hosted zone and the sensitivity of the data exposed. Targeted sectors could include any organization using AWS Route 53 for internal DNS resolution. If the attack succeeds, internal applications and services may become unavailable or compromised, leading to data breaches and service disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;AWS Route 53 Private Hosted Zone Associated With a VPC&quot; Sigma rule to your SIEM and tune for your environment to detect unauthorized VPC associations.</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>access_key_id</code> to identify the actor initiating the association, as mentioned in the investigation steps.</li>
<li>Limit <code>route53:AssociateVPCWithHostedZone</code> permissions to specific administrative roles and require MFA for privileged accounts.</li>
<li>Monitor AWS CloudTrail logs for <code>AssociateVPCWithHostedZone</code> events to identify suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>route53</category><category>persistence</category></item><item><title>AWS Route 53 Domain Transferred to Another Account</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/</guid><description>An AWS Route 53 domain was transferred to another AWS account, potentially leading to unauthorized control over DNS records and traffic redirection for malicious purposes, such as phishing or establishing persistence.</description><content:encoded><![CDATA[<p>This threat brief addresses the unauthorized transfer of an AWS Route 53 domain to another AWS account. Route 53 is a scalable DNS web service, and control over a domain allows an attacker to modify DNS records, reroute traffic, and request certificates. The adversary could gain control by compromising an IAM user or leveraging long-lived credentials. Such a transfer can lead to persistence, traffic redirection, phishing attacks, or the staging of infrastructure for more extensive malicious operations. This activity is detected via CloudTrail logs when the <code>TransferDomainToAnotherAwsAccount</code> event is successfully invoked.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account through compromised credentials or IAM role exploitation.</li>
<li>The attacker identifies a target domain within the Route 53 service.</li>
<li>The attacker may disable the domain transfer lock using <code>DisableDomainTransferLock</code>.</li>
<li>The attacker initiates a domain transfer to an AWS account under their control using the <code>TransferDomainToAnotherAwsAccount</code> API call.</li>
<li>The transfer is successful, granting the attacker administrative control over the domain's DNS records.</li>
<li>The attacker modifies DNS records to redirect traffic to malicious servers they control.</li>
<li>The attacker sets up phishing sites or redirects legitimate traffic to a command-and-control infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful Route 53 domain transfer enables an attacker to fully manage the domain's DNS resources, potentially leading to traffic redirection, service outages, or domain hijacking for phishing or command-and-control. While the exact number of victims and sectors targeted is unknown, unauthorized domain transfers can severely impact any organization relying on AWS for DNS services. This could disrupt service availability, compromise sensitive data through phishing, or enable persistent access to internal networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS Route 53 Domain Transferred to Another Account</code> to detect successful <code>TransferDomainToAnotherAwsAccount</code> events in AWS CloudTrail logs.</li>
<li>Monitor AWS CloudTrail logs for <code>DisableDomainTransferLock</code> events followed by <code>TransferDomainToAnotherAwsAccount</code> as it indicates a possible domain transfer preparation.</li>
<li>Restrict domain transfer permissions to a minimal set of roles using IAM Conditions such as <code>aws:PrincipalArn</code> and <code>aws:MultiFactorAuthPresent</code> as recommended in the <a href="https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/">AWS Knowledge Center – Security Best Practices</a>.</li>
<li>Implement change-management tracking for domain ownership modifications, correlating with approved internal requests as noted in the overview.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>route53</category><category>domain-transfer</category><category>persistence</category><category>resource-development</category></item></channel></rss>