While trying to escape the Las Vegas heat during Black Hat last month, watchTowr Labs researchers decided to poke around for weaknesses in the WHOIS protocol. They claim to have found a way to undermine certificate authorities, which the world trusts to keep the internet safe by verifying the identity of websites.

The WHOIS database is used to find out who is the registered owner of an internet domain.

While enjoying hotel air conditioning, the watchTowr team discovered the WHOIS server for [.]mobi, the top-level domain (TLD) for websites optimized for mobile viewing, had migrated from whois[.]dotmobiregistry[.]net to whois[.]nic[.]mobi.

So they did what any good threat researchers would do. They spent $20 to buy the expired domain, according to watchTowr CEO and founder Benjamin Harris, who spoke with The Register about the team's discovery and its implications ahead of research published today.

"The underlying challenge is that people are effectively treating infrastructure as temporary, but with very, very permanent effects on what it gives access to, what it authorizes, where it's trusted, etc, etc, which is giving us some sleepless nights," Harris said.

Millions of systems - including cybersecurity firms and mail servers used by governments, militaries, and universities - were still querying the expired domain, meaning a nation-state group from Russia or China could have purchased the domain, set up their own WHOIS server, and then used it to respond to anyone querying it.

Of course, this didn't fall into nefarious hands; it ended up with watchTowr.

On August 30, 2023, the researchers spun up a WHOIS server and pointed it to whois[.]dotmobiregistry[.]net to identify who was using the legacy domain.

In deploying the new WHOIS server, the team crafted a response to anyone that hadn't updated their client to use the new [.]mobi address, and this response included ASCII art - obviously. In this case it's the company's logo, which looks like a castle watch tower. It also included fake WHOIS details indicating watchTowr as the owner for every queried entity.

Less than a week later, on September 4, watchTowr identified more than 135,000 unique systems speaking to the server and more than 2.5 million queries.

These included private companies, Group-IB, VirusTotal, and other security firms and tools among them, as well as mail servers for countless government, military, and university entities.

Just the [.]gov addresses alone belonged to America, Argentina, Brazil, Pakistan, India, Bangladesh, Indonesia, Bhutan, Philippines, Israel, Ethiopia, and Ukraine, we're told. 

These queries also included several well-known domain registrars like domain[.]com, godaddy[.] and who[.]is, among others, plus certificate authorities (CAs) responsible for issuing TLS/SSL certificates for domains like google[.]mobi and microsoft[.]mobi. The CAs, we're told, were also using watchTowr's WHOIS server to identify who owns the domain.

For microsoft[.]mobi, as an example, the researchers found that GlobalSign would parse responses provided by its server and present whois[@]watchtowr[.]com as an authoritative email address.

"We're all very, very aware of how much certificate authorities have been targeted in the last ten years by nation states," Harris said. "So our ability to then start issuing things like certificates for microsoft[.]mobi and google[.]mobi falls into the playing space of nation states who want to use this capability to intercept internet traffic at a country scale, all the way through to targeting individual users to snoop on communications."

Taking this even one step further - which Harris is quick to point out, watchTowr did not - this could be abused to co-sign malware as Microsoft, thus enabling malicious code to bypass existing endpoint and other security control products.

"What genuinely scares us, outside of the intercept of communications, snooping, etc, is the fact that we know these clients have materially trivial, exploitable vulnerabilities inside them," he added.

Some of these are detailed in watchTowr's paper, and there's even one from 2015 that allows RCE from any malicious server.

"It's publicly documented, and this stuff is ridiculously easy to achieve," Harris said, noting that if his team had slightly fewer scruples, "we would have loved to have found out how many of those systems are queries of the literally hundreds of thousands that were truly exploitable  to known vulnerabilities."

He said he suspects it would be "a significant portion."

In terms of how to fix the bigger issue here, there's not an easy answer, according to Harris. First, there's the problem of expiring domains and throwaway infrastructure on the internet, but there's also gaping holes in TLS/SSL certificate authorities, which will be the subject of future research.

The trust placed in internet protocols and encryption processes is "misplaced," according to the security shop. 

"From our perspective those impacts are pretty serious," Harris said. "I don't think this is what we expect core integrity to look like on the internet." ®

https://www.theregister.com//2024/09/11/watchtowr_black_hat_whois/