image of breaking badness
Breaking Badness
Breaking Badness

174. Pick Your DNS Cache Poison

Coming up this week on Breaking Badness: Industrial Control Systems of a Down, DNS Cache Poisoning the Well, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

Industrial Control Systems of a Down

  • A recent cyber attack on the Municipal Water Authority of Aliquippa has international implications
  • We can only speculate why Aliquippa, PA was targeted – the actor group claiming responsibility for this event hasn’t said anything about why they chose this particular water authority versus all the other water or other industrial or automation targets among utilities, manufacturing, energy, etc.
  • The only clue they gave had less to do with the location or the fact that it was a water utility specifically, and more to do with the fact that the PLC, or programmable logic controller, in question, was made in Israel. But – and we’ll get to this later – Aliquippa wasn’t actually the only target
  • The equipment they use is manufactured by Unitronics, which is based in Israel, but in the grand scheme of things, not a ton of equipment for industrial control systems is manufactured there
    • When you look at the major manufacturers of automation equipment, you see names like Schneider Electric, Honeywell, Siemens, ABB, Yokogawa (and we could go on)…none of those is in Israel
    • If we had to guess, our guess would be that they did some scanning looking specifically for Unitronics PLCs or HMIs (human-machine interfaces) with Shodan or something like that, and then decided which target they liked best out of what was returned.
  • The threat group involved is the Cyber Av3ngers – an Iranian hacking group
    • We were not aware of this group prior to a few days ago and we didn’t find much on their historical exploits in prepping for this episode
    • Of course, the Iranian Government Islamic Revolutionary Guard Corps, or IRGC, has been one of the major players from a state-sponsored hacking perspective for a number of years
    • So this is, as CISA put it, just one “persona” of that group. Certainly I think it’s probable that a lot of the individuals that are claiming to be Cyber Av3ngers have been involved in a lot of different stuff over time
  • The Cyber Av3ngers are targeting critical infrastructure in poorer communities with fewer resources to defend
    • Not necessarily “defend” in the sense of defending against a potential kinetic attack 
    • Fortunately there are a lot of resources out there that are going to come, to one extent or another, to the aid of these utilities, from CISA to WaterISAC to possibly even Tim’s old friends over at Dragos, which has a cool program that they call Neighborhood Keeper that is specifically designed to help the smaller operators that might not have the level of resourcing that they’d ideally have in today’s environment
  • In this instance, the water authority was able to take action quickly and no customers were impacted
    • However we are already seeing more of this
    • CISA says there are already victims in multiple states, and there’s no reason to believe this is just going to go away

DNS Cache Poisoning the Well

  • Timo Longin, in collaboration with the SEC Consult Vulnerability Lab, discovered an exotic DNS Cache poisoning vulnerability that could have manipulated the DNS name resolution for an entire country
  • To begin, DNS cache poisoning is synonymous with The Kaminsky Method
    • Named after Dan Kaminsky, Internet Researcher in the Internet Hall of Fame
    • Realized you could flood a recursive name server with lookups for subdomains and then tell that resolver that the root lives elsewhere 
    • Able to do that by exploiting randomness in how DNS was implemented back in the day 
    • We could probably bring a bunch of people from DomainTools on to talk about this in detail 
    • This methodology in tricking a recursive server into giving the wrong answer has been thought about for a number of years – it’s used to attack web apps and their reliance on sending password resets to email addresses
    • Now we’ve come to what they call “TRAP, RESET, Poison” which is a methodology for reducing the randomness on what the recursive resolver would use to cache into itself 
    • It only works with carrier-grade matting servers that’s built to handle a lot of stuff 
    • There are certain vulnerable resolvers that could reserve a lot of ports for randomness, ruining the cache and forcing those resolvers to take certain answers as authoritative when people ask a specific question in DNS
  • This builds on previous research from Timo
    • In 2021 he looked at how to take over user accounts via DNS cache poisoning
    • Then in 2022 he looked at taking over infrastructure with DNS cache poisoning 
    • 2023 is the year of looking at compromising the DNS name resolution of an entire country
    • They’ve come at this a few different ways like manipulating the path between resolvers 
    • If you want to make your own answers in DNS, here’s how you could do that, but it will take a lot of effort 
  • Does this research further prove it’s always DNS?
    • Yes 
    • We get little reminders of this constantly and we’re super reliant on DNS for all kinds of things 
    • Is cache king?
      • It can be depending on what kind of cache you’re talking about

This Week’s Hoodie/Goodie Scale

Industrial Control Systems of a Down

[Taylor]: 3.27/10 Hoodies
[Tim]: 6/10 Hoodies

DNS Cache Poisoning the Well

[Taylor]: 4.12/10 Hoodies
[Tim]: 5/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!