AI transforms ‘dangling DNS’ into automated data exfiltration pipeline - Network World
Generative AI is raising the risk of dangling DNS attack vectors, as the orphaned resources are no longer just a phishing nuisance.
When a company shuts down a testing environment, an AWS bucket, an online app, or a SaaS instance, the DNS entry can sometimes remain active long after the fact, a zombie pointer to a resource that no longer exists. And nature might abhor a vacuum, but hackers love them. In the past, they’d jump on an opportunity to take over the old infrastructure in order to, say, lend credibility to a phishing campaign.
“This is not an AI-born vulnerability,” says Constellation Research analyst Chirag Mehta. “It is a long-running cloud hygiene issue.”
Today, so-called dangling DNS instances can also lend credibility to a new kind of influence tactic: instead of exploiting users’ trust to get people to perform dangerous actions, attackers can now exploit the trust of AI agents to get them to perform dangerous actions.
“More automation, more integrations, and more agents that browse and act can turn a small DNS oversight into a higher-leverage control point than it used to be,” says Mehta.
Akamai Technologies called dangling DNS “the most overlooked attack surface in the AI era,” and explained how it can be turned into an “automated data exfiltration pipeline” in a recent security post.
Say, for example, a company has an informative page at analytics.mycompany.com, which points to a bucket on AWS or an Azure app service—analytics.azurewebsites.net, for example. The service is shut down, and all those inbound links would normally just show up as broken links, but an attacker sees the opportunity and creates their own service at analytics.azurewebsites.net. Now all that credible corporate traffic is funneled directly to the attacker.
The new hijacked page has the correct URL and might even have the correct content on it. But there are also hidden prompts embedded in the HTML, SVG metadata or other invisible elements—prompts that the AI agent could interpret as legitimate instructions.
Now the attacker could potentially have access to everything the agent has access to. Meanwhile, agents are getting smarter. Even if an agent doesn’t have access to a particular corporate resource that the attacker wants, the agent might be able to figure out how to get to it, and the company will be paying for the compute time it takes for the agent to figure it out.
“Infrastructure or code that is left operational but not maintained and monitored is a classic attack vector for cyber criminals,” says Steve Winterfeld, advisory CISO at Akamai.
As a CISO, he’s continually battling with this kind of cyber debt, he says. “And this issue is quickly climbing to the top of the list to address.” Akamai itself has recently added a new capability to its DNS security suite to meet this specific concern, he adds.
How big a potential problem is this? Last year, security research firm watchTowr found 150 abandoned S3 buckets previously used in commercial and open-source software products, governments, and infrastructure pipelines, registered them, and saw eight million requests over the next two months for things like software updates, pre-compiled binaries, virtual machine images, and JavaScript files.
Dangling DNS and subdomain takeovers have been used by attackers for over a decade, says Avinash Rajeev, leader of PwC’s cyber, data and tech risk platform. “It’s not a rare or highly technical edge case.”
Security firm SentinelOne alerted its clients to more than 1,250 instances of subdomain takeover risk related to dangling DNS issues last year. Security firm Silent Push reported that a single customer looking for dangling DNS found more than 2,000 exploitable DNS records that required immediate resolution to avoid being used for subdomain takeover.
Meanwhile, security researchers are already finding instances of prompt injection attacks in the wild, and OWASP ranks prompt injection as the top risk in its OWASP Top 10 for LLMs and genAI apps. Just last week, Palo Alto’s Unit 42 reported that there are now real-world instances of indirect prompt injections targeting AI agents or other LLM-based systems.
Attackers using the dangling DNS route can also use AI themselves, to carry out these attacks at scale, says Forrester analyst James Plouffe. “AI can grind in a way that humans can’t,” he says, “which really reduces the opportunity cost for attackers looking for dangling DNS records to exploit.”
And once vulnerable records are found, AI agents can be used to provision this infrastructure at scale, he says. “Now the adversaries are casting a much wider net without a lot of extra effort.”
Addressing this problem requires action on two fronts, Plouffe says. First, many service providers who offer DNS features already have tools to identify dangling DNS records and clean them up. “Those features just need to be enabled and operationalized,” Plouffe says.
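A sketch of the kind of check such tooling performs, added here as an illustration and not taken from the article or any vendor's product: it audits a zone's CNAME records against an asset inventory and a resolver. The suffix list, function names, sample zone and inventory are all assumptions constructed for the example.

```python
import socket

# Provider suffixes where a released name can be claimed by anyone.
# Illustrative only; extend with the services your organization uses.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".s3.amazonaws.com")

def system_resolves(hostname):
    """Return True if the name currently resolves via the system resolver."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records, owned_targets, resolves=system_resolves):
    """Classify CNAMEs that point at claimable cloud names.

    records: (name, target) pairs exported from the zone.
    owned_targets: cloud hostnames the asset inventory says are still ours.
    """
    owned = {t.rstrip(".").lower() for t in owned_targets}
    findings = []
    for name, target in records:
        target = target.rstrip(".").lower()
        if not target.endswith(CLAIMABLE_SUFFIXES):
            continue  # target is not a shared-namespace cloud hostname
        if target in owned:
            status = "owned"
        elif not resolves(target):
            status = "dangling"    # resource gone, record still published
        else:
            # Resolves but is not ours: claimed by another tenant, or the
            # provider answers DNS for unclaimed names. Needs manual review.
            status = "unverified"
        findings.append((name, target, status))
    return findings

# Constructed zone export and inventory, for illustration.
SAMPLE_ZONE = [
    ("analytics.mycompany.com", "analytics.azurewebsites.net."),
    ("www.mycompany.com", "lb.mycompany.com."),
    ("downloads.mycompany.com", "mycompany-downloads.s3.amazonaws.com."),
    ("old.mycompany.com", "oldapp.azurewebsites.net."),
]
SAMPLE_INVENTORY = ["mycompany-downloads.s3.amazonaws.com"]
```

A resolution check alone misses a name that has already been re-registered by someone else, which is why the inventory comparison comes first.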
And, on the agentic side, the AI agents need guardrails that can evaluate the semantic intent of prompts and restrict retrieval of web content.
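One way to restrict what retrieved web content reaches an agent, shown as an added example that is not from the article: pass on only text a browser would paint, and log comments, hidden elements and SVG metadata separately. The class and function names and the sample page are constructed, with placeholders standing in for hidden text.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
# Elements whose text a browser does not paint as page content.
NOT_PAINTED = {"script", "style", "template", "noscript", "metadata", "desc", "title"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class VisibleText(HTMLParser):
    """Separate painted text from hidden text; assumes well-nested markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # per open element: is it, or an ancestor, hidden?
        self.visible, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return  # void elements have no end tag and no text
        a = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1]
        self.stack.append(inherited or tag in NOT_PAINTED or "hidden" in a
                          or bool(HIDDEN_STYLE.search(a.get("style") or "")))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            hidden = bool(self.stack) and self.stack[-1]
            (self.dropped if hidden else self.visible).append(text)

    def handle_comment(self, data):
        if data.strip():
            self.dropped.append(data.strip())

def split_visible(html):
    """Return (text to pass to the agent, hidden fragments to log)."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.dropped

# Constructed page; placeholders stand in for hidden text.
SAMPLE_PAGE = """<html><body><h1>Analytics overview</h1>
<p>Quarterly traffic report.</p>
<div style="display:none">HIDDEN-DIV-PLACEHOLDER</div>
<!-- COMMENT-PLACEHOLDER -->
<svg><metadata>SVG-METADATA-PLACEHOLDER</metadata><text>Chart</text></svg>
</body></html>"""
```

This covers inline styles and the `hidden` attribute only; text hidden through stylesheets, off-screen positioning or colour matching needs a rendering-based check, and the filter does not replace evaluating the intent of what remains.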
Dangling DNS is not a new class of vulnerability, but it is a preventable one, says PwC’s Rajeev. “As digital ecosystems grow, especially with AI, foundational cyber hygiene becomes even more important,” he says. “Small gaps can scale quickly.”