The Domain Name System (DNS) is something most of us use every day, whether we think about it or not. It is hugely convenient for converting human readable addresses into the addresses that computers actually use to communicate
with each other. Sometimes this convenience can have unintended side effects
though, such as hundreds of thousands of computers constantly attempting to
send potentially sensitive information to an unintended location. In an attempt
to help secure computers worldwide Microsoft recently purchased the domain
name ‘corp.com’ for an undisclosed sum (likely north of a million dollars) from a
private party.
Why would they or you care about this nondescript domain name? The reason
stems back to the Windows 2000 days and poorly configured Active Directory
servers.
Active Directory is a service commonly utilized in corporate networks
which among other things handles authentication and shared computing resources. This is the service that allows you to map network drives and printers
easily on a primarily Windows network. In order to map those services DNS is
utilized so that users don’t have to remember a bunch of IP addresses. The issue is that old versions of Active Directory defaulted to ‘corp’ as the root name,
causing collisions anywhere outside of the specific corporate network it was
setup on.
If the computer tried to look up the fileserver address for example, it would ask
the Active Directory service for the address using the name ‘fileserver\corp’. On
the original network the Active Directory server would know about the ‘corp
configuration’ and return the correct address. But if the user was on a different
network, such as at a hotel or home, they would likely get back a generic DNS
response for the ‘corp.com’ domain name. The computer would then try to
access this resource as normal, potentially sending authentication tokens or
other details to the computer that ‘corp.com’ was pointing to.
Microsoft started working on this problem in 2009 when it issued updates designed to mitigate the problem. They also issued updates in 2015 designed to
further mitigate the issue. It turns out that a lot of computers simply never updated, as information never stopped flowing to ‘corp.com’. Microsoft has also
recommended not using the default ‘corp’ setting in Active Directory for as long
as they have known about the issue. Now at least with the domain in the hands
of Microsoft they can monitor the incoming traffic and perhaps find out a way
to stop it all together.
Sources:
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/
