
TLS security compromised by CA reliance on outdated WHOIS servers


Researchers reported that over 135,000 unique systems had been identified communicating with them. As of September 4, 2024, 2.5 million queries had been made to these systems. The entities making queries were diverse and included mail servers for government and military domains, which used the WHOIS server to look up the domains they receive email from. Several cybersecurity tools and companies were also still relying on this WHOIS server for authoritative information, including VirusTotal, URLSCAN, and Group-IB.

Notably, domain registrars like GoDaddy and Name.com, alongside online WHOIS and SEO tools, as well as numerous universities, were also found to be querying the old server address. Furthermore, governments from countries such as the US, Ukraine, Israel, India, Pakistan, Bangladesh, Indonesia, Bhutan, the Philippines, and Ethiopia were among those whose systems interacted with the now rogue WHOIS server.

In response to these concerning findings, the researchers collaborated with the UK’s National Cyber Security Centre and the Shadowserver Foundation to take action. They successfully took control of the dotmobiregistry.net domain and configured it to function as a proxy, providing correct WHOIS responses from whois.nic.mobi. This strategic move aimed to address the issues arising from the continued use of the outdated WHOIS server by various entities.
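For operators who want to check their own tooling for the stale reference, the following added example (not code from the article or the researchers) audits a WHOIS server override list for entries that still point at the retired domain. The "pattern server" layout, the sample entries, and the full hostnames under dotmobiregistry.net are constructed assumptions; only the two names dotmobiregistry.net and whois.nic.mobi come from the article.

```python
# Hostnames named in the article: the retired registry domain and the current server.
STALE_DOMAIN = "dotmobiregistry.net"
CURRENT_MOBI_SERVER = "whois.nic.mobi"

# Constructed sample in an assumed "pattern server" override layout.
SAMPLE_CONF = r"""
# local WHOIS overrides (constructed sample)
\.mobi$      whois.dotmobiregistry.net
\.org$       whois.registry.example
\.example$   WHOIS.DotMobiRegistry.NET.   # trailing dot and mixed case
\.test$      whois.notdotmobiregistry.net
"""


def normalize_host(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def is_stale(host):
    """True if host is the retired domain or a subdomain of it.

    Matching on a label boundary keeps look-alike names such as
    'notdotmobiregistry.net' from being flagged.
    """
    h = normalize_host(host)
    return h == STALE_DOMAIN or h.endswith("." + STALE_DOMAIN)


def parse_conf(text):
    """Yield (line number, pattern, server) for each well-formed entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) != 2:                  # blank or malformed line
            continue
        yield lineno, parts[0], normalize_host(parts[1])


def audit(text):
    """Return the entries whose server sits under the retired domain."""
    return [(n, pat, srv) for n, pat, srv in parse_conf(text) if is_stale(srv)]


if __name__ == "__main__":
    for n, pat, srv in audit(SAMPLE_CONF):
        print(f"line {n}: {pat} -> {srv} is stale; "
              f"the article gives {CURRENT_MOBI_SERVER} as the current .mobi server")
```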

The researchers emphasized the critical importance of addressing this issue promptly, given the potential security risks associated with relying on an obsolete and compromised WHOIS server. By working alongside cybersecurity experts and organizations, they took proactive steps to mitigate the impact of this alarming discovery. The cooperation between the researchers, the UK’s National Cyber Security Centre, and the Shadowserver Foundation demonstrates a coordinated effort to safeguard against potential cyber threats stemming from the misuse of outdated WHOIS servers.

Moving forward, it is essential for organizations and individuals to stay vigilant and ensure they are using updated and secure systems to protect sensitive information. The incident serves as a reminder of the evolving nature of cybersecurity threats and the imperative need for constant monitoring and proactive measures to safeguard against potential risks. Collaboration between cybersecurity professionals and researchers proves to be a vital tool in addressing and responding to such security concerns effectively.
