
AWS Route 53 domain transfer to an unknown external account

ID: aws_route53_domain_transfer_unknown
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0042:T1583.001

Description

AlphaSOC detected an AWS Route 53 domain transfer to an external account. This action involves moving control of a domain from one AWS account to another, potentially outside of the organization's control. Such transfers can be part of legitimate operations, but they can also indicate unauthorized access or an attempt to hijack domain resources.

Impact

Unauthorized domain transfers can severely compromise an organization's security infrastructure. The transferred domain could be used for phishing campaigns, malware distribution, or intercepting sensitive communications. It can also disrupt business operations and lead to a loss of control over critical infrastructure components associated with the domain.

Severity

Severity        Condition
Informational   Domain transfer to an external account using Route 53
Medium          Domain transfer to an unknown external account using Route 53

Investigation and Remediation

Review AWS CloudTrail logs to verify the legitimacy of the action, identify the user who initiated the transfer, and review recent account activity. If unauthorized, contact AWS Support to attempt to reverse the transfer. Change any associated account credentials and API keys. Check DNS records and SSL certificates associated with the domain. Conduct a broader security assessment to identify additional compromised resources or accounts.
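As an added triage example, not part of this AlphaSOC rule page, the following Python classifies constructed CloudTrail records the way the severity table above does and pulls out the initiating principal for review. It assumes the transfer is recorded as the Route 53 Domains TransferDomainToAnotherAwsAccount event with domainName and accountId in requestParameters, and that the set of organization-owned account IDs (placeholder values here) is maintained by the analyst.

```python
# Constructed sample CloudTrail records, not real logs. The event source and
# name are assumed from the Route 53 Domains TransferDomainToAnotherAwsAccount
# API; the field layout follows a standard CloudTrail record.
def _record(name, user, domain=None, dest=None, error=None):
    ev = {"eventSource": "route53domains.amazonaws.com", "eventName": name,
          "eventTime": "2024-05-01T10:00:00Z", "recipientAccountId": "111111111111",
          "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}}
    if domain:
        ev["requestParameters"] = {"domainName": domain, "accountId": dest}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    _record("TransferDomainToAnotherAwsAccount", "alice", "example.com", "222222222222"),
    _record("TransferDomainToAnotherAwsAccount", "bob", "example.org", "999999999999"),
    _record("TransferDomainToAnotherAwsAccount", "carol", "example.net", "999999999999", "AccessDenied"),
    _record("ListDomains", "alice"),
]

# Account IDs the organization owns (constructed placeholder values).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def triage_transfers(events, known_accounts):
    """One finding per domain transfer; Informational if destination is known, else Medium."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "route53domains.amazonaws.com"
                or ev.get("eventName") != "TransferDomainToAnotherAwsAccount"):
            continue
        params = ev.get("requestParameters") or {}
        dest = params.get("accountId")
        # A transfer "to" the calling account itself is not an external move.
        if not dest or dest == ev.get("recipientAccountId"):
            continue
        findings.append({
            "domain": params.get("domainName"),
            "destination_account": dest,
            "initiator": ev.get("userIdentity", {}).get("arn"),
            "time": ev.get("eventTime"),
            # Failed calls (errorCode present) are kept: a denied attempt is
            # still worth reviewing, but it did not move the domain.
            "completed": "errorCode" not in ev,
            "severity": "Informational" if dest in known_accounts else "Medium",
        })
    return findings
```

Feed real records by loading the CloudTrail JSON `Records` array in place of SAMPLE_EVENTS; findings with `completed` false are denied attempts rather than actual transfers.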

Known False Positives

  • Transfer of domains to a newly created AWS account