Recent research from Detectify found a 25% increase in vulnerabilities detected in its customers’ subdomain assets in 2021 than in 2020. Additionally, the study found a 100% increase in the median number of vulnerabilities per domain in 2021 than in 2020. Detectify researchers said that the subdomain attack surface continues to grow, and DNS is becoming increasingly common in infrastructure, which means that the threats to subdomains are correspondingly complex and evolving.
RH-ISAC Research
RH-ISAC threat researchers partnered with a security researcher to investigate a number of subdomain takeover spam websites impersonating organizations in the hospitality and travel sectors in the first half of 2022.
In January 2022, our research found a large group of hostnames taken over by a group suspected to be based in Russia beginning in late 2021.
In February 2022, we found a separate group of subdomain takeovers serving phishing pages to Google and leveraging malicious PDF files impersonating various business, education, and mental health documents. The subdomains compromised in the campaign did not appear to have a central theme or concentrated target group.
The process for taking over the subdomains seen in our research is as follows:
- The threat actor discovers an AWS/Azure resource that is no longer up but is still referenced by DNS records
- The threat actor stands up an identical AWS/Azure resource and points DNS records towards their own server
The taken-over subdomains were first noticed because the threat actor was hosting spam sites that were self-referential, with all links leading to the same domain. The actor had obfuscated JavaScript injected from Russian-hosted servers. Images on the page were hosted on various sites across the internet. Most of the images had the same root appearance in the form of a theme or screen and all served sitemaps, hosting 20,000 to 30,000 different pages in multiple languages, including English, German, and Japanese.
The threat actor adapted tactics over time. For instance, the actor switched from using semantic names to randomly generated names to avoid being searchable, and easily identifiable. The actor also altered the site format to make it more difficult to find. After these changes, only 50 to 70 different sites were listed. However, the remaining sites were all hidden via CSS and dynamically loaded.
Impact Analysis
Subdomains are often difficult to track and secure, especially for larger, more complex organizations with multiple imprints or businesses. The tactics, techniques, and procedures (TTPs) used to compromise subdomains continue to evolve, with DNS hijacking via misconfigurations and domain squatting after registrations lapse being the most prevalent methods. DNS hijacking requires some level of technical ability from a threat actor, meaning it has a potentially high impact but a lower likelihood. Domain squatting only requires sufficient funding to register a subdomain, either legitimate or convincing enough to use for phishing or other targeting campaigns, meaning it has a potentially higher impact and likelihood.
Mitigations
In order to counter subdomain takeover attacks, organizations have several key options:
- Implement an attack surface monitoring solution that includes a subdomain monitoring capability
- Conduct an inventory of known subdomains for the organization and create a process for continuous tracking of status and registration information
- Conduct regular checks for potential unknown or fraudulent subdomains as part of regular security monitoring
- Conduct regular checks for DNS configurations to ensure properly secure standards are implemented
In addition to the joint research by RH-ISAC and our partner researcher and the statistics from the Detectify report, RH-ISAC members continue to share intelligence on subdomain compromises on Member Exchange and Slack at a regular pace. Learn more about RH-ISAC membership.