When was the last time you checked DNS configurations for subdomains pointing at services not in use? According to Crowdsource ethical hacker Thomas Chauchefoin, while expired and forgotten subdomains can easily become an entrypoint for an attacker to steal sensitive data and launch phishing campaigns, a robust attack surface management programme in place can keep them at bay.
It’s no secret that with increasing third party services and more subdomains, comes a larger attack surface, therefore a higher risk of potential cyber threats. The basic premise of a subdomain takeover is a host that points to a particular service (e.g. GitHub pages, Heroku, Desk etc) not currently in use, which an adversary can use to serve content on the vulnerable subdomain by setting up an account on the third-party service. As a hacker and a security analyst, Chauchefoin who has dealt with this type of issue, reveals how it can be risky for your business.
How subdomain takeover was discovered
Various techniques for hostile subdomain takeovers were pioneered by ethical hacker Frans Rosén and popularized by Detectify in a blogpost back in 2014. Seven years on and it has continued to build on the technology. However, it remains to be an overlooked and widespread vulnerability. Even companies which claim to prioritise security such as Sony, Slack, Snapchat and Uber have been victims to subdomain takeovers.
Moreover, Microsoft too struggled with managing its thousands of subdomains, many of which were hijacked and used against users, its employees, or for showing spam content. Its subdomains are vulnerable to basic misconfigurations in their respective DNS entries. Chauchefoin adds that these issues remain either unfixed or unknown as subdomain takeovers might not be part of the company’s bug bounty programme. The main reason being, he says, that most companies have poor DNS hygiene which then opens the door to all kinds of abuse that can then can be part of larger and more dangerous attack campaigns on your organization and its stakeholders.
Subdomains – gateway into the inner workings of an organization
Subdomains are not limited to the attack surface an organization has direct control – such as internal domains and apps you build – but also external attackable points. A subdomain takeover can be particularly problematic because subdomains aren’t always closely guarded assets, which means it can go undetected for some time.
If left unmonitored for vulnerabilities and misconfigurations, you can run into the risk of being unaware of what’s happening to your company’s subdomains resulting in a malicious actor taking control. Once attackers have access to the subdomain’s name servers or registrar account credentials, they can get another entity with access to modify delegation records so the subdomains point toward their own nameservers rather than the originals. It’s already too late to recover.
These breaches ultimately lead to data loss, brand reputation damage, and stolen customer data for the enterprise.
Danger Danger: Dangling CNAME records
There are many ways cyber criminals could exploit unmonitored subdomains to steal information or deface sites. Malicious hackers are finding it easier to take over or exploit the vulnerabilities in the third-party assets within the enterprise’s ecosystem to carry out attacks such as malicious code injection, DNS hijacks or abusing the branded assets of an enterprise. In many instances, password managers automatically fill out login forms on subdomains belonging to the main application. As Chauchefoin recalls, “I still remember that the password manager LastPass used to auto-fill passwords even on subdomains, which could be dangerous in the case of targeted attacks.”
A subdomain takeover attack is a type of attack in which an attacker successfully seizes control over the subdomain in a hijacked DNS. When a DNS record points to a resource that isn’t available, the record itself should be removed from your DNS zone. If it hasn’t been deleted, it’s a “dangling DNS” record and creates the possibility for subdomain takeover. An attacker can leverage that subdomain to perform attacks like setting up phishing forms.
How a hacker takes over a subdomain
The most common situation is when a dangling record points to an expired online asset. By creating an account on this platform and claiming this subdomain, the attacker can deploy arbitrary content on it. It could help them to perform further attacks such as having an impact on primary domains pointing to resources on the one that was just taken over. “It’s also common to point to IP ranges like EC2 or OVH, where attackers could try to rent multiple servers and get the same IP as the previously used if they are lucky enough,” Chauchefoin says.
Detailing on the process, Chauchefoin proclaims that a subdomain takeover is rather easy to accomplish. It simply entails creating an account on a platform and claiming the subdomain.
Let’s assume that domain.com – a site owned by you – is the target and has a subdomain helpdesk.domain.com
linked to a Support Ticketing-service. While enumerating all of the subdomains belonging to domain.com, the attacker who stumbles across helpdesk.domain.com, can find out where it belongs by reviewing the subdomain’s DNS records and could potentially take it over if it was abandoned. If an attacker were to take ownership of helpdesk.domain.com
, they could build a convincing clone of an official support website, or even of domain.com. Then, by using spear phishing techniques or waiting for victims to fall in the trap via search engines, they could steal sensitive information from them. It would be practically impossible for users to know that they just arrived on a fake, attacker-controller website as the domain name is legit.
Attackers could then push malware, host static resources under this subdomain or expose services, which could then establish a proxy making helpdesk look like domain.com while intercepting the traffic when anyone visits helpdesk.domain.com
.
Takeover method #1
Chauchefoin points out that when trying to take over a subdomain, the most common workflow for a hacker is to start by extensive “reconnaissance” to discover existing DNS records. “After the reconnaissance phase, hackers will try to look for any anomaly in the DNS records and probe the exposed services to look for errors which indicate that it is a dangling domain,” he says. Hunters often rely on services that were not originally intended for that use. For instance, Certificate Transparency databases – the open framework for monitoring SSL Certificates – contain millions of entries and are a gold mine, he adds. In many cases, attackers may be able to obtain and install a valid TLS certificate for the vulnerable subdomain to serve their phishing site over HTTPS. Other active techniques involve brute-forcing subdomains based on lists of most common values, naming conventions and permutations. This is where the hacker iterates through a wordlist and based on the response can determine whether or not the host is valid.
Takeover method #2
Another way to do it would be to compromise the target’s DNS servers or even the registrar to change the DNS records associated with the targeted domain. While this method is less common, Detectify co-founder and security researcher Fredrik Nordberg Almroth did it with the .cd ccTLD where he claimed the expiring name server for the Democratic Republic of Congo’s top-level domain before it was going to enter into deletion status.
Takeover method #3
Hackers can also execute second-order subdomain takeovers where vulnerable subdomains which do not necessarily belong to the target are used to serve content on the target’s website. This means that a resource gets imported on the target page, for example, via JavaScript and the hacker can claim the subdomain from which the resource is being imported. More on this, soon to follow.
Three ways you can fail if you overlook the risk
An attacker can make use of stale DNS records to own the AWS S3 bucket or point to your subdomain, there is no longer a use by your organization. Therefore, it can be used to target your users, leak their account details via XSS and phish pages hosted on your companies’ domains. In many cases, an attacker can easily steal a victim user’s cookies and credentials via XSS if they are allowed on the subdomain.
In addition to serving malicious content to users, attackers can potentially intercept internal emails, mount clickjacking attacks, hijack users’ sessions by abusing OAuth whitelisting and abuse cross-origin resource sharing (CORS) to harvest sensitive information from authenticated users.
Seemingly a subdomain takeover can be dangerous, Chauchefoin says that a subdomain takeover may pose a relatively minor threat in itself and is generally part of a bigger picture or attack. However, when combined with other seemingly minor security misconfigurations, it may allow an attacker to cause greater damage.
Why Blue Teams need to care
The impact of a subdomain takeover depends on the nature of the third-party service that the vulnerable subdomain points to. The need to keep a track of all subdomains are not limited to companies transitioning to the cloud.
Chauchefoin says that company executives forgetting about created subdomains is increasingly common. Consequently, it is vital for any Blue Team to be able to identify any change or vulnerability on external assets. “An up-to-date map of public-facing services helps in taking accurate decisions when it comes to removing the legacy ones to reduce the overall attack surface,” he continues.
Of course, subdomain takeover is a risk for any company irrespective of the industry, however, Chauchefoin believes that larger enterprises face a bigger risk as they can have thousands of subdomains. For instance, just a year ago The Register reported that subdomains of Chevron, 3M, Warner Brothers, Honeywell, and many other large organizations were hijacked by hackers who redirected visitors to sites featuring porn, malware and online gambling.
Keeping track of your subdomains
Many companies have subdomains pointing to applications hosted by third parties that lack proper security practices. Don’t be one of them. When determining plausible attack scenarios with a misconfigured subdomain – moreso after an attacker controls it – it is crucial to understand how the subdomain interacts with the base name and the target’s core service and how these subdomains are used in applications within your infrastructure.
Detecting that a subdomain takeover is being actively exploited is difficult; you may realize it too late. Once a bad actor claims your subdomain, you might not know in time as it will not show up in a scan. The attacker might even put a cat meme on the page and by then, the damage is already done. Remember the hacker ‘Pro_Mast3r’ who took over Donald Trump’s fundraising website due to a DNS misconfiguration issue? The hacker replaced secure2.donaldjtrump.com with an image of a man wearing a fedora with the message:
“Hacked By Pro_Mast3r ~
Attacker Gov
Nothing Is Impossible
Peace From Iraq.”
(image:A hacker from Iraq, defaced a site previously used by former US President Donald Trump for campaign fundraising)
What can you do?
Given the urgency to tackle the risk of expired or forgotten subdomains, bringing in external attack surface monitoring can be beneficial. It identifies subdomains that have been misconfigured or unauthorized, so you can find and fix them before a subdomain takeover happens. External subdomain monitoring can help you do a subdomain takeover risk analysis and map out your external attack surface by looking at all expired subdomains. Chauchefoin says, “Going forward, EASM tools will become part of the essential toolkit of any Blue Team, as they provide a considerable value for a fraction of the cost of what it would have been to perform it using non-automated means.”
Apart from an external attack surface monitoring programme, other methods involve keeping an inventory of all your subdomains and hosts, and continuously updating it as and when they are created. It’s also important to stay vigilant of the latest known vulnerabilities that exploit DNS as soon as it is released, Chauchefoin advises.
Where Detectify comes in
Chauchefoin explains, “It is hard to keep up with the constant feed of new public vulnerabilities and update vital services in a timely manner. Assuring service continuity is a very costly process, and not all vulnerabilities have the same level of criticality.” As a result, EASM tools can help prioritising this task by notifying of the presence of actually exploitable vulnerabilities on the perimeter.
Furthermore, it is impossible for a single person to stay updated with new vulnerabilities and possible misconfigurations. Integrating a team of hackers in this process allows companies to get actionable proof-of-concepts for virtually every new public research, and even zero-days. Detectify Surface Monitoring, leverages the Crowdsource community of over 350 handpicked ethical hackers, who monitor your subdomain inventory and dispatch alerts as soon as an asset is vulnerable to a potential takeover. It’s community of bug bounty hunters constantly monitor targets for changes and continuously have an eye on every single subdomain that they can find.
See what Detectify will find in your online attack surface with a free 2-week trial. Go hack yourself!