How EASM Can Prevent Subdomain Takeover


When was the last time you checked DNS configurations for subdomains pointing at services no longer in use? According to Crowdsource ethical hacker Thomas Chauchefoin, expired and forgotten subdomains can easily become an entry point for an attacker to steal sensitive data and launch phishing campaigns, but having the right tool in place can keep them at bay.

It’s no secret that more third-party services and more subdomains mean a larger attack surface, and therefore a higher risk of cyber threats. The basic premise of a subdomain takeover is a host that points to a particular service (e.g. GitHub Pages, Heroku, Desk, etc.) no longer in use, which an adversary can use to serve content on the vulnerable subdomain by setting up an account on that third-party service. As a hacker and a security analyst who has dealt with this type of issue, Chauchefoin explains how it can be risky for your business.

How subdomain takeover was discovered 

Subdomain takeover was pioneered by ethical hacker Frans Rosén and popularized by Detectify in a blog post back in 2014. Many years on, Detectify has continued to build on that work. However, it remains an overlooked and widespread vulnerability. Even companies that claim to prioritize security, such as Sony, Slack, Snapchat, and Uber, have been victims of subdomain takeovers.

Microsoft, too, has struggled with managing its thousands of subdomains, many of which were hijacked and used against users or its employees, or for showing spam content. Its subdomains are vulnerable to basic misconfigurations in their respective DNS entries. Chauchefoin adds that these issues remain either unfixed or unknown, as subdomain takeovers might not be part of the company’s bug bounty program. The main reason, he says, is that most companies have poor DNS hygiene, which opens the door to all kinds of abuse that can become part of larger and more dangerous attack campaigns against your organization and its stakeholders.

Subdomains – gateway into the inner workings of an organization

Subdomains are not limited to the attack surface an organization directly controls – such as internal domains and the apps you build – but also include externally attackable points. A subdomain takeover can be particularly problematic because subdomains aren’t always closely guarded assets, which means a takeover can go undetected for some time.

If your company’s subdomains are left unmonitored for vulnerabilities and misconfigurations, you run the risk of being unaware of what is happening to them until a malicious actor has taken control. Once attackers have access to the subdomain’s name servers or registrar account credentials, they can modify the delegation records, or have another party with access do so, so that the subdomains point to their own name servers rather than the originals. By then it is already too late to recover.

These breaches ultimately lead to data loss, brand reputation damage, and stolen customer data for the enterprise. 
Danger Danger: Dangling CNAME records

There are many ways cybercriminals could exploit unmonitored subdomains to steal information or deface sites. Malicious hackers are finding it easier to take over, or exploit the vulnerabilities in, third-party assets within an enterprise’s ecosystem to carry out attacks such as malicious code injection, DNS hijacks or abuse of the enterprise’s branded assets. In many instances, password managers automatically fill out login forms on subdomains belonging to the main application. As Chauchefoin recalls, “I still remember that the password manager LastPass used to auto-fill passwords even on subdomains, which could be dangerous in the case of targeted attacks.”

A subdomain takeover is an attack in which an attacker seizes control over a subdomain through its DNS. When a DNS record points to a resource that is no longer available, the record itself should be removed from your DNS zone. If it hasn’t been deleted, it is a “dangling DNS” record and creates the possibility of a subdomain takeover. An attacker can leverage that subdomain to perform attacks such as setting up phishing forms.

How a hacker takes over a subdomain 

The most common situation is when a dangling record points to an expired online asset. By creating an account on this platform and claiming this subdomain, the attacker can deploy arbitrary content on it. It could help them perform further attacks, such as affecting primary domains that point to resources on the one that was just taken over. “It’s also common to point to IP ranges like EC2 or OVH, where attackers could try to rent multiple servers and get the same IP as the one previously used if they are lucky enough,” Chauchefoin says.

Detailing the process, Chauchefoin notes that a subdomain takeover is rather easy to accomplish: it simply entails creating an account on a platform and claiming the subdomain.

Let’s assume that domain.com – a site owned by you – is the target and has a subdomain helpdesk.domain.com linked to a support ticketing service. While enumerating all of the subdomains belonging to domain.com, an attacker who stumbles across helpdesk.domain.com can find out where it belongs by reviewing the subdomain’s DNS records, and could potentially take it over if it was abandoned. If an attacker were to take ownership of helpdesk.domain.com, they could build a convincing clone of an official support website, or even of domain.com. Then, by using spear phishing techniques or waiting for victims to fall into the trap via search engines, they could steal sensitive information from them. It would be practically impossible for users to know that they had just arrived on a fake, attacker-controlled website, as the domain name is legitimate.

Attackers could then push malware, host static resources under this subdomain or expose services, including a proxy that makes helpdesk.domain.com look like domain.com while intercepting the traffic of anyone who visits helpdesk.domain.com.
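The defender’s side of the helpdesk.domain.com scenario is a zone audit that follows each CNAME chain and flags targets that no longer resolve. The following is an added example, not Detectify’s scanner: the zone, the third-party names and the resolver are constructed so it runs offline, and in practice `resolve` would wrap a real DNS lookup.

```python
"""Flag CNAME records whose targets no longer resolve (dangling records).
Added illustration, not Detectify's code; all data below is constructed."""
from typing import Callable, Dict, Optional, Tuple

Record = Tuple[str, str]                       # (record type, target)
Resolver = Callable[[str], Optional[Record]]   # None stands for NXDOMAIN

# Constructed zone for domain.com.
ZONE: Dict[str, Record] = {
    "domain.com": ("A", "203.0.113.10"),
    "www.domain.com": ("CNAME", "domain.com"),
    "helpdesk.domain.com": ("CNAME", "acme-tickets.example-support.net"),
    "status.domain.com": ("CNAME", "edge.example-cdn.net"),
    "docs.domain.com": ("CNAME", "loop.domain.com"),
    "loop.domain.com": ("CNAME", "docs.domain.com"),
}
# Constructed view of third-party names that still exist. The ticketing
# vendor account was cancelled, so acme-tickets.example-support.net is gone.
EXTERNAL: Dict[str, Record] = {"edge.example-cdn.net": ("A", "198.51.100.7")}

def fake_resolve(name: str) -> Optional[Record]:
    """Stand-in resolver consulting the constructed zone and external names."""
    return ZONE.get(name) or EXTERNAL.get(name)

def classify(name: str, resolve: Resolver, max_hops: int = 8) -> str:
    """Follow the CNAME chain from `name`: 'ok' (ends in an address record),
    'dangling' (a CNAME target is NXDOMAIN), 'nxdomain' (the name itself is
    gone), 'loop' (chain revisits a name) or 'too-long' (over max_hops)."""
    seen = []
    current = name
    while len(seen) < max_hops:
        if current in seen:
            return "loop"
        seen.append(current)
        rec = resolve(current)
        if rec is None:
            return "dangling" if len(seen) > 1 else "nxdomain"
        rtype, target = rec
        if rtype != "CNAME":
            return "ok"
        current = target
    return "too-long"

def audit(zone: Dict[str, Record], resolve: Resolver) -> Dict[str, str]:
    """Classify every CNAME owner in the zone; anything not 'ok' needs review."""
    return {n: classify(n, resolve) for n, (t, _) in zone.items() if t == "CNAME"}

if __name__ == "__main__":
    for name, state in audit(ZONE, fake_resolve).items():
        print(f"{name:22} {state}")
```

A dangling result is the cue to delete the record (or re-provision the service); a loop is also worth fixing, since it hides what the name was meant to serve.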

Takeover method #1

Chauchefoin points out that when trying to take over a subdomain, the most common workflow for a hacker is to start with extensive “reconnaissance” to discover existing DNS records. “After the reconnaissance phase, hackers will try to look for any anomaly in the DNS records and probe the exposed services to look for errors which indicate that it is a dangling domain,” he says. Hunters often rely on services that were not originally intended for that use. For instance, Certificate Transparency databases – the open framework for monitoring SSL certificates – contain millions of entries and are a gold mine, he adds. In many cases, attackers may be able to obtain and install a valid TLS certificate for the vulnerable subdomain to serve their phishing site over HTTPS. Other active techniques involve brute-forcing subdomains based on lists of the most common values, naming conventions and permutations: the hacker iterates through a wordlist and, based on the response, determines whether or not the host is valid.
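The same Certificate Transparency data lets a Blue Team inventory its own names before a hunter does. This added example (not Detectify’s code) parses records in the shape crt.sh’s JSON output uses, where each entry’s `name_value` lists the certificate’s names separated by newlines, and reports names that are absent from the team’s asset inventory; the entries and the inventory are constructed.

```python
"""Inventory subdomains seen in Certificate Transparency logs and surface the
ones your asset list does not know about. Added illustration, not Detectify's
code; the CT records and inventory below are constructed."""
import json
from typing import Iterable, List, Set

# Constructed sample in the shape of crt.sh's JSON output for domain.com.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "domain.com", "name_value": "domain.com\nwww.domain.com"},
    {"common_name": "helpdesk.domain.com", "name_value": "helpdesk.domain.com"},
    {"common_name": "*.domain.com", "name_value": "*.domain.com\ndomain.com"},
    {"common_name": "old-staging.domain.com", "name_value": "OLD-Staging.domain.com"},
    {"common_name": "domain.com.evil.example", "name_value": "domain.com.evil.example"},
])

def ct_names(raw_json: str, apex: str) -> Set[str]:
    """Return every distinct host name at or under `apex` found in the records.
    Wildcards are dropped (they name no concrete host), names are lower-cased,
    and look-alikes such as domain.com.evil.example are excluded because the
    match is on the '.apex' suffix, not on a substring."""
    suffix = "." + apex
    found: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name == apex or name.endswith(suffix):
                found.add(name)
    return found

def unknown_names(ct: Iterable[str], inventory: Iterable[str]) -> List[str]:
    """Names present in CT data but absent from the asset inventory."""
    known = {n.lower() for n in inventory}
    return sorted(n for n in ct if n not in known)

if __name__ == "__main__":
    # Constructed asset inventory: what the team believes it operates.
    inventory = ["domain.com", "www.domain.com", "helpdesk.domain.com"]
    for n in unknown_names(ct_names(SAMPLE_CT_JSON, "domain.com"), inventory):
        print("not in inventory:", n)
```

Each unknown name is a candidate for the dangling-record check, or for deletion if nobody claims ownership of it.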

Takeover method #2

Another way to do it would be to compromise the target’s DNS servers, or even the registrar, to change the DNS records associated with the targeted domain. While this method is less common, Detectify co-founder and security researcher Fredrik Nordberg Almroth did it with the .cd ccTLD, where he claimed the expiring name server for the Democratic Republic of Congo’s top-level domain before it was due to enter deletion status.

Takeover method #3

Hackers can also execute second-order subdomain takeovers, where vulnerable subdomains that do not necessarily belong to the target are used to serve content on the target’s website. This happens when a resource is imported on the target page, for example via JavaScript, and the hacker can claim the subdomain from which that resource is loaded. More on this soon.

Three ways you can fail if you overlook the risk

An attacker can make use of stale DNS records to claim an AWS S3 bucket, or another resource, that your subdomain still points to but that your organization no longer uses. It can then be used to target your users, leak their account details via XSS and host phishing pages on your company’s domains. In many cases, an attacker can easily steal a victim’s cookies and credentials via XSS if they are accessible from the subdomain.

In addition to serving malicious content to users, attackers can potentially intercept internal emails, mount clickjacking attacks, hijack users’ sessions by abusing OAuth whitelisting and abuse cross-origin resource sharing (CORS) to harvest sensitive information from authenticated users.

Although a subdomain takeover can seem dangerous, Chauchefoin says that it may pose a relatively minor threat in itself and is generally part of a bigger picture or attack. However, when combined with other seemingly minor security misconfigurations, it may allow an attacker to cause greater damage.
Why Blue Teams need to care

The impact of a subdomain takeover depends on the nature of the third-party service that the vulnerable subdomain points to. The need to keep track of all subdomains is not limited to companies transitioning to the cloud.

Chauchefoin says that company executives forgetting about subdomains that were created is increasingly common. Consequently, it is vital for any Blue Team to be able to identify any change or vulnerability on external assets. “An up-to-date map of public-facing services helps in taking accurate decisions when it comes to removing the legacy ones to reduce the overall attack surface,” he continues.

Of course, subdomain takeover is a risk for any company irrespective of industry; however, Chauchefoin believes that larger enterprises face a bigger risk as they can have thousands of subdomains. For instance, some time ago The Register reported that subdomains of Chevron, 3M, Warner Brothers, Honeywell, and many other large organizations were hijacked by hackers who redirected visitors to sites featuring porn, malware and online gambling.

Keeping track of your subdomains

Many companies have subdomains pointing to applications hosted by third parties that lack proper security practices. Don’t be one of them. When determining plausible attack scenarios for a misconfigured subdomain – and even more so once an attacker controls it – it is crucial to understand how the subdomain interacts with the base name and the target’s core service, and how these subdomains are used in applications within your infrastructure.

Detecting that a subdomain takeover is being actively exploited is difficult; you may realize it too late. Once a bad actor claims your subdomain, you might not know in time, as it will no longer show up as vulnerable in a scan. The attacker might even put a cat meme on the page, and by then the damage is already done. Remember the hacker ‘Pro_Mast3r’ who took over Donald Trump’s fundraising website due to a DNS misconfiguration? The hacker replaced secure2.donaldjtrump.com with an image of a man wearing a fedora and the message:

“Hacked By Pro_Mast3r ~
Attacker Gov’
Nothing Is Impossible
Peace From Iraq.”

What can you do? 

Given the urgency of tackling the risk of expired or forgotten subdomains, bringing in external attack surface monitoring can be beneficial. It identifies subdomains that have been misconfigured or are unauthorized, so you can find and fix them before a subdomain takeover happens. External subdomain monitoring can help you perform a subdomain takeover risk analysis and map out your external attack surface by looking at all expired subdomains. Chauchefoin says, “Going forward, tools like Detectify will become part of the essential toolkit of any Blue Team, as they provide a considerable value for a fraction of the cost of what it would have been to perform it using non-automated means.”

Where Detectify comes in

Chauchefoin explains, “It is hard to keep up with the constant feed of new public vulnerabilities and update vital services in a timely manner. Assuring service continuity is a very costly process, and not all vulnerabilities have the same level of criticality.” As a result, tools like Detectify can help your team prioritize this task by notifying them of the presence of actual exploitable vulnerabilities on the perimeter. In fact, Detectify has over 600 unique techniques to discover subdomain takeovers. Identifying subdomain takeovers is tricky business, as detection relies on signature-based tests, which are prone to false positives when signatures are outdated.

It is impossible for a single person to stay updated on new vulnerabilities and possible misconfigurations. Integrating a team of hackers in this process allows companies to get actionable proof-of-concepts for virtually every new piece of public research, and even zero-days. Detectify leverages a Crowdsource community of over 400 handpicked ethical hackers, who monitor your subdomain inventory and dispatch alerts as soon as an asset is vulnerable to a potential takeover. Its community of bug bounty hunters constantly monitors targets for changes and continuously keeps an eye on every single subdomain that they can find.

See what Detectify will find in your online attack surface. Start a 2-week free trial or talk to our experts.

If you are a Detectify customer already, don’t miss the What’s New page for the latest product updates, improvements, and new security tests.

Go hack yourself!