TMCnet Feature
January 23, 2024

Subdomain Takeover: Businesses Forget, but Hackers Don't Forgive

Digital assets are easy to forget, and the consequences of that can be drastic. Digital transformation has been going on for more than two decades and doesn’t seem to slow down. According to Harvard Business Review, at least 89% of companies have some digital transformation initiative ongoing.

Lately, digital has become almost a synonym for online. Businesses continue to register domains and subdomains, reaching a total of 359.3 million domain name registrations as of the 3rd quarter of 2023, according to DNIB.com. Each domain can have up to 500 subdomains.

What happens if a business forgets a subdomain?

Notable Cases of Subdomain Takeover

When Microsoft forgot about several subdomains in 2020, malicious actors managed to take over 4 of them and advertise Indonesian casinos there. According to ZDNet, these 4 were just a fraction of all Microsoft’s subdomains that were vulnerable to subdomain takeover. Microsoft has since fixed at least some of them.

Another notable example happened to Uber. In 2016, cybersecurity researcher Arne Swinnen discovered that one of Uber’s subdomains was vulnerable to subdomain takeover. It turned out that taking control over one subdomain would have been enough to control all of them, because Uber’s Single Sign-On system was based on cookies and vulnerable to cookie theft. As a result, one forgotten subdomain allowed potential attackers to bypass authentication into Uber’s systems altogether.

Fortunately for Uber, Swinnen disclosed everything to Uber in an ethical manner, and they were able to fix the problem. However, the same year Uber became a victim of another attack that led to a massive data breach, exposing 57 million accounts. Uber ended up paying $148 million for failing to disclose this breach.

Microsoft and Uber are not the only companies whose subdomains were discovered to be vulnerable to subdomain takeover. It happened to Starbucks, Slack, United Airlines, and many more.

Why Does Subdomain Takeover Happen?

The reason for subdomain takeover is the so-called dangling DNS. If there’s a canonical name (CNAME) record for a subdomain in the Domain Name System (DNS), but no host is providing content for it, an attacker may create a host and provide their own content for this subdomain.

Usually that happens when a subdomain was used for some period of time, and then the business didn’t need it anymore, so they took the host down, but forgot to remove the DNS record.
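The defender's check that follows from this explanation is to walk the organization's own DNS inventory and flag every CNAME whose target no longer exists. The example below is added here and is not from the article; the zone data, hostnames and resolver are constructed, and the resolver is injected so the check runs offline (in production you would back it with a real DNS lookup).

```python
"""Flag dangling CNAME records in a DNS zone inventory (added example).

A subdomain is "dangling" when its CNAME points at a host that no longer
exists (NXDOMAIN): the precondition for subdomain takeover. The check also
follows CNAME chains that stay inside the inventory and reports loops.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Resolver contract (assumption): return the addresses for a hostname,
# or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[list[str]]]


@dataclass(frozen=True)
class Finding:
    subdomain: str
    cname_target: str
    reason: str


def find_dangling_cnames(zone: dict[str, str], resolve: Resolver,
                         max_depth: int = 8) -> list[Finding]:
    """zone maps subdomain -> CNAME target. Returns one Finding per problem."""
    findings = []
    for name in sorted(zone):
        target, seen, depth = zone[name], {name}, 0
        # Follow CNAME chains that point at other names in our own inventory.
        while target in zone and target not in seen and depth < max_depth:
            seen.add(target)
            target, depth = zone[target], depth + 1
        if target in seen:
            findings.append(Finding(name, target, "CNAME loop"))
        elif resolve(target) is None:
            findings.append(Finding(name, target, "CNAME target returns NXDOMAIN"))
    return findings


# Constructed sample inventory (hypothetical names, not real assets).
SAMPLE_ZONE = {
    "promo2019.example.com": "promo2019.pages.hosting-example.net",  # campaign host deleted
    "www.example.com": "lb.example-cdn.net",
    "static.example.com": "www.example.com",                            # chain inside the zone
    "assets.example.com": "example-assets.bucket-example.net",         # bucket removed
}
# Constructed view of "the rest of DNS": only one external target still exists.
SAMPLE_DNS = {"lb.example-cdn.net": ["203.0.113.10"]}


def sample_resolver(host: str) -> Optional[list[str]]:
    return SAMPLE_DNS.get(host)


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"{f.subdomain} -> {f.cname_target}: {f.reason}")
```

A name that still resolves can also be at risk when the target is a third-party service that has released the resource; that case needs a service-specific check on top of this one.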

There can be many different scenarios as to why that may happen. Here are some examples:

  • Marketing teams often create subdomains for campaigns and then abandon them shortly after the campaign is over. If they forget to remove the corresponding DNS record, this subdomain might become vulnerable to subdomain takeover. That can also happen if there’s a vulnerability on the landing page builder’s side – like the one that was discovered in Unbounce in 2017.
  • Website administrators can leave the company for whatever reason, and they can be the only ones who remember about the existence of some subdomains. After the hosts that served content for them go down, it becomes possible to take over these subdomains.
  • The same can happen during a merger or an acquisition (commonly referred to as M&A). In fact, IBM’s research highlights that 1 in 3 companies that go through M&A experience a data breach.
  • Another typical case is subdomain takeover due to deleted object containers (buckets) in cloud services such as Amazon S3 or Microsoft Azure (in the latter case these containers are called blobs). That happened to the US Department of Defense (DoD) in 2020.

There are many other causes and cases; these are just the most typical. Due to the abundance of different attack vectors and the relative ease of attack execution, the number of subdomain takeover attacks continues to increase every year. According to Attaxion, domains, subdomains, and their vulnerabilities constitute the bigger part of the external attack surface for most companies.

The Consequences of a Subdomain Takeover

While one subdomain doesn’t seem like much, the consequences of subdomain takeover for a business can be drastic.

  • Attackers can use taken-over subdomains to run unwanted ads, as in Microsoft’s case that I mentioned at the beginning of this article.
  • Similarly, attackers can use claimed subdomains for phishing – hosting pages that look the same as the ones the business uses, and collecting personal data from its customers.
  • A subdomain takeover can easily lead to a data breach, like in Uber’s case, where it was possible to get control of all subdomains and bypass authentication used in Uber’s SSO.
  • Every cyberattack causes at least some brand reputational damage, and a subdomain takeover is no exception, especially if it’s discovered by the public before it’s discovered by the company that has registered the subdomain.

Subdomain Takeover Prevention and Mitigation

Mitigating a subdomain takeover (if it didn’t lead to exploitation of any other vulnerabilities) is simple – it’s enough to remove the DNS entry that was pointing to the missing host. However, after that businesses have to deal with all other consequences of a potential breach.

Preventing subdomain takeovers helps avoid such outcomes, but it’s much harder, because the organization needs to have a complete inventory of their subdomains, as well as continuous control of what’s happening with them.

Different teams in an organization can create subdomains, and not all are equally scrupulous in taking care of them. Not only does the organization need to have a complete inventory of its subdomains, it also should take care of patching vulnerable software that is used on these websites. Continuous digital transformation and the ever-growing number of subdomain takeover attacks signify the importance of automation in this area.

To address this issue, security teams have to use tools like External Attack Surface Management (EASM) platforms that automate subdomain enumeration and provide constant monitoring.

EASM platforms take an outside-in approach, looking at the organization’s attack surface the same way hackers do. That allows them to discover subdomains that attackers may potentially find, as well as scan them for vulnerabilities. EASM tools provide the security team with all the necessary information to manage and prioritize vulnerabilities, together with continuous monitoring and notifications about issues such as dangling DNS.

Different EASM tools use different techniques to find and attribute assets that belong to the company. The EASM platform’s coverage – the amount of different assets an EASM tool can discover and analyze – plays the key role here. The higher the coverage, the lower the chance of missing something that could be an entry point for attackers, and the better the company is protected from subdomain takeover.

Author: Alexander Perekalin

Alexander Perekalin is a journalist and a cybersecurity enthusiast dedicated to spreading awareness about threats and the means of protecting against them.
