Subdomain Takeover Attacks

Written by Bar Hajby, Penetration Tester at Clear Gate Cyber Security and Research.

This article is also available on our blog:

https://www.clear-gate.com/blog/subdomain-takeover-attacks/

Introduction

While not as widely recognized as other cybersecurity threats, subdomain takeover attacks have gained significant attention in recent years due to their potential to cause severe security breaches. These attacks occur when an adversary takes control of a subdomain that has been misconfigured or left vulnerable, often due to changes in DNS settings or the termination of associated services. The consequences of a successful subdomain takeover can be devastating, leading to unauthorized access, phishing attacks, and reputation damage. This article will explore the mechanics of subdomain takeovers, discuss the potential impacts, and provide practical guidance on preventing your domain from falling victim to these critical vulnerabilities.

What is a Subdomain Takeover?

A subdomain takeover happens when an adversary grabs control of an organization’s subdomain. This subdomain points, for example, to a web application, such as a cloud service (like AWS, Azure, or GitHub Pages) that the company doesn’t use anymore. Despite the service being discontinued, the associated DNS record—often a CNAME or A record—remains in place, allowing the subdomain to resolve to that service. This oversight creates a vulnerability, as an adversary can claim the unutilized resource on the cloud service and effectively hijack the subdomain. The adversary can then leverage this control to serve malicious content, launch phishing attacks to steal sensitive data or damage the organization’s brand reputation by using the compromised subdomain for nefarious purposes.

How do Subdomain Takeovers Occurs?

Subdomain takeovers typically happen in the following scenario:

1. Inactive Services: organizations often move services between different cloud providers or simply discontinue a service. However, they may forget to remove the DNS records associated with the old subdomain.
2. Orphaned DNS Records: the DNS record points to the service provider, even though the resource (like a web application or storage bucket) has been deleted.
3. Attacker Exploitation: an adversary who notices the subdomain is still pointing to an unclaimed resource can register the resource (like an S3 bucket or GitHub pages site) under their control, effectively taking over the subdomain.
4. Execution of Malicious Activities: once the adversary has gained control, they can host malicious content, phishing pages, or other harmful material that appears to come from a legitimate organization.

Real-Life Example

To understand the attack vector better, a real-life scenario can be demonstrated briefly. In 2016, Uber faced a significant security breach due to a subdomain takeover, exposing sensitive information about drivers and passengers, stemming from an unclaimed Amazon Web Services (AWS) S3 bucket linked to one of Uber’s subdomains, which allowed an adversary to control it and manage content from the affected subdomain, leading to severe consequences for Uber, including a $148 million settlement, highlighting the critical need for organizations to properly manage and monitor their DNS configurations to prevent such vulnerabilities.

Consequences

The consequences of a subdomain takeover can be severe. Following are the possible attack scenarios that can arise from the subdomain takeover vector:

1. Phishing Attacks: adversaries can host fake login pages or other phishing sites on the hijacked subdomain, tricking users into providing sensitive information as they can from a legitimate source.
2. Reputation Damage: hosting inappropriate or malicious content on a legitimate-looking subdomain can damage an organization’s reputation.
3. Data Theft: adversaries might use the subdomain to intercept sensitive data, especially if users or systems trust the subdomain based on its legitimate origin.
4. Spreading Malware: the adversary could host malware on the hijacked subdomain, infecting system users.

Mitigation

Preventing subdomain takeovers involves both proactive and reactive measures:

1. Regular Audits: conduct regular audits of your DNS records to ensure that all subdomains are actively used. Remove any DNS entries that point to decommissioned services.
2. Monitor for Orphaned Resources: implement monitoring tools to alert you when a DNS record is pointing to a service that has been decommissioned or is inactive.
3. Use DNS Wildcard Records Carefully: be cautious with DNS wildcard records, as they can make it more challenging to identify orphaned subdomains.
4. Claim Resources Before Decommissioning: before discontinuing a service, ensure that no DNS records are pointing to it or claim the resource (like a cloud bucket) to prevent adversaries from doing so.
5. Automated Scanning: automated tools are used to scan for subdomains that might be vulnerable to takeover.
6. Security Awareness: train your development and operations teams to be aware of the risks associated with subdomain takeovers and to follow best practices in managing DNS and cloud services.

Conclusions

Subdomain takeover attacks are a subtle yet powerful threat with severe consequences if not addressed. Organizations can significantly reduce the risk of a subdomain takeover by understanding how these attacks occur and taking proactive steps to manage DNS records and cloud services. Regular audits, monitoring, and security awareness are crucial to ensuring that your domain remains secure and out of the hands of adversaries.

Staying vigilant and proactive is the best defense against subdomain takeover attacks. By securing your subdomains, you protect not only your organization’s assets but also its reputation and the trust of your users.

Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in their subdomains, which is an important priority when developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations protect valuable data from potential threats.

References

• Uber Wildcard Subdomain Takeover
• Comprehensive Synopsis of 217 Subdomain Takeover Reports
• Subdomains Takeover – What is it? How to exploit it? Where to find them?
• Subdomain Takeover – uber.rider.com