Disinformation Spread<\/strong>: Malicious actors capitalize on the credibility of reputable entities such as media outlets, government bodies, or universities, using subdomains to disseminate false information. This undermines public trust in reliable sources, fosters disinformation campaigns that manipulate public opinion, and destabilizes communities and societies.
Phishing Attacks<\/strong>: Attackers can craft convincing phishing pages using the subdomain to trick unsuspecting users into revealing sensitive information.
Social Engineering Attacks<\/strong>: The subdomain can serve as a launching pad for compelling social engineering campaigns, manipulating individuals into disclosing confidential data or engaging in harmful activities.<\/p>\n\n\n\n
To forestall potential attacks and raise public awareness about this widespread vulnerability, we have proactively assumed control over websites belonging to particularly susceptible organizations and informed them.<\/p>\n\n\n\n
Government, Party, University and Media Websites Affected<\/h2>\n\n\n\n
We have taken over blogs hosted on WordPress.com for the Australian Department of Foreign Affairs and Trade (https:\/\/blog.dfat.gov.au<\/a>), the UK Meteorological Office (https:\/\/blog.theukmetoffice.gov.uk<\/a>), the US states of Rhode Island (https:\/\/blog.health.ri.gov<\/a>) and Nebraska (https:\/\/test.ne.gov<\/a>) as well as US Based Varobank (https:\/\/blog.varobank.com<\/a>).<\/p>\n\n\n\n Additionally, AWS S3 Buckets referenced by DNS entries from German Ergo Group’s insurance subsidiary Nexible (http:\/\/s3.nexible.de\/index.html<\/a>) and Germany-based tobacco conglomerate Dannemann (http:\/\/img.dannemann.com\/index.html<\/a>) have been secured by Certitude Consulting. Furthermore, the podcast platforms hosted by Buzzsprout for the Austrian political party FP\u00d6 (https:\/\/podcast.fpoe.at<\/a>), Nasdaq-listed technology firm Netscout Systems (https:\/\/podcast.netscout.com<\/a>) and US insurance giant Penn Mutual (https:\/\/podcast.pennmutual.com\/<\/a>) have been taken over. The situation becomes even more concerning as valid TLS certificates were issued for websites hosted on platforms like WordPress or Buzzsprout. This aspect further magnifies the illusion of content legitimacy, making the potential threats even harder to discern.<\/p>\n\n\n\n A similar approach enabled the forced redirection of subdomains. However, no valid TLS certificate is issued in this case. In this manner, we took control of websites belonging to news network CNN (http:\/\/insession.blogs.fortune.cnn.com<\/a>), the government of the Canadian province Newfoundland and Labrador (http:\/\/atippblog.gov.nl.ca<\/a>), international non-governmental organization Caritas (http:\/\/blog.caritas.org<\/a>), US-based Bankfive (http:\/\/blog.bankfive.com<\/a>), University of California (http:\/\/blog.admission.ucla.edu<\/a>), University of Pennsylvania (http:\/\/blog.wic.library.upenn.edu<\/a>) as well as Stanford University (http:\/\/shaqfehgroup.stanford.edu<\/a>) and redirected them to a newly created WordPress blog (http:\/\/subdomainhijackingblog.wordpress.com<\/a>).<\/p>\n\n\n\n The Domain Name System (DNS) operates as a hierarchical and distributed naming system for online resources such as servers and services. When an organization opts for a cloud service, it creates an account within the service, incorporates resources and materials, and subsequently associates the cloud service with its DNS records on its own DNS servers:<\/p>\n\n\n When a domain or subdomain has been associated with a specific service hosted on a cloud platform, and that service is no longer in use (due to subscription cancellation or failure to pay for the service), the DNS records continue to point to a non-existent cloud resource, creating what’s known as a “dangling” DNS record:<\/p>\n\n\n If cloud service providers do not implement specific countermeasures, unauthorized attackers could register an account on the cloud platform and link it to the dangling DNS records. As the organization’s DNS records still point to the endpoint of the cloud platform, the attacker effectively seizes control over the subdomain, a scenario referred to as “subdomain hijacking” or “subdomain takeover”:<\/p>\n\n\n Certitude Consulting recommends that all organizations to regularly audit DNS records and to deactivate cloud resources only after associated DNS records have been removed.<\/p>\n\n\n\n In most cases, the hijacking of subdomains could be effectively prevented by cloud services through domain ownership verification and not immediately releasing previously used identifiers for registration. Therefore, Certitude Consulting also urges cloud service providers to implement such protection mechanisms. Microsoft implemented this for Azure Storage Accounts several months ago. Other providers, such as Amazon Web Services, have not yet implemented such mechanisms.<\/p>\n\n\n\n Enumeration methods for dangling DNS records or any vulnerability details identified during this research will not be disclosed publicly at this time. All organizations mentioned in this post have been contacted because of their dangling DNS records. It was not feasible to inform all >1.000 organizations. Coordination with the Austrian CERT is in progress.<\/p>\n\n\n\n Archived URLs:<\/p>\n\n\n\n https:\/\/web.archive.org\/web\/20230829125434\/https:\/\/blog.dfat.gov.au\/<\/a> <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" We identified >1000 organizations susceptible to subdomain hijacking. Among them are Australian foreign ministry, CNN, Stanford University, FP\u00d6, US states, German enterprises, US banks, universities, Governments,… We only analyzed a limited sample of cloud services and DNS records. We assume that the total of affected domains could be several hundred thousand or more.<\/p>\n","protected":false},"author":15,"featured_media":2175,"comment_status":"closed","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60,103],"tags":[],"class_list":["post-2151","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical-analysis","category-vulnerability-research-en"],"_links":{"self":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/2151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/comments?post=2151"}],"version-history":[{"count":22,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/2151\/revisions"}],"predecessor-version":[{"id":2207,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/2151\/revisions\/2207"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media\/2175"}],"wp:attachment":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media?parent=2151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/categories?post=2151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/tags?post=2151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2023\/08\/0-blog.dfat_.gov_.au_.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2023\/08\/0-podcast.fpoe_.at_.png\")
<\/figure>\n\n\n\nUnderstanding Subdomain Hijacking<\/h2>\n\n\n\n
![\"\"](\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2023\/08\/Subdomain-Hijacking1.drawio.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2023\/08\/Subdomain-Hijacking2.drawio.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2023\/08\/Subdomain-Hijacking3.drawio.png\")
<\/figure>\n<\/div>\n\n\nPreventing Subdomain Hijacking<\/h2>\n\n\n\n
Research Methods and Disclosure<\/h2>\n\n\n\n
References<\/h2>\n\n\n\n
https:\/\/web.archive.org\/web\/20230830055441\/https:\/\/blog.theukmetoffice.gov.uk\/<\/a>
https:\/\/web.archive.org\/web\/20230830055450\/https:\/\/blog.health.ri.gov\/<\/a>
https:\/\/web.archive.org\/web\/20230830055510\/https:\/\/test.ne.gov\/<\/a>
https:\/\/web.archive.org\/web\/20230830055605\/https:\/\/blog.varobank.com\/<\/a>
https:\/\/web.archive.org\/web\/20230830055650\/https:\/\/podcast.fpoe.at\/2158749\/13491196-security-awareness-notice<\/a>
https:\/\/web.archive.org\/web\/20230830055750\/https:\/\/podcast.netscout.com\/2235256\/13491204-security-awareness-notice<\/a>
https:\/\/web.archive.org\/web\/20230830060251\/https:\/\/podcast.pennmutual.com\/2235346\/13491211-security-awareness-notice<\/a>
https:\/\/web.archive.org\/web\/20230830055940\/http:\/\/s3.nexible.de\/index.html<\/a>
https:\/\/web.archive.org\/web\/20230830060404\/http:\/\/img.dannemann.com\/index.html<\/a>
https:\/\/archive.is\/RIVVu<\/a>
https:\/\/archive.is\/AqTBG<\/a>
https:\/\/archive.is\/f0SfN<\/a>
https:\/\/archive.is\/6kb5c<\/a>
https:\/\/archive.is\/poPl2<\/a>
https:\/\/archive.is\/ZLuWG<\/a>
https:\/\/archive.is\/YIPVZ<\/a>
<\/p>\n\n\n\n