Thousands of Organizations Vulnerable to Subdomain Hijacking
Written by Florian Schweitzer on 30.08.2023
Subdomain Hijacking presents a concerning scenario where attackers take control of websites hosted on subdomains owned by reputable organizations, enabling them to carry out activities such as malware distribution, disinformation campaigns, and phishing attacks. The surge in cloud service adoption coupled with the proliferation of disinformation and phishing efforts has intensified the magnitude of this vulnerability.
Certitude Consulting has detected instances of subdomain hijacking attacks targeting prominent public authorities. While this vulnerability is not novel, we have undertaken a comprehensive analysis to gauge its gravity, yielding alarming outcomes. Through an examination of a limited sample of cloud services and DNS records, we identified over 1,000 susceptible organizations. Among these are notable entities like the Australian Department of Foreign Affairs and Trade, CNN, Stanford University, and FPÖ. However, we assume that the scope of affected domains could encompass several hundred thousand or more.
The implications of a subdomain takeover are far-reaching, encompassing a spectrum of potential attacks:
Malware Distribution: Attackers can employ the subdomain as a hosting platform for distributing malicious software.
Disinformation Spread: Malicious actors capitalize on the credibility of reputable entities such as media outlets, government bodies, or universities, using subdomains to disseminate false information. This undermines public trust in reliable sources, fosters disinformation campaigns that manipulate public opinion, and destabilizes communities and societies.
Phishing Attacks: Attackers can craft convincing phishing pages using the subdomain to trick unsuspecting users into revealing sensitive information.
Social Engineering Attacks: The subdomain can serve as a launching pad for compelling social engineering campaigns, manipulating individuals into disclosing confidential data or engaging in harmful activities.
To forestall potential attacks and raise public awareness about this widespread vulnerability, we have proactively assumed control over websites belonging to particularly susceptible organizations and informed them.
Government, Party, University and Media Websites Affected
We have taken over blogs hosted on WordPress.com for the Australian Department of Foreign Affairs and Trade (https://blog.dfat.gov.au), the UK Meteorological Office (https://blog.theukmetoffice.gov.uk), the US states of Rhode Island (https://blog.health.ri.gov) and Nebraska (https://test.ne.gov) as well as US-based Varobank (https://blog.varobank.com).
[Figure: page headings shown: Understanding Dangling DNS Records; Exploiting Dangling DNS Records for Subdomain Hijacking; Consequences of Subdomain Hijacking; Preventing Subdomain Hijacking; Notice for the Subdomain's Owner]
A similar approach enabled the forced redirection of subdomains. However, no valid TLS certificate is issued in this case. In this manner, we took control of websites belonging to news network CNN (http://insession.blogs.fortune.cnn.com), the government of the Canadian province Newfoundland and Labrador (http://atippblog.gov.nl.ca), international non-governmental organization Caritas (http://blog.caritas.org), US-based Bankfive (http://blog.bankfive.com), University of California (http://blog.admission.ucla.edu), University of Pennsylvania (http://blog.wic.library.upenn.edu) as well as Stanford University (http://shaqfehgroup.stanford.edu) and redirected them to a newly created WordPress blog (http://subdomainhijackingblog.wordpress.com).
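Both takeovers above start from the same defensive finding: a CNAME record in the organization's zone still points at a hosted-provider name (here, a WordPress.com blog) that nobody on the organization's side controls any more. The following Python audit, added here as an illustration and not Certitude's own tooling, walks a zone's records, picks out CNAMEs whose target sits at a takeover-prone provider, and classifies them. Every hostname, record and resolver answer in it is constructed; the provider list only contains wordpress.com because that is the service named on this page, and the `resolve` callable is a stand-in for a real lookup (for example one wrapping dnspython's `dns.resolver.resolve`).

```python
"""
Audit CNAME records for dangling targets at providers whose hostnames can be
claimed by anyone (the WordPress.com case described in the article).

Added example for this page, not Certitude's tooling. The sample records and
the resolver fixture below are constructed. In production, `resolve` wraps a
real DNS lookup that returns None on NXDOMAIN, and TAKEOVER_PRONE_SUFFIXES is
extended to every hosted service the organization has ever pointed a CNAME at.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Sequence

# Suffix match on the CNAME target. Only wordpress.com is named on the page;
# extending this list to other providers is the operator's assumption to make.
TAKEOVER_PRONE_SUFFIXES: Sequence[str] = ("wordpress.com",)


@dataclass(frozen=True)
class Record:
    name: str     # owner name, e.g. "blog.example.gov"
    rtype: str    # "CNAME", "A", ...
    target: str   # rdata: CNAME target or address


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    severity: str  # "dangling" or "review"
    reason: str


def _norm(host: str) -> str:
    """Strip the trailing dot and lower-case, so zone-file and API forms compare equal."""
    return host.rstrip(".").lower()


def _under(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it (label-aligned, not a substring match)."""
    host, suffix = _norm(host), _norm(suffix)
    return host == suffix or host.endswith("." + suffix)


def find_dangling_cnames(
    records: Iterable[Record],
    resolve: Callable[[str], Optional[List[str]]],
    suffixes: Sequence[str] = TAKEOVER_PRONE_SUFFIXES,
) -> List[Finding]:
    """Return one Finding per CNAME whose target sits at a takeover-prone provider.

    severity "dangling": the target does not resolve (NXDOMAIN), so the provider
        holds no resource under that name and a third party may be able to claim it.
    severity "review":   the target resolves. That alone proves nothing, because a
        provider may answer for unclaimed names with a wildcard; whether the
        resource is still yours has to be confirmed in the provider account.
    """
    findings: List[Finding] = []
    for rec in records:
        if rec.rtype.upper() != "CNAME":
            continue
        target = _norm(rec.target)
        provider = next((s for s in suffixes if _under(target, s)), None)
        if provider is None:
            continue  # not a provider this check knows about
        if resolve(target) is None:
            sev, why = "dangling", f"target at {provider} does not resolve (NXDOMAIN)"
        else:
            sev, why = "review", f"target at {provider} resolves; confirm the resource is still yours"
        findings.append(Finding(_norm(rec.name), target, sev, why))
    return findings


# ---- constructed sample zone and resolver answers (not real hosts) ----------
SAMPLE_RECORDS = [
    Record("blog.example.gov", "CNAME", "oldblog.wordpress.com."),  # blog deleted years ago
    Record("www.example.gov", "CNAME", "edge.example-cdn.net."),    # provider not in scope here
    Record("news.example.gov", "CNAME", "team.wordpress.com."),     # still resolves
    Record("mail.example.gov", "A", "192.0.2.10"),                  # not a CNAME
    Record("old.example.gov", "CNAME", "gone.wordpress.com"),       # no trailing dot, still dangling
]

RESOLVER_FIXTURE = {
    "team.wordpress.com": ["198.51.100.7"],
    "edge.example-cdn.net": ["203.0.113.9"],
}


def fixture_resolve(host: str) -> Optional[List[str]]:
    """Stand-in resolver: names absent from the fixture behave as NXDOMAIN."""
    return RESOLVER_FIXTURE.get(_norm(host))


def main() -> None:
    for f in find_dangling_cnames(SAMPLE_RECORDS, fixture_resolve):
        print(f"{f.severity:8} {f.name} -> {f.target}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed zone, the audit flags blog.example.gov and old.example.gov as dangling and news.example.gov for review; the remediation for a dangling entry is to delete the CNAME (or re-create the resource under the organization's own provider account) before anyone else registers the name. The "review" class exists because a resolving target is not evidence of ownership: the check has to be closed out by confirming the account at the provider, not by DNS alone.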
Understanding Subdomain Hijacking
Preventing Subdomain Hijacking
Research Methods and Disclosure