Original Release Date: 12/3/2020
Researchers at RedHunt Labs discovered more than 424,000 subdomains with misconfigured CNAME records. Additionally, they noted that 139 of Alexa’s top 1,000 domains may have fallen prey to subdomain takeovers. A CNAME, or canonical name, is the properly designated host name of a computer or network server. CNAME records are often added to a domain’s DNS settings when using cloud services in order to verify domain ownership. Deleting a cloud-hosted web page does not guarantee deletion of the DNS entry pointing to the host domain, which may allow an attacker to take control of these abandoned websites. Of the estimated 400,000 vulnerable subdomains, roughly 63 percent were e-commerce sites, approximately 1,000 belonged to higher education, and around 200 were nonfunctional .gov subdomains with misconfigured CNAME records. These sites can be used to impersonate legitimate businesses and organizations for malicious purposes, such as installing malware and stealing personal information or payment card data.
The NJCCIC recommends website administrators map infrastructure in order to discover and track vulnerabilities and limit the attack surface. If a service is decommissioned, be sure to remove the associated DNS entry. Additional guidance can be found in the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC) advisory and RedHunt Labs’ blog post, CISO’s Guide to Attack Surface Management (ASM). Further details can be found in the Daily Swig article.
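One way to carry out the mapping and cleanup recommended above, as an added example that is not NJCCIC or RedHunt Labs code: it parses a zone export, lists every CNAME that points outside the organization's own zone, and flags those whose target no longer resolves. The zone lines, the `cloudhost.example` targets and the stub resolver are constructed for illustration.

```python
import socket

# Constructed zone export lines (name, TTL, class, type, target); not real records.
SAMPLE_ZONE = """\
www.example.com.    3600 IN CNAME example.com.
shop.example.com.   3600 IN CNAME old-shop.cloudhost.example.
docs.example.com.   3600 IN CNAME docs-site.cloudhost.example.
example.com.        3600 IN A     192.0.2.10
; promo campaign ended
promo.example.com.  300  IN CNAME promo-2019.cloudhost.example.
"""

def parse_cnames(zone_text):
    """Yield (name, target) for every CNAME line; skip comments and other types."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            yield fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()

def system_resolves(host):
    """True if the host currently resolves to at least one address."""
    try:
        return bool(socket.getaddrinfo(host, None))
    except socket.gaierror:
        return False

def audit_cnames(zone_text, own_zone, resolves=system_resolves):
    """Return CNAMEs that leave own_zone, flagged when the target no longer resolves."""
    findings = []
    for name, target in parse_cnames(zone_text):
        external = not (target == own_zone or target.endswith("." + own_zone))
        if not external:
            continue  # alias stays inside our own zone, nothing third-party to lose
        findings.append({"name": name, "target": target, "dangling": not resolves(target)})
    return findings

def demo_resolver(host):
    # Constructed stand-in for DNS so the example runs offline.
    return host in {"docs-site.cloudhost.example"}

if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_ZONE, "example.com", demo_resolver):
        status = "DANGLING: remove or reclaim" if f["dangling"] else "resolves: confirm still in use"
        print(f"{f['name']} -> {f['target']}  [{status}]")
```

Calling `audit_cnames` without the third argument uses live DNS. A target that still resolves should still be checked against the inventory of services the organization actually operates.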