Researchers have abused dangling DNS records to hijack subdomains belonging to over a dozen major organizations, and they warn that thousands of entities are vulnerable to such attacks.
The research was conducted by Vienna-based IT security consulting firm Certitude Consulting, whose employees managed to take control of subdomains belonging to governments, political parties, universities, and media companies in an effort to demonstrate the potential risk.
They targeted subdomains belonging to government organizations in the US, Canada, UK and Australia; the Austrian political party FPÖ; cybersecurity firm Netscout; US insurance giant Penn Mutual; CNN; several major universities in the United States (UCLA, Stanford, and University of Pennsylvania); and a couple of financial institutions.
The Certitude researchers configured the hijacked subdomains to redirect visitors to a ‘security awareness notice’ page explaining who they are, what they have done, and how they did it, along with instructions for preventing subdomain hijacking and recovering the subdomain.
However, a malicious actor could have exploited the DNS weakness for malware distribution, spreading misinformation, phishing attacks, and social engineering. These types of attacks are more likely to succeed if they involve a subdomain belonging to a reputable and trusted organization.
Certitude said it had identified over 1,000 organizations whose subdomains were vulnerable, but believes this is just the tip of the iceberg. The entities whose domains were hijacked for demonstration purposes have been notified and the cybersecurity firm said some of them have already changed their DNS records to prevent abuse.
“It was not feasible to inform all >1,000 organizations. Coordination with the Austrian CERT is in progress,” Certitude noted.
The subdomain takeovers leveraged an issue known as ‘dangling DNS’, which occurs when a DNS record (typically a CNAME) in an organization’s zone points to a hostname whose underlying resource no longer exists: the organization’s name still resolves, but nothing the organization controls answers for it. This is a widely known problem affecting many organizations that regularly create and delete resources.
Dangling DNS is often related to cloud services. Organizations create CNAME records on their own DNS servers that map a subdomain to a provider-assigned hostname (a storage account, app or CDN endpoint). If the cloud resource is later abandoned, whether because it is no longer needed or because the organization stops paying for it, the CNAME record is frequently left in place and continues to point at the provider-assigned hostname.
A malicious actor can then register that same provider-assigned name with the cloud provider, and the organization’s still-live record now directs its visitors to content the attacker controls, effectively taking over the subdomain.
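The mechanism above is easy to audit from an organization’s own side: export the zone, follow every CNAME chain, and flag any chain whose final target no longer resolves, with extra weight when that target sits under a provider where released names can be re-registered. The script below is an added example, not Certitude’s tooling (which the firm has not published). The zone, the “public DNS” table and the provider-suffix list are all constructed for the example so that it runs offline; in practice the two lookup tables would be replaced by real queries (for instance via dnspython) and the suffix list by a maintained one, since which providers are actually claimable changes over time.

```python
"""Dangling CNAME audit over an exported zone (added example, runs offline).

Both lookup tables are constructed stand-ins for live DNS. Replace them with
real queries to use the logic against a production zone.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone export for a fictitious organization. Hypothetical names.
# value = (record type, record data)
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.org":    ("A",     "203.0.113.10"),
    "shop.example.org":   ("CNAME", "shop-prod.azurewebsites.net."),
    "assets.example.org": ("CNAME", "example-assets.s3.amazonaws.com."),
    "blog.example.org":   ("CNAME", "old-blog.ghost.io."),
    "api.example.org":    ("CNAME", "api-gw.example.org."),      # internal hop
    "api-gw.example.org": ("CNAME", "gw-123.cloudfront.net."),
    "legacy.example.org": ("CNAME", "legacy.partner-hosting.example."),
}

# Constructed view of what public DNS currently answers for the CNAME targets.
# A name missing from this table stands for NXDOMAIN (resource was deleted).
PUBLIC_DNS: Dict[str, str] = {
    "shop-prod.azurewebsites.net": "20.0.0.1",      # still provisioned
    "old-blog.ghost.io":           "198.51.100.7",  # still provisioned
}

# Illustrative provider suffixes under which a freed hostname may be
# re-registered by anyone. Assumption for the example, not an authoritative list.
TAKEOVER_PRONE = (
    ".azurewebsites.net", ".blob.core.windows.net", ".s3.amazonaws.com",
    ".cloudfront.net", ".github.io", ".herokuapp.com",
)


@dataclass
class Finding:
    owner: str                 # the organization's subdomain that dangles
    target: str                # final CNAME target that does not resolve
    provider: Optional[str]    # matched provider suffix, if any
    severity: str              # "high" if a claimable provider, else "medium"


def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case, so zone and DNS names compare equal."""
    return name.rstrip(".").lower()


def resolve_chain(name: str, zone: Dict[str, Tuple[str, str]],
                  public: Dict[str, str], max_hops: int = 8) -> Tuple[str, bool]:
    """Follow CNAMEs through our own zone, then consult public DNS for the
    final target. Returns (final_name, exists). Loops and over-long chains
    are reported rather than silently tolerated."""
    seen = set()
    cur = normalize(name)
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        rec = zone.get(cur)
        if rec and rec[0] == "CNAME":
            cur = normalize(rec[1])
            continue
        if rec:                       # an A record we control: not dangling
            return cur, True
        return cur, cur in public     # outside our zone: ask public DNS
    raise ValueError(f"CNAME chain longer than {max_hops} hops from {name}")


def provider_of(name: str) -> Optional[str]:
    """Return the matching takeover-prone suffix, or None."""
    for suffix in TAKEOVER_PRONE:
        if name.endswith(suffix):
            return suffix
    return None


def audit(zone: Dict[str, Tuple[str, str]], public: Dict[str, str]) -> List[Finding]:
    """Flag every CNAME in the zone whose final target no longer resolves."""
    findings: List[Finding] = []
    for owner, (rtype, _) in zone.items():
        if rtype != "CNAME":
            continue
        final, exists = resolve_chain(owner, zone, public)
        if exists:
            continue
        prov = provider_of(final)
        findings.append(Finding(owner, final, prov, "high" if prov else "medium"))
    return findings


if __name__ == "__main__":
    for f in audit(ZONE, PUBLIC_DNS):
        print(f"{f.severity:6} {f.owner} -> {f.target} ({f.provider or 'unknown host'})")
```

Two caveats when running this against real DNS: an NXDOMAIN is strong evidence but not proof that the name is claimable, because some providers answer for any hostname under their suffix and only signal the missing resource in the HTTP response, so a complete check also fetches the target and matches the provider’s “no such resource” page; and the internal hop (api.example.org to api-gw.example.org) shows why the audit must follow chains rather than inspect each CNAME in isolation, since both names dangle through the same deleted endpoint.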
On one hand, organizations need to keep track of their DNS entries to ensure they don’t have dangling records on their servers. On the other hand, Certitude believes cloud services providers also bear some responsibility.
“In most cases, the hijacking of subdomains could be effectively and comprehensively prevented by cloud services through domain ownership verification and not immediately releasing previously used identifiers for registration,” explained Florian Schweitzer, cloud security expert at Certitude Consulting. “Microsoft implemented this for Azure Storage Accounts several months ago. Other providers, such as Amazon Web Services, must fulfill their responsibilities.”
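The two provider-side controls Schweitzer names, ownership verification before a custom hostname is bound and a cooldown before a released identifier can be re-registered, can be sketched in a few dozen lines. The class below is an added example of a toy hosting provider, not any real provider’s implementation; the TXT-record label `_provider-verify`, the token format, the cooldown length and the in-memory TXT lookup are all assumptions made for the example, and Azure’s actual scheme differs in its details.

```python
"""Toy hosting provider with custom-hostname ownership verification and an
identifier cooldown (added example; all names and formats are assumptions)."""
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple


class Provider:
    """Tenants create apps under a provider-assigned identifier and may bind
    their own hostnames to them. Two controls prevent takeover:
      1. a released identifier cannot be re-created until a cooldown passes;
      2. a custom hostname is bound only if its zone carries a TXT record
         proving the requesting tenant controls that name."""

    TXT_LABEL = "_provider-verify"   # assumed label; real providers vary

    def __init__(self, txt_lookup: Callable[[str], List[str]],
                 cooldown_seconds: int = 30 * 24 * 3600,
                 clock: Callable[[], float] = time.time):
        self.txt_lookup = txt_lookup           # name -> list of TXT strings
        self.cooldown = cooldown_seconds
        self.clock = clock                     # injectable for testing
        self.apps: Dict[str, str] = {}         # identifier -> owning tenant
        self.released: Dict[str, float] = {}   # identifier -> release time
        self.tokens: Dict[Tuple[str, str], str] = {}  # (tenant, host) -> token

    def create_app(self, tenant: str, app_id: str) -> None:
        if app_id in self.apps:
            raise ValueError(f"{app_id}: identifier in use")
        released_at = self.released.get(app_id)
        if released_at is not None and self.clock() - released_at < self.cooldown:
            raise ValueError(f"{app_id}: recently released, still in cooldown")
        self.released.pop(app_id, None)
        self.apps[app_id] = tenant

    def delete_app(self, app_id: str) -> None:
        del self.apps[app_id]
        self.released[app_id] = self.clock()   # start the cooldown

    def start_verification(self, tenant: str, hostname: str) -> str:
        """Issue the token the tenant must publish as a TXT record."""
        token = secrets.token_hex(16)
        self.tokens[(tenant, hostname)] = token
        return token

    def expected_txt(self, tenant: str, hostname: str) -> Optional[str]:
        token = self.tokens.get((tenant, hostname))
        return None if token is None else f"provider-verify={token}"

    def bind_custom_hostname(self, tenant: str, hostname: str, app_id: str) -> bool:
        if self.apps.get(app_id) != tenant:
            raise PermissionError("app not owned by tenant")
        expected = self.expected_txt(tenant, hostname)
        if expected is None:
            raise PermissionError("start verification first")
        published = self.txt_lookup(f"{self.TXT_LABEL}.{hostname}")
        if expected not in published:
            raise PermissionError(f"ownership TXT record not found for {hostname}")
        return True


def run_scenario() -> Dict[str, object]:
    """Replay the takeover attempt against the toy provider with a fake clock
    and constructed DNS, recording each outcome."""
    clock = [1_000.0]
    txt: Dict[str, List[str]] = {}             # constructed TXT records
    p = Provider(lambda n: txt.get(n, []), cooldown_seconds=100,
                 clock=lambda: clock[0])
    out: Dict[str, object] = {}

    p.create_app("victim", "shop-prod")
    p.delete_app("shop-prod")                  # victim abandons the resource

    try:                                       # attacker re-registers at once
        p.create_app("attacker", "shop-prod")
        out["reregister_during_cooldown"] = "allowed"
    except ValueError:
        out["reregister_during_cooldown"] = "blocked"

    clock[0] += 101                            # cooldown has expired
    p.create_app("attacker", "shop-prod")
    out["reregister_after_cooldown"] = "allowed"

    p.start_verification("attacker", "shop.example.org")
    try:                                       # no TXT in the victim's zone
        p.bind_custom_hostname("attacker", "shop.example.org", "shop-prod")
        out["attacker_bind"] = "allowed"
    except PermissionError:
        out["attacker_bind"] = "blocked"

    p.create_app("victim", "shop-prod-v2")     # legitimate owner proves control
    p.start_verification("victim", "shop.example.org")
    txt["_provider-verify.shop.example.org"] = [p.expected_txt("victim", "shop.example.org")]
    out["victim_bind"] = p.bind_custom_hostname("victim", "shop.example.org", "shop-prod-v2")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The cooldown buys the organization time to notice and remove the stale CNAME, while the TXT check means that even an attacker who eventually obtains the freed identifier cannot make the provider serve content for the organization’s hostname, because the token is bound to the requesting tenant and must appear in a zone only the organization can edit.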
Certitude has not revealed its enumeration methods for dangling DNS records in an effort to prevent abuse.