Dangling DNS Used to Hijack Subdomains of Major Organizations 

Researchers abused dangling DNS records to hijack subdomains belonging to major organizations, and warn that thousands of entities are impacted.

Researchers have abused dangling DNS records to hijack subdomains belonging to over a dozen major organizations, and they warn that thousands of entities are vulnerable to such attacks. 

The research was conducted by Vienna-based IT security consulting firm Certitude Consulting, whose employees managed to take control of subdomains belonging to governments, political parties, universities, and media companies in an effort to demonstrate the potential risk.

They targeted subdomains belonging to government organizations in the US, Canada, UK and Australia; the Austrian political party FPÖ; cybersecurity firm Netscout; US insurance giant Penn Mutual; CNN; several major universities in the United States (UCLA, Stanford, and University of Pennsylvania); and a couple of financial institutions.

The Certitude researchers configured the hijacked subdomains to redirect visitors to a ‘security awareness notice’ page explaining who they are, what they have done, and how they did it, along with instructions for preventing subdomain hijacking and recovering the subdomain. 

However, a malicious actor could have exploited the DNS weakness for malware distribution, spreading misinformation, phishing attacks, and social engineering. These types of attacks are more likely to succeed if they involve a subdomain belonging to a reputable and trusted organization. 

Certitude said it had identified over 1,000 organizations whose subdomains were vulnerable, but believes this is just the tip of the iceberg. The entities whose domains were hijacked for demonstration purposes have been notified and the cybersecurity firm said some of them have already changed their DNS records to prevent abuse. 

“It was not feasible to inform all >1.000 organizations. Coordination with the Austrian CERT is in progress,” Certitude noted. 


The subdomain takeovers leveraged an issue known as ‘dangling DNS’, which occurs when a DNS CNAME record points to a subdomain that no longer exists. This is a widely known problem affecting many organizations that regularly create and delete resources. 

Dangling DNS is often related to cloud services. Organizations associate cloud-based services provided by third parties with DNS records on their own DNS server. However, if the cloud service is abandoned at some point, because it is no longer needed or because the organization stops paying for it, the DNS records continue to point to the associated hostname at the provider.

A malicious actor can register the subdomain associated with the dangling DNS record at the cloud services provider, effectively taking control of the subdomain and the content it serves.   
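The defensive check that follows from this description is an audit of one's own zone: for every CNAME, follow the chain and confirm the final target still resolves. The script below is an added example written for this article, not code from Certitude or SecurityWeek. The zone records, the hostnames under `cloudhost.example` and the list of "resolvable" names are all constructed so that it runs offline; `live_resolver` shows how the same logic plugs into the system resolver.

```python
"""Find dangling CNAME records in a DNS zone export (added illustration)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone: owner name -> CNAME target. None of these are real records.
SAMPLE_ZONE: Dict[str, str] = {
    "blog.example.org.": "myblog.cloudhost.example.",
    "old-app.example.org.": "deleted-app.cloudhost.example.",   # provider resource was deleted
    "shop.example.org.": "alias.example.org.",                  # in-zone chain, two hops
    "alias.example.org.": "storefront.cloudhost.example.",
    "loop-a.example.org.": "loop-b.example.org.",               # misconfigured CNAME loop
    "loop-b.example.org.": "loop-a.example.org.",
}

# Constructed stand-in for the public DNS: the set of external names that still resolve.
# "deleted-app.cloudhost.example." is absent, i.e. it would return NXDOMAIN.
FAKE_RESOLVABLE = {"myblog.cloudhost.example.", "storefront.cloudhost.example."}


def fake_resolver(name: str) -> bool:
    """Offline resolver used by the sample run and the test."""
    return name in FAKE_RESOLVABLE


def live_resolver(name: str) -> bool:
    """Resolve with the system resolver; True if the name yields an address."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def follow_cname(owner: str, zone: Dict[str, str], max_hops: int = 8) -> Tuple[Optional[str], str]:
    """Follow a CNAME chain inside the zone.

    Returns (final_target, "ok") when the chain leaves the zone, or
    (None, "loop" | "too-long") for chains that never terminate.
    """
    seen: List[str] = []
    name = owner
    while name in zone:
        if name in seen:
            return None, "loop"
        seen.append(name)
        name = zone[name]
        if len(seen) > max_hops:
            return None, "too-long"
    return name, "ok"


def find_dangling(zone: Dict[str, str], resolves: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Return (owner, target, reason) for every CNAME whose final target does not resolve.

    CNAME loops are reported too: they are not takeover candidates, but they are
    the kind of stale record this audit exists to surface.
    """
    findings = []
    for owner in sorted(zone):
        target, status = follow_cname(owner, zone)
        if status != "ok":
            findings.append((owner, zone[owner], status))
        elif not resolves(target):
            findings.append((owner, target, "nxdomain"))
    return findings


if __name__ == "__main__":
    # Swap fake_resolver for live_resolver to audit a real zone export.
    for owner, target, reason in find_dangling(SAMPLE_ZONE, fake_resolver):
        print(f"{owner} -> {target}: {reason}")
```

An NXDOMAIN on the target is a strong signal but not the whole story: some providers answer for every name under their service domain and only return a "resource not found" page over HTTP, so a complete audit also fetches the target and compares the response with the provider's unclaimed-resource fingerprint. Run the audit on every zone export, not once, since the records that dangle are exactly the ones created and deleted routinely.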

On one hand, organizations need to keep track of their DNS entries to ensure they don’t have dangling records on their servers. On the other hand, Certitude believes cloud services providers also bear some responsibility.

“In most cases, the hijacking of subdomains could be effectively and comprehensively prevented by cloud services through domain ownership verification and not immediately releasing previously used identifiers for registration,” explained Florian Schweitzer, cloud security expert at Certitude Consulting. “Microsoft implemented this for Azure Storage Accounts several months ago. Other providers, such as Amazon Web Services, must fulfill their responsibilities.”
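The two provider-side controls named in the quote, ownership verification and a hold period on released identifiers, can be sketched as a small registry model. This is an added example written for this article; it is not Azure's or any other provider's code, and the 90-day quarantine, the `_cloudhost-verify` TXT label and the `cloudhost.example` names are assumptions chosen for illustration.

```python
"""Model of provider-side takeover prevention (added illustration, hypothetical provider)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Assumed hold period: a released identifier cannot be re-registered until it expires.
QUARANTINE = timedelta(days=90)
# Assumed verification label: the customer publishes a TXT record here before a
# custom domain may be pointed at one of their provider resources.
VERIFY_LABEL = "_cloudhost-verify"


@dataclass
class Registry:
    owners: Dict[str, str] = field(default_factory=dict)        # identifier -> account
    released: Dict[str, datetime] = field(default_factory=dict)  # identifier -> release time

    def claim(self, identifier: str, account: str, now: datetime) -> str:
        """Try to register an identifier. Returns 'ok', 'taken' or 'quarantined'."""
        if identifier in self.owners:
            return "taken"
        released_at = self.released.get(identifier)
        if released_at is not None and now - released_at < QUARANTINE:
            # Someone else's DNS may still point here; do not hand it out yet.
            return "quarantined"
        self.owners[identifier] = account
        self.released.pop(identifier, None)
        return "ok"

    def release(self, identifier: str, now: datetime) -> None:
        """Customer deletes the resource; start the quarantine clock."""
        self.owners.pop(identifier, None)
        self.released[identifier] = now

    def bind_custom_domain(self, custom_name: str, identifier: str, account: str,
                           txt_lookup: Callable[[str], List[str]]) -> bool:
        """Allow custom_name to front this resource only if the DNS owner proves control.

        The expected token ties the verification to the account, so a record the
        customer published for a previous resource cannot be reused by someone else.
        """
        if self.owners.get(identifier) != account:
            return False
        expected = f"cloudhost-verify={account}"
        records = txt_lookup(f"{VERIFY_LABEL}.{custom_name}")
        return expected in records


# Constructed TXT answers standing in for the public DNS.
FAKE_TXT = {
    "_cloudhost-verify.app.example.org.": ["cloudhost-verify=acct-alice"],
}


def fake_txt_lookup(name: str) -> List[str]:
    return FAKE_TXT.get(name, [])


def scenario() -> Dict[str, object]:
    """Walk through release, premature re-registration and verified binding."""
    reg = Registry()
    t0 = datetime(2023, 1, 1)
    reg.claim("acme-app", "acct-alice", t0)
    reg.release("acme-app", t0)                                  # Alice deletes the resource
    early = reg.claim("acme-app", "acct-mallory", t0 + timedelta(days=30))
    late = reg.claim("acme-app", "acct-bob", t0 + QUARANTINE + timedelta(days=1))
    # Bob owns the identifier now, but Alice's DNS points at it: Bob's binding
    # fails because the TXT token names Alice's account, not his.
    bob_binds = reg.bind_custom_domain("app.example.org.", "acme-app", "acct-bob", fake_txt_lookup)
    reg2 = Registry()
    reg2.claim("acme-app", "acct-alice", t0)
    alice_binds = reg2.bind_custom_domain("app.example.org.", "acme-app", "acct-alice", fake_txt_lookup)
    return {"early": early, "late": late, "bob_binds": bob_binds, "alice_binds": alice_binds}


if __name__ == "__main__":
    print(scenario())
```

The quarantine buys the customer time to notice and remove the stale CNAME, while the account-bound TXT token ensures that even a legitimately re-registered identifier cannot serve content under a domain whose owner never verified the new account. Neither control replaces the customer's own zone audit; together they close the window that the Certitude demonstrations relied on.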

Certitude has not revealed its enumeration methods for dangling DNS records in an effort to prevent abuse. 

Related: HYAS Unveils New Tool for Continuous DNS Monitoring

Related: Cyberespionage Implant Delivered via Targeted Government DNS Hijacking

Related: BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
