In 2016, Uber experienced a subdomain takeover that cost them a settlement of $148 million. This breach exposed sensitive information of both drivers and passengers. The root cause? An unclaimed Amazon Web Services (AWS) S3 bucket linked to one of Uber's subdomains. The attacker claimed the S3 bucket and was able to control the content served from the subdomain.
What is a subdomain takeover?
Subdomain takeover is a security vulnerability that occurs when a subdomain of a website or application is no longer in use but still points to a service that an attacker can control. This vulnerability allows the attacker to take over the subdomain and potentially host malicious content, steal information, or perform phishing attacks.
Let's dive a bit deeper into subdomain takeover.
Since you can’t do everything on your own, every organization depends on third-party services for something or another. This dependency in turn increases your attack surface. A subdomain takeover occurs when a third-party service that you once integrated with – maybe for development, testing, or a short-term campaign – gets neglected. Perhaps the project concluded, or the service underwent a revamp, leaving behind the abandoned subdomain. However, the DNS configuration continues to route traffic to this incorrect space. This is where the trouble begins.
Attackers spot these abandoned subdomains. They recognize that an unattended gateway can lead them straight into your organization's online ecosystem. Once inside, attackers could craft convincing phishing sites, trapping unsuspecting visitors into revealing sensitive information. They might even set the stage for a broader attack on your organization and its stakeholders.
How would an attacker perform a subdomain takeover, and why would they want to?
Here's a general overview of the steps an attacker might take:
- Identify Target: The attacker selects a target organization and starts researching their online presence, including their main domain and any associated subdomains.
- Find Abandoned Subdomains: The attacker looks for subdomains that are no longer in use by the organization. This can be done through various methods, such as searching public DNS records, using subdomain enumeration tools, or analyzing the organization's web presence.
- Verify Claimability: The attacker checks whether they can take ownership of the abandoned subdomain's target. This can involve registering that target themselves on the third-party service, or manipulating the DNS settings so that the subdomain points to a server or service they control.
- Control the Subdomain: Once the attacker has successfully claimed or controlled the subdomain, they have the ability to host their own content or redirect traffic to their desired location.
Now, let's discuss why an attacker would want to perform a subdomain takeover:
- Phishing Attacks: By taking over a subdomain, the attacker can create convincing fake login pages or forms that mimic the legitimate website. They can then trick users into entering their credentials, which they can capture and use for unauthorized access to these accounts.
- Malware Distribution: Attackers can use a compromised subdomain to host and distribute malware. They can embed malicious code or links within the subdomain, and unsuspecting users who visit it may have their devices infected without their knowledge.
- Reputation Damage: By defacing the website or hosting malicious content on a subdomain, attackers can tarnish the reputation of the targeted organization. This can lead to loss of customer trust, financial losses, and damage to the organization's brand image.
- Data Theft: If the subdomain is associated with sensitive data or services, attackers can exploit the takeover to gain unauthorized access to that information. This can include personal user data, financial information, or any other valuable data stored or processed by the compromised subdomain.
- Distributed Denial of Service (DDoS) Attacks: In some cases, attackers may use a compromised subdomain to launch DDoS attacks against the targeted organization. By leveraging the resources of the subdomain, they can flood the organization's servers with a high volume of traffic, causing service disruptions.
The oversight in protecting against subdomain takeovers
Organizations often prioritize detecting parent-domain infringement over subdomain abuse, despite the similar risks involved. This is primarily because subdomain infringement falls into a grey area of responsibility within organizations, where no specific team is tasked with addressing it. There are two main reasons for this:
- Difficulty in Detection: While the WHOIS system provides a straightforward way to find brand-infringing parent domains, there is no equivalent universal system for searching subdomains. Passive DNS data can be used to detect subdomains, but it requires significant technical infrastructure and investment to collect and analyze the necessary data. Until recently, the tools and data sources required for effective subdomain takeover detection were not widely available, leading to a lack of awareness and adoption of this practice.
- Perception as a Legal Issue: Traditionally, domain infringement detection and mitigation have been the responsibility of either the brand protection or the legal team, rather than security teams. As a result, most anti-infringement programs focus on detecting infringement in parent domains, as it carries more weight in trademark infringement claims. Security teams, who are more likely to have access to relevant data sources, may not be aware of the value of this data in detecting subdomain infringement. This means that those who are concerned about subdomain infringement may not have the necessary tools or awareness to address the problem effectively.
To address this issue, organizations need to recognize the importance of subdomain abuse and adapt their defences accordingly. This includes investing in the necessary technical infrastructure to collect and analyze subdomain data, as well as involving security teams in the detection and mitigation of subdomain infringement. By taking a proactive approach to subdomain abuse, organizations can better protect their brand, users, and overall security posture.
How can external attack surface management help mitigate subdomain takeover?
An effective way to tackle the risk of expired or forgotten subdomains is to implement an external attack surface management (EASM) tool like Horizon.
EASM tools provide the capability to identify misconfigured or unauthorized subdomains, allowing organizations to proactively find and fix them before a takeover occurs. By conducting subdomain takeover risk analysis and mapping the external attack surface, EASM tools offer valuable insights and help prevent potential attacks. Additionally, maintaining an up-to-date inventory of subdomains and hosts, along with staying vigilant about the latest DNS vulnerabilities, further strengthens subdomain security. As EASM tools become an essential part of the Blue Team's toolkit, they provide significant value at a fraction of the cost compared to non-automated methods.
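The detection difficulty described above, and the inventory-driven approach this section recommends, come down to one recurring check: does each subdomain's DNS target still exist, and if not, does it sit in a third-party zone where anyone could register that name? The following is an added example written for this article, not code from Horizon or any other product. It audits a CNAME inventory for dangling records. The hostnames, provider suffixes and resolver answers are constructed sample data; `live_resolver` is the hypothetical hook you would swap in to run the same audit against a real zone export.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample inventory: subdomain -> CNAME target, as a zone export
# or an EASM discovery run would list it. All names are made up.
SAMPLE_CNAME_RECORDS: Dict[str, str] = {
    "www.example.com": "example-prod.cdn-provider.example",
    "promo2019.example.com": "old-campaign.pages-host.example",
    "dev-api.example.com": "dev-api.paas-host.example",
    "blog.example.com": "blog-live.pages-host.example",
}

# Constructed resolver answers for each target. None models NXDOMAIN,
# i.e. the third-party tenant behind the name has been deleted.
SAMPLE_RESOLUTION: Dict[str, Optional[str]] = {
    "example-prod.cdn-provider.example": "203.0.113.10",
    "old-campaign.pages-host.example": None,
    "dev-api.paas-host.example": None,
    "blog-live.pages-host.example": "203.0.113.20",
}

# Hypothetical third-party zones in which a deleted tenant name can be
# re-registered by any customer. In practice the security team maintains
# this list from the SaaS/PaaS providers the organization actually uses.
CLAIMABLE_SUFFIXES = ("pages-host.example", "paas-host.example")

Resolver = Callable[[str], Optional[str]]


@dataclass
class Finding:
    subdomain: str
    target: str
    claimable_zone: bool   # True = highest priority: anyone could register the target
    reason: str


def sample_resolver(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed sample answers."""
    return SAMPLE_RESOLUTION.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real resolver for auditing an actual inventory (not used by the test)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def in_claimable_zone(target: str) -> bool:
    """Match on label boundaries so 'xpages-host.example' is not a false hit."""
    return any(target == s or target.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def audit_cnames(records: Dict[str, str], resolve: Resolver) -> List[Finding]:
    """Flag every CNAME whose target no longer resolves; rank claimable zones first."""
    findings: List[Finding] = []
    for sub, target in records.items():
        if resolve(target) is not None:
            continue  # target still exists, so the record is not dangling
        claimable = in_claimable_zone(target)
        reason = ("dangling CNAME into a third-party zone where the name can be re-registered"
                  if claimable else "dangling CNAME (target does not resolve)")
        findings.append(Finding(sub, target, claimable, reason))
    # Claimable-zone targets are the ones an EASM tool should escalate first.
    findings.sort(key=lambda f: (not f.claimable_zone, f.subdomain))
    return findings


if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_CNAME_RECORDS, sample_resolver):
        print(f"{f.subdomain} -> {f.target}: {f.reason}")
```

The audit is deliberately read-only: it resolves names and compares them against an allow-list of provider zones, which is exactly the data the section says organizations struggle to collect. The remediation for each finding is to delete or repoint the stale record in your own zone, which removes the dangling reference regardless of what the third-party service does afterwards.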