Threat Bulletin: Domain Takeover
Protecting Online Ecosystems: Dangling DNS Records
As of the time of writing, based on observations of external, public-facing online assets, Cyberpion has identified a number of cloud-hosted subdomains and IP addresses that have been abandoned by their original owners, yet those owners continue to maintain a valid DNS record that points to those domains or IP addresses.
As part of our ethical disclosure program, Cyberpion will attempt to notify organizations where we have detected this issue.
The Potential Vulnerability
The potential vulnerability lies in the ability of public-cloud services to “rent” a resource, with a unique IP address or FQDN, and then just as quickly release that resource when it is no longer needed.
When a resource is released, the DNS records that still point to it become dangling, and those broken connections can be weaponized and exploited by malicious actors who claim the released resource.
Once an attacker controls the content that the valid DNS record points to, additional exploits are possible: if the destination served scripts, an attacker can serve their own script, thereby creating persistent XSS or Magecart-style attacks. Less critical inclusions that point to resources in the abandoned bucket, such as CSS, images, fonts or even hyperlinks, can be used both to change the behavior of the sites and to infect the endpoint making the requests with malware.
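The practical check a defender wants here is an audit of which of their records still point at names that no longer resolve. The following is an added example, not code from Cyberpion or from this bulletin: it follows CNAME chains for a set of names and flags any chain that ends in NXDOMAIN or loops, which is the dangling condition described above. The zone snapshot and hostnames are constructed; a real run would replace `lookup` with queries to a resolver.

```python
"""Flag DNS records whose CNAME target no longer resolves (dangling records)."""
from typing import Callable, Dict, List, Optional, Tuple

RRset = List[Tuple[str, str]]          # [(rtype, rdata), ...]

# Constructed zone snapshot standing in for resolver answers (not real hosts).
# A name missing from this dict is treated as NXDOMAIN.
ZONE: Dict[str, RRset] = {
    "www.example.test":    [("A", "203.0.113.10")],
    "assets.example.test": [("CNAME", "bucket-123.storage.cloud.test")],
    "bucket-123.storage.cloud.test": [("A", "203.0.113.20")],
    "old.example.test":    [("CNAME", "retired-app.paas.cloud.test")],  # released
    "chain.example.test":  [("CNAME", "mid.example.test")],
    "mid.example.test":    [("CNAME", "ghost.cdn.cloud.test")],         # released
    "loop.example.test":   [("CNAME", "loop2.example.test")],
    "loop2.example.test":  [("CNAME", "loop.example.test")],
}


def lookup(name: str) -> Optional[RRset]:
    """Stand-in resolver for the constructed zone; None means NXDOMAIN."""
    return ZONE.get(name)


def classify(name: str, resolve: Callable[[str], Optional[RRset]] = lookup,
             max_hops: int = 8) -> str:
    """Follow CNAMEs from `name` and say whether the chain ends somewhere real."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return f"dangling: CNAME loop via {current}"
        seen.add(current)
        rrs = resolve(current)
        if rrs is None:
            # The record we own is fine; it is the target that vanished.
            return "no record" if current == name else f"dangling: {current} is NXDOMAIN"
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return "ok"                  # terminal A/AAAA/etc. answer exists
        current = cnames[0]
    return "dangling: CNAME chain too long"


def audit(names: List[str], resolve: Callable[[str], Optional[RRset]] = lookup) -> Dict[str, str]:
    """Return only the names that need attention, with the reason."""
    results = {n: classify(n, resolve) for n in names}
    return {n: why for n, why in results.items() if why != "ok"}


if __name__ == "__main__":
    for host, why in audit(sorted(ZONE)).items():
        print(f"{host}: {why}")
```

Records flagged as dangling should be deleted or re-pointed at a resource the organization actually controls; an "ok" result only means the target resolves today, so the audit is worth repeating on a schedule.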
Removing / Mitigating the Vulnerability
The following video provides a brief explanation of the steps to take in order to mitigate this vulnerability within your own online ecosystem.