
Infection Method: Domain Takeover

This post looks at an infection method called domain takeover: attack vectors that run through domain names. But what exactly is a domain takeover attack?

By Sven Ruppert (DZone Core) · Nov. 13, 23 · Tutorial

A domain takeover is a cyberattack in which an attacker gains control of a domain name owned by another person or organization. The consequences can be severe, because the attacker can use the domain for malicious purposes such as spreading malware, phishing, or hijacking a company's online presence.

Below, we will look at different ways in which such a takeover can take place:

1. Expired Domain

The most common route to a domain takeover is that the owner simply forgets to renew the registration. When a domain registration expires, it eventually becomes available for anyone to purchase. Attackers monitor the expiration of valuable domains and register them as soon as they are released. If you have set up automatic renewal with your registrar, this should not happen by accident. But companies (and people) also let domains go on purpose: an acquired company has been fully integrated and its domain is no longer needed, a project has been wound down, and so on. The problem is that these domains often survive in internal configurations and firewall rules, where they still carry the extended privileges that were intended for the organization's own systems. If such a domain is put up for sale, an attacker can buy it entirely legitimately; as long as the old configurations have not been updated, the attacker inherits that trust and can carry out an attack.
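The audit the paragraph calls for can be scripted. The following is an added example written for this article, not code from the author: it pulls hostnames out of firewall rules and allowlists and reports every name whose registrable domain is not on the list of domains the organization still holds. The configuration fragments, hostnames and ownership list are constructed, and the hand-written suffix set stands in for the real Public Suffix List.

```python
"""Audit firewall rules and allowlists for hostnames whose registrable
domain the organisation does not (or no longer) own.

Added example for this article, not the author's code. The configuration
files, hostnames and ownership list below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumption: a hand-written stand-in for the Public Suffix List; a real
# audit should use the PSL (e.g. the `publicsuffix2` package) instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Matches dotted hostnames whose last label is alphabetic, so plain IPv4
# addresses are not picked up.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def registrable_apex(hostname: str) -> str:
    """Return the domain that has to stay registered to keep this name."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    hostname: str
    apex: str


def find_unowned_hosts(configs: dict[str, str], owned_apexes: set[str]) -> list[Finding]:
    """Report every hostname in the configs whose apex is not in owned_apexes."""
    owned = {a.lower() for a in owned_apexes}
    findings: list[Finding] = []
    for fname, text in configs.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            code = line.split("#", 1)[0]  # ignore trailing comments
            for host in HOST_RE.findall(code):
                apex = registrable_apex(host)
                if apex not in owned:
                    findings.append(Finding(fname, line_no, host.lower(), apex))
    return findings


# Constructed sample input: two config fragments and the domains still held.
CONSTRUCTED_CONFIGS = {
    "firewall/allow.rules": (
        "# trust rules (constructed sample)\n"
        "allow from api.partner.example to any port 443\n"
        "allow from build-agent.old-acquisition.example to any port 22  # merged 2019\n"
        "allow from nexus.internal.example-corp.com to any port 8081\n"
    ),
    "app/cors.conf": (
        "Access-Control-Allow-Origin: https://app.example-corp.com\n"
        "Access-Control-Allow-Origin: https://beta.retired-project.net\n"
    ),
}
OWNED_APEXES = {"example-corp.com", "partner.example"}


def audit_sample() -> list[Finding]:
    return find_unowned_hosts(CONSTRUCTED_CONFIGS, OWNED_APEXES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.file}:{f.line_no}: {f.hostname} (apex {f.apex} not owned)")
```

Run on the constructed input it flags the old acquisition's build agent in the firewall rules and the retired project's origin in the CORS configuration; both apexes are exactly the kind of domain that somebody else can register once the renewal lapses. Every finding should end in one of two outcomes: the rule is removed, or the domain goes back onto the renewal and monitoring list.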


2. Domain-Hijacking

In some cases, attackers use social engineering to trick domain registrars or Domain Name System (DNS) providers into handing over control of a domain, for example by impersonating the domain owner or by supplying false information to the registrar. But you have to think in other directions too: a domain can also be the lever for taking over something that is tied to it. Here is an example in which a domain is used to gain control of a namespace on a Maven repository. An open-source project named ABC has not secured the domain that matches its Maven coordinates: its artifacts are published on Maven Central under the group ID "org.abc", but nobody on the project holds abc.org. The attacker registers abc.org and then contacts the operator of Maven Central, claiming to be the project maintainer who has lost access to the repository. To verify the request, the operator asks the applicant to publish a TXT record containing a specific code (in this case, the ticket number of the request) in the DNS configuration of abc.org. Once that code is visible via DNS, publishing rights to the namespace are granted. The attacker can now upload their own artifacts under "org.abc" and make them generally available to everyone who resolves dependencies from that namespace. Note what the verification actually proves: control of the domain, not the identity of the project. A project that publishes under a reverse-DNS group ID therefore has to keep the corresponding domain registered and monitored for as long as its artifacts are in use.
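To make the exchange concrete, here is an added simulation of the TXT-record challenge described above. It is example code written for this article, not Sonatype's implementation: the resolver is an in-memory stub, the mapping from group ID to verification domain (the two leading labels, reversed) is an assumption, and all group IDs, domains and ticket numbers are constructed. The point it demonstrates is that the legitimate maintainer and a later registrant of the same lapsed domain pass the identical check.

```python
"""Simulation of the DNS TXT namespace challenge described above.

Added example for this article, not Sonatype's code: the resolver is an
in-memory stub and every group ID, domain and ticket number is constructed.
It shows that the check proves control of the domain, nothing more.
"""
from dataclasses import dataclass, field


def verification_domain(group_id: str) -> str:
    """Map a reverse-DNS groupId to the domain whose TXT record is checked.

    Assumption: the two leading labels are reversed, so org.abc and
    org.abc.tools both map to abc.org.
    """
    labels = group_id.lower().strip().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a reverse-DNS groupId: {group_id!r}")
    return ".".join(reversed(labels[:2]))


@dataclass
class StubResolver:
    """Stand-in for DNS: maps a name to its TXT records."""
    txt: dict[str, list[str]] = field(default_factory=dict)

    def lookup_txt(self, name: str) -> list[str]:
        return self.txt.get(name.lower().rstrip("."), [])


def verify_namespace_claim(group_id: str, ticket: str, resolver: StubResolver) -> bool:
    """True if a TXT record at the groupId's domain carries the ticket code."""
    domain = verification_domain(group_id)
    return any(rec.strip() == ticket for rec in resolver.lookup_txt(domain))


def namespace_domains(group_ids: list[str]) -> list[str]:
    """Domains a project must keep registered and monitored to protect its
    namespaces; feed this into the renewal and watch lists."""
    return sorted({verification_domain(g) for g in group_ids})


# Constructed scenario: the real project proves ownership; later the domain
# lapses, is re-registered by somebody else, and the same check passes again.
ORIGINAL_ZONE = StubResolver({"abc.org": ["v=spf1 -all", "TICKET-1001"]})
POST_TAKEOVER_ZONE = StubResolver({"abc.org": ["TICKET-2042"]})


def scenario() -> dict[str, bool]:
    return {
        "maintainer_proves_ownership":
            verify_namespace_claim("org.abc", "TICKET-1001", ORIGINAL_ZONE),
        "wrong_ticket_rejected":
            verify_namespace_claim("org.abc", "TICKET-9999", ORIGINAL_ZONE),
        "new_registrant_also_passes":
            verify_namespace_claim("org.abc.tools", "TICKET-2042", POST_TAKEOVER_ZONE),
    }


if __name__ == "__main__":
    for name, passed in scenario().items():
        print(f"{name}: {passed}")
    print("keep registered:", namespace_domains(["org.abc", "org.abc.tools", "com.example.lib"]))
```

The `namespace_domains` helper is the practical takeaway for maintainers: derive the set of domains your group IDs depend on and treat them like any other production asset, because the repository operator has no other way to tell you apart from whoever holds that domain next.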

3. DNS-Misconfiguration

Sometimes, domain takeovers occur due to misconfigurations in DNS settings. Attackers can exploit these misconfigurations to gain control of the domain or subdomains and thereby redirect traffic to malicious servers.

3.1 What Is a Critical DNS Misconfiguration?

A critical Domain Name System (DNS) misconfiguration is an error in the configuration of a DNS system that can have severe consequences for the availability, security, and functionality of a domain or network. DNS is a crucial Internet component that translates human-readable domain names (like example.com) into the IP addresses that computers use to identify and communicate with each other. A DNS misconfiguration can lead to a variety of problems, including:

1. Service Interruption

A misconfigured DNS record can cause service outages, making a website or other online services inaccessible.

2. Vulnerabilities

Misconfigurations can introduce security vulnerabilities, for example by revealing sensitive information, enabling unauthorized access, or enabling DNS-related attacks such as DNS cache poisoning or DNS spoofing.

3. Data Loss

Incorrect DNS configurations can lead to data loss, as erroneous changes to DNS records can misdirect email or lose crucial domain-related information.

4. Performance Issues

Suboptimal DNS configurations can slow down domain name resolution and cause delays in website loading or other network activity.

5. Traffic Diversion

DNS misconfigurations can inadvertently direct traffic to the wrong IP addresses or locations, potentially leading to data leaks, man-in-the-middle attacks, or other unintended consequences.

6. Domain-Hijacking

This is exactly the case of domain takeover considered here: unauthorized persons gain control of a domain and the services associated with it. Common examples of critical DNS misconfigurations include errors in DNS records (A, CNAME, MX, TXT records), incorrect IP address assignments, outdated or expired DNS information (records that still point at decommissioned hosts or services), and unauthorized changes to DNS settings.

4. Phishing/Theft Of Credentials

Attackers can also use phishing attacks to trick domain owners or those with administrative access to domain management accounts into revealing their credentials. Once they have the credentials, they can log in and take control of the domain.

5. Subdomain-TakeOver

A subdomain takeover occurs when an unauthorized person or organization gains control of a subdomain of a domain they do not own and thereby effectively takes ownership of it. Typically the subdomain's DNS record (often a CNAME) still points at an external resource, such as a hosted site, storage bucket or PaaS application, that has since been deleted or released; the attacker simply claims that resource at the provider, and the subdomain now serves their content under the victim's name. This unauthorized control can lead to various security risks and potential misuse. The key factors contributing to subdomain takeover are misconfigurations, abandoned resources, and external service integrations.
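Both the "outdated or expired DNS information" case under DNS misconfiguration and the subdomain takeover described here show up the same way in a zone: a CNAME whose target is gone or unclaimed. The scanner below is an added example written for this article, not the author's code. It walks a zone, flags CNAMEs whose target no longer resolves (NXDOMAIN) and CNAMEs that point at a takeover-prone provider where the name is still unclaimed. The zone records, resolver answers, provider names and "unclaimed" fingerprints are all constructed; in a real scan the two stub callables are replaced by DNS and HTTP lookups, and the fingerprint table comes from your own provider inventory.

```python
"""Dangling-CNAME scan for subdomain takeover candidates.

Added example for this article, not the author's code. Zone records,
resolver answers, provider names and the 'unclaimed' fingerprints are all
constructed; real scans replace the two stub callables with DNS and HTTP.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    reason: str


# Constructed: hosting providers where any customer can claim an unclaimed
# name, and the text each serves for a name nobody has claimed yet.
UNCLAIMED_FINGERPRINTS = {
    "pages.example-host.test": "No such site configured",
    "apps.example-paas.test": "No app deployed at this name",
}


def provider_of(target: str) -> Optional[str]:
    """Return the takeover-prone provider a CNAME target belongs to, if any."""
    for suffix in UNCLAIMED_FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def scan_zone(zone: list[Record],
              resolve_status: Callable[[str], str],
              fetch_body: Callable[[str], str]) -> list[Finding]:
    """Flag CNAMEs whose target is gone (NXDOMAIN) or sits unclaimed at a
    takeover-prone provider. resolve_status returns 'OK', 'NXDOMAIN' or
    'SERVFAIL' for a name; fetch_body returns the HTTP body served for it."""
    findings: list[Finding] = []
    for rec in zone:
        if rec.rtype.upper() != "CNAME":
            continue
        target = rec.value.lower().rstrip(".")
        if resolve_status(target) == "NXDOMAIN":
            findings.append(Finding(rec.name, target,
                "CNAME target no longer exists; whoever registers it inherits this name"))
            continue
        provider = provider_of(target)
        if provider and UNCLAIMED_FINGERPRINTS[provider] in fetch_body(rec.name):
            findings.append(Finding(rec.name, target,
                f"name is unclaimed at {provider}; any customer there can claim it"))
    return findings


# Constructed zone and stubbed DNS/HTTP answers.
CONSTRUCTED_ZONE = [
    Record("www.example-corp.com", "CNAME", "lb.example-corp.com."),
    Record("docs.example-corp.com", "CNAME", "example-corp.pages.example-host.test."),
    Record("beta.example-corp.com", "CNAME", "beta-old.apps.example-paas.test."),
    Record("shop.example-corp.com", "CNAME", "shop-live.apps.example-paas.test."),
    Record("mail.example-corp.com", "A", "192.0.2.25"),
]
CONSTRUCTED_RESOLUTION = {
    "lb.example-corp.com": "OK",
    "example-corp.pages.example-host.test": "OK",
    "shop-live.apps.example-paas.test": "OK",
}
CONSTRUCTED_BODIES = {
    "docs.example-corp.com": "<h1>No such site configured</h1>",
    "shop.example-corp.com": "<h1>Welcome to the shop</h1>",
}


def stub_resolve(name: str) -> str:
    return CONSTRUCTED_RESOLUTION.get(name, "NXDOMAIN")


def stub_fetch(name: str) -> str:
    return CONSTRUCTED_BODIES.get(name, "")


def scan_sample() -> list[Finding]:
    return scan_zone(CONSTRUCTED_ZONE, stub_resolve, stub_fetch)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

On the constructed zone, `beta` is flagged because its PaaS target has vanished and `docs` because the hosting provider still reports the name as unclaimed; `www` and `shop` are left alone. The NXDOMAIN signal is reliable on its own; the fingerprint check is provider-specific and needs to be maintained, which is why the table is a separate, editable input rather than hard-wired into the scanner.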

6. DNS-Cache-Poisoning

Attackers may also try to poison DNS caches so that a resolver answers a lookup for a legitimate domain with a malicious IP address. This amounts to a temporary domain takeover: users of the poisoned resolver are sent to the attacker's server instead of the intended website, even though the domain registration and the authoritative zone were never touched.

Once the attacker gains control of a domain, they can use it for various malicious purposes, such as hosting fake websites for phishing attacks, distributing malware, or intercepting communications. This can damage the domain owner's reputation, jeopardize user security and privacy, and result in legal and financial consequences for the legitimate domain owner.

An Example From History

A notable historical example of a domain takeover is the campaign of the Syrian Electronic Army (SEA) in 2013. The SEA was a group of hacktivists who supported the Syrian government and targeted websites, social media accounts, and domains of media organizations to promote their political agenda. Among the most high-profile incidents were the takeovers of several well-known media organizations' Twitter accounts and, in August 2013, the hijacking of the New York Times domain.

On 27 August 2013, the SEA obtained, through targeted phishing, the credentials of a reseller of Melbourne IT, the registrar of record for nytimes.com. With that access they changed the domain's DNS records, redirecting traffic for the New York Times website to a server controlled by the SEA. As a result, visitors to The New York Times website were greeted with a message from the SEA, or with nothing at all, instead of the expected news content; the site was unreachable for many hours. DNS records for Twitter's twimg.com were altered in the same incident.

This domain takeover disrupted the New York Times' online operations and raised concerns about the security of domain registrars and their resellers. The incident highlighted the importance of protecting domain management accounts, including those held by third parties on your behalf, and the potential impact of domain takeovers on well-known media organizations and their readership.

How Do You Protect Yourself From These Attacks?

To protect yourself from domain takeovers, it is essential for domain owners to:

  1. Keep your domain registrations current and renew them on time; keep an inventory of every domain that is still referenced in configurations, not just the ones that are in active use.
  2. Use strong authentication and authorization mechanisms for domain management accounts, including multi-factor authentication and the registrar or registry locks your provider offers.
  3. Regularly monitor and check your DNS configurations for misconfigurations, in particular records that point at resources you no longer control.
  4. Educate your team about the risks of social engineering and phishing attacks.
  5. Use domain security services and technologies, such as change monitoring and DNSSEC, to detect and prevent unauthorized changes to domain settings.

This is not an exhaustive list, but it is a good start to preventing the most common attack vectors.

Conclusion

We have seen many different attack vectors that can lead to a loss of control over a domain or subdomain. These attacks are still prevalent and are used successfully even against large companies. Unfortunately, many small companies have exactly these vulnerabilities: abandoned resources in the subdomain area. I recommend that every project member pay close attention to what is still referenced in firewall and DNS configurations, including those of testing and development infrastructure.

Happy Coding

Sven


Published at DZone with permission of Sven Ruppert. See the original article here.
