Subdomain takeover attacks on the rise and harder to monitor

A research from Detectify found that subdomain takeovers are on the rise but are also getting harder to monitor as domains now seem to have more vulnerabilities in them.

In 2021, Detectify detected 25% more vulnerabilities in its customers’ web assets compared to 2020 with twice the median number of vulnerabilities per domain, demonstrating the outsized impact an external attack surface monitoring (EASM) tool can have on an organization’s cybersecurity programme.

The modern infrastructure is controlled by the DNS with pointers to both internal and third-party services. As a result, organizations are simultaneously expanding their attack surface and inviting potential cyber threats. Unknown subdomains can be challenging, as they are not always closely monitored. When the service which points to the subdomain expires or is forgotten, they become a potential foothold or entry point for attackers to steal sensitive company information or launch phishing campaigns.

Over the past year, the research narrowed in on a recent trend – as attack surfaces grow, so do subdomain takeovers. Domain takeovers grew 20% faster with the increase in attack surfaces. The research found that of the number of scanned apex and subdomains from 2020 to 2021, vulnerabilities increased as much as 25%.

Subdomain takeovers and vulnerabilities per domains on the rise

Over the past year, a 20% increase was seen in domain takeovers. Out of the assets scanned – which includes apex domains and subdomains – 25% more vulnerabilities were seen in 2021 than in 2020.

In addition, the median number of vulnerabilities per domain has increased 100% since 2020. The research shows that not only are more domains vulnerable to subdomain takeovers, but above all, apex domains typically contain more vulnerable subdomains now than in the past.

Background: What are subdomains and why are they important?

Subdomains are an additional part of a larger domain under the Domain Name System (DNS) structure. For instance, blog.acme.com and helpdesk.acme.com are subdomains where acme.com is an apex domain. Subdomain takeovers occur when an agent gains control over a subdomain of a target domain. This can happen when the subdomain has a canonical name in the DNS, but no host is providing content for it, which can happen because either a virtual host hasn’t been published yet or a virtual host has been removed.

Subdomain takeover can also be done by DNS hijacking where the attacker compromises the target’s name server records. Attackers can exploit DNS misconfigurations to hijack subdomains that are considered as trusted by the target website. While this method is less common, the severity is typically a lot higher in the latter case.

Mitigation

While it continues to remain an underestimated and widespread vulnerability, the rise of cloud solutions certainly has further escalated the increase in subdomain takeovers. Attackers continue to up their game and use more sophisticated methods to infiltrate a company, and without a proper monitoring system, it is harder to monitor them. The only way is to keep an inventory of all subdomains created and deploy an external attack surface management tool to continuously scan and monitor them for any potential bugs.

Rickard Carlsson, CEO of Detectify further explained: “With attack surfaces growing and the DNS becoming the heart of the infrastructure, we will likely see subdomain takeover vulnerabilities increasing. Subdomain takeover attacks have gotten way more complex since the concept was first introduced by security researchers back in 2014. Our data suggests they’re harder to keep control of as they have started appearing in more advanced software services.”