Subdomain takeovers continue to be a major security threat for organizations using Cloud to deliver public services.

Cloud infrastructure allows organizations to deploy environments quickly and tear them down on-demand.

Domain name systems (DNS) of the cloud infrastructure are continuously updated to point to newly deployed resources. Unfortunately, organizations often fail to remove old pointers in the DNS either because they were manually created or the cleanup job did not take DNS changes into account. This leads to a dangling domain record, also known as an orphaned domain, that is no longer associated with an active website or an online resource.

Dangling domains can be a security risk because they may be vulnerable to subdomain takeovers or other types of attacks.

Old subdomains are a risk

In this scenario, an attacker can take control of a subdomain (e.g., "blog.mycompany.com") that was configured to point to a cloud service no longer in use or has been misconfigured. This vulnerability allows the attacker to host malicious content on the subdomain and likely compromise the security of the main domain (e.g., "mycompany.com"). The impacted organization can be exposed in multiple ways.

Subdomain takeover can be used to steal sensitive data by hijacking the traffic directed towards it - if it is still serving the expected content. This can compromise sensitive data like credit card numbers, passwords, and personal information (PII). This can in turn lead to reputational and financial damage for the organization, leading to regulatory actions.

For example, a dangling domain on AWS could refer to a domain that was previously associated with an Amazon S3 bucket, CloudFront distribution, or on ElasticBeanstalk, but is no longer being used or is misconfigured or mismatched. A similar case can exist in Azure Storage, Azure DNS, Google Storage, and Google Cloud DNS.

To avoid subdomain takeovers, organizations must carefully manage their subdomain configuration and ensure that they are not pointing to cloud services that are no longer in use. This is usually accomplished through the use of DNS records, which specify the IP addresses to which subdomains should point. Organizations can help prevent subdomain takeovers and protect the security of their domains by carefully managing these records and regularly reviewing them to ensure that they are up to date.

Another approach towards reducing subdomain takeover is to reverse the cleanup process when the infrastructure tear-down or clean-up happens. The usual order of clean-up or deletion should begin from the DNS service like Route53, Azure DNS, or Google Cloud DNS, followed by the CDN entry, and then finally the deletion of the resource. This is the exact reverse order in which the services are created in the first place.

Tools can help

Organizations can use security tools and services that can monitor for subdomain takeovers and notify them if an attack is detected to protect their subdomains in addition to managing DNS records. These tools can assist businesses in taking swift action to counter potential threats and stop subdomain takeovers.

In the end, being proactive and regularly reviewing and updating the configuration of your subdomains to make sure they are secure and are not pointing to cloud services that are no longer in use will help prevent subdomain takeovers. By taking these actions, you can aid in defending your company's assets against subdomain takeovers and other kinds of cyberattacks arising from them.

The following video explains subdomain takeovers