Podcast
Root Causes 373: Massive Brand Hijack Subverts More Than 21,000 Domains and Subdomains
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
March 29, 2024
A massive name space attack has hijacked more than 21,000 domains and subdomains, including a who's who list of major global brands. This huge and innovative attack takes advantage of inherited trust in abandoned domains. We explain what is happening.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanOkay, so this is a news item that is all over the news. You can read about it in pretty much any place that covers computer press so I'm not going to point you at a specific article. But there recently has been information released by a company called Guardio Labs. They talk about a massive domain hijacking attack that involves more than 8000 domain names and more than 13,000 subdomains, and this is an attack called ResurrecADS. R-e-s-u-r-r-e-c-A-D-S. So Jason, what's going on here?
Jason SorokoWe had podcasted on this previously, the idea of this.Tim CallanYeah.Jason SorokoRight? Which is the idea that - orphaned subdomains was our topic. Orphaned subdomains that were hosted in the cloud might have IP addresses that are no longer associated with those subdomains, or they are and the subdomains are no longer being used by the customer of the public cloud service. And so therefore, bad guys are now trying to enumerate this and figuring out oh, geez, there's a whole bunch of subdomains that are ready to go that I can start imprinting with - - all I got to do is take that IP address, and away I go. So Tim, there's an expansion to the story. And by the way, let’s start quoting the numbers here of the numbers of domains and subdomains being affected here, right. 8000s domains and 13,000 subdomains and I bet you, Tim, that's just the beginning, to be honest.
Tim CallanSure. And they rattle off a bunch. I mean, it's a bunch of huge brands. Here's a list I have in front of me, the ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, Price Waterhouse Coopers, Swatch, Symantec, The Economist, UNICEF and VMware. And that's just some of them.Jason SorokoYeah. I bet you it's - - let's just be honest. It's probably almost everyone.Tim CallanYeah. With that number, it has to be.Jason SorokoYeah. So Tim, here's what we didn't talk about in the last podcast and what I want to, here's what the story is adding to what we talked about previously. It's this.So, the bad guys have figured out one step further. It's not just hey, I'm gonna set up a subdomain against the economist, and therefore I'm going to set up a phishing attack let’s say. It goes beyond that because now these attackers have figured out that there is a lot of trust inheritance between domains and subdomains, Tim. In fact, let me quote directly from one of the articles I'm reading here, that says – and this is from The Hacker News. “In particular, the campaign leverages the trust associated with these domains to circulate spam and malicious phishing emails by the millions each day cunningly using their credibility and stolen resources to slip past security measures.” What security measures are we talking about? Well, Tim, its SPF, right?
Tim CallanRight.Jason SorokoSender Policy Framework.Tim CallanSure.Jason SorokoDomain Keys Identified Mail, right. DKIM, the which we've talked about.Tim CallanAnd DMARC.Jason SorokoAnd DMARC, which if you don't know what those are, we have podcasted about that in the past. These are all ways to prevent email impersonation, if you will, at the domain level. So, Tim, the reason for this is because - -Tim CallanSo what DMARC and this framework allows you to do is you can pick a certain set of senders that are allowed to work on these particular domains but if I can take over that subdomain, I basically can circumvent that whole thing by being a legitimate official domain, right? And, or by becoming a sender that DMARC allows, right? That's the other way that I can do it. So it can be an email that will pass through DMARC that will appear to come from your domain name because I took over the source that DMARC has already said is allowed to be a sender.Jason SorokoExactly, Tim. So let's talk about a bit of a nightmare scenario here. So let's talk about a website. In fact, one of the examples that was given by the Hacker News - - I'm going to use this just because it's as good as any other. You have marthastewart.msn.com and there is a related - - there is a related domain, msnmarthastewartsweets.com. Okay?Tim CallanOkay.Jason SorokoAnd so here's what's interesting. There was a malicious email that was detected coming out of an SMTP server out of Kyiv. It was being flagged as being sent from return underscore UIKVW at marthastewart.msn.com. Now, it bypassed every method of email domain verification that exists. But think about this, Tim. This is what they're trying to say here that both the domains that I quoted previously, were legit and briefly active at some point in 2001. They were left abandoned for 21 years.Tim CallanRight. Sure. And it just sat there.Jason SorokoSo Martha Stewart, msnmarthastewartsweets.com was privately registered in September 2022. And oh, my goodness, the CNAME takeover that's really at the heart of all this, it means that my god people, there's homework to be done here. There is homework to be done. You need to not - - when Tim and I were podcasting about this previously about this public cloud, dangling DSN record against subdomain problem, we didn't even envision that oh, yeah, the trust inheritance from these domains remains active. And so you might have 21 year old domains that were inherited that people are now taking over in order to be able to send emails from and because of that inherited trust of a main domain, oh my goodness, it's getting by a lot of the popular methods of protecting email domain assurance. And that to me is a story in itself.Tim CallanIt is. And another thing that I find is interesting, Jason, is oftentimes white hats, and sort of the security minded purveyors of information of which we’re just a minor example sometimes they're out ahead of the threats, right. So you and I were talking about harvest and decrypt and PQC long before we think that was really going on, by way of example. We think it's going on now, but I don't think it was going on four years ago and we were discussing it then. This one, fascinatingly, has emerged as a part of the dialogue very recently. Like a year ago, nobody was talking about this. Six months ago, nobody was really talking about this. It has emerged very recently as part of the dialogue about what's going on in the world of security and yet, now we are watching this massive attack. That's a real life attack. It's not hypothetical. And so in that way, right, it's different from let's say, BGP attacks, and DCV circumvention, which is definitely identified as a risk, right? You and I have podcasted on that in the past. Identified as a risk and steps are being taken to prevent that from becoming a real thing. And there's no reason to believe that that's happening at any kind of scale today. We just want to make sure it doesn't. In this case, this is happening at scale today, right?Jason SorokoYes.Tim CallanThis is not tomorrow's problem. This is yesterday's and today's problem.Jason SorokoTim, can I attempt to oversimplify how big the problem is?Tim CallanSure.Jason SorokoLet me try. Tim, you and I have both been through computer security training in our enterprise and so has everybody else, right? It's just the thing to do. And one of the things you're taught is, check the domain that an email comes from. It's what you're taught. Part of what you're taught. And guess what? What this means is, and the reason I made the point of this, this affects everyone because your average IT administrator is like well, we've got SPF, we've got DKIM, and we got DMARC, and we got all this other stuff. So that training holds, right?Tim CallanYep.Jason SorokoIt holds. I'm sorry, folks. It kinda almost isn't good enough anymore.Tim CallanAnd I looked at the header, and indeed it came from the real domain name, right. We know we can't trust from addresses, but we can see where it really came from. I looked at it was right. And along the same lines, right, is if I wind up getting plunked on a page somewhere, check the domain of that page and you're go, nope, that's the real thing. Absolutely. And that's what's so treacherous about this is that, you know, and you and I just discussed this in our episode, I think it was 365. Is that right? Yes. 365. And exactly that. The fact is that all of us for our entire adult lives have been trained to look at the domain name. It is second nature. It is something like so basic. If someone doesn't know that you think they must be a baby and now it turns out that that doesn't necessarily do the job. And that's a mind blower and that's a conundrum.Jason SorokoIn order to get back to that comfy state we're living in six months ago a couple things are going to have to happen. Number one, there are vendors right now that will help you to enumerate your problem because we've now figured out how the bad guy is doing this and what you should do is look at your own dangling DNS problem. Just do it. Okay? There are vendors out there, just - - I'm not a salesperson, so I'm not gonna name the names, but there it is. Go find a vendor and look at it. What I think is eventually gonna have to happen, Tim, is the public clouds, and the hosting people who are out there are gonna have to offer some help.
Tim CallanYeah.Jason SorokoTo audit these conditions.Tim CallanRight.Jason SorokoAnd it's gonna be work, but the tooling has to come out first.Tim CallanOr you wonder if there can be some kind of automatic cleanup put in place where you could set an expiration. Like if I'm gonna run a campaign. So like, if you talk about something like marthastewartssweeps, right, that sounds to me like a marketing site that is going to be used for a limited period of time, and then that's going to be done. So you know, could the tooling be in place where I'm going to set a time limit and I'm going to say, expire this after a year, or after six months, or after nine months, just shut it down, and go do it automatically. And do it in a predictable way where there won't be any errors or won't be forgotten. You know, in a lot of ways this feels to me just like, you know, we talked about certificate management all the time, right. The reason that people have these outages is because there's some action that has to be taken and it doesn't get taken. And you got something similar here, like, in a perfect world where everybody cleaned up after themselves, this wouldn't be an issue, but people don't clean up after themselves. But you could start to imagine where tooling would help that. When I set it up, I could say this is going to expire in six months, and then the software could go clean it up for me. Now, that could be an aftermarket platform. That could be something that's just sitting in your public cloud tooling. There's various ways that that could be delivered. But it feels to me like that is a valuable function that we're really almost entirely lacking today.
Jason SorokoIt's almost entirely lacking because I happen to know that there are vendors out there who will help. What you're talking about, which is an automated cleanup is a whole other story.I think that we'll get there. We're gonna have to get there because this is too big of a problem. What I will say, though, my take on what you just said is, it's going to be a hybrid. You're gonna have to have human eyes evaluating and then you can click a button and have things automated quickly. But you know, look public cloud.
Tim CallanWell, and you’ll probably have a mix, right? It'll depend on use case, and it will depend on your level of confidence. Like if I'm running a campaign, and it's going to be done in 90 days, and I know that, then why wouldn't I have something that just automatically blows everything up in six months.Jason SorokoOh, for net new, Tim, for net new, no brainer.Tim CallanSure. Right. But yes, you're right. Like we're talking about something that was established in 2001. Right? So all that old stuff is going to have to get looked at and cleaned up too and you're right, that's going to be tough. But there might be ways that tooling could help with that, right? Maybe you could look at activity. Maybe there would be other markers or qualities you could use to flag things as things that are likely okay to clean up or likely still in production. Like there's ways that you could approach this, I think.Jason SorokoYou know, some of you might be asking, why are you know, Jay and Tim talking about this? Well, I tell you what - -Tim CallanBecause we are interested.Jason SorokoWell, I’ll tell you what, Tim and Jay are – we are purveyors of certificates for these domains.Tim CallanAbsolutely. Right. TLS certificates and domains are yin and yang. They’re inseparable. They completely affect each other. Their lives are intertwined to the point, and you and I've talked about this in the past too, where we consider it fair game to discuss important things in the world of domains and domaining because they directly, they affect certificates and vice versa. And I think this is just a huge story in the world of domains that you and I couldn't ignore.Jason SorokoTim, that's it. And so, folks, this interests everyone. I don't think there's an enterprise in the world today who shouldn't be on this. There's homework here, folks. So, check on it.Tim CallanThere you go. Thank you, Jason. I am certain we're going to return to the story again.Jason SorokoWe will. Guaranteed.Tim CallanThank you very much. This has been Root Causes.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
