New research from Detectify, the SaaS security company powered by ethical hackers, found that subdomain takeovers are on the rise and are also getting harder to monitor, as domains now contain more vulnerabilities. In 2021, Detectify detected 25% more vulnerabilities in its customers' web assets than in 2020, with twice the median number of vulnerabilities per domain, demonstrating the outsized impact an External Attack Surface Monitoring (EASM) tool can have on an organization's cybersecurity programme.
Modern infrastructure is controlled by the DNS, with pointers to both internal and third-party services. As a result, organizations are simultaneously expanding their attack surface and inviting potential cyber threats. Unknown subdomains are challenging because they are not always closely monitored. When the service a subdomain points to expires or is forgotten, the subdomain becomes a potential foothold or entry point for attackers to steal sensitive company information or launch phishing campaigns. Over the past year, we have zeroed in on a recent trend: as attack surfaces grow, so do subdomain takeovers. Domain takeovers grew 20% faster with the increase in attack surfaces. Our research found that, across the apex domains and subdomains scanned from 2020 to 2021, vulnerabilities increased by as much as 25%.
Key Findings
Subdomain takeovers and vulnerabilities per domain on the rise
Detectify has been monitoring subdomain takeovers among our customers year-over-year to detect patterns and ensure we are providing the proper mitigation support. Over the past year, a 20% increase was seen in domain takeovers. Across the assets scanned, which include apex domains and subdomains, 25% more vulnerabilities were seen in 2021 than in 2020. In addition, the median number of vulnerabilities per domain has increased 100% since 2020. The research shows that not only are more domains vulnerable to subdomain takeovers, but above all, apex domains typically contain more vulnerable subdomains now than in the past.
Background: What are subdomains and why are they important?
Subdomains are an additional part of a larger domain under the Domain Name System (DNS) structure. For instance, blog.acme.com and helpdesk.acme.com are subdomains where acme.com is the apex domain. A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. This can happen when the subdomain has a canonical name (CNAME) record in the DNS but no host is providing content for it, either because a virtual host has not been published yet or because a virtual host has been removed.
Subdomain takeover can also be achieved by DNS hijacking, where the attacker compromises the target's name server records. Attackers can exploit DNS misconfigurations to hijack subdomains that the target website treats as trusted. While this method is less common, its severity is typically much higher. Subdomain takeover was pioneered by ethical hacker Frans Rosén and popularized by Detectify in a blog post back in 2014; however, it remains an overlooked and widespread vulnerability.
Mitigation
While subdomain takeover remains an underestimated and widespread vulnerability, the rise of cloud solutions has further accelerated its increase. Attackers continue to up their game and use more sophisticated methods to infiltrate a company, and without a proper monitoring system these methods are harder to track. The only way to stay ahead is to keep an inventory of all subdomains created and deploy an external attack surface management tool to continuously scan and monitor them for any potential bugs.
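One way to run the inventory check described above, as an added example that is not Detectify's code: every name in the inventory is followed through its CNAME chain, and a chain that ends at a name which no longer exists (the "canonical name but no host" condition) is flagged as dangling. The snapshot, its names and the resolver are constructed placeholders; a live DNS lookup would be injected in their place.

```python
"""Dangling-CNAME inventory check (added example, not Detectify's code).
Follows each CNAME chain in a subdomain inventory and flags entries whose
chain ends at a name that no longer exists (NXDOMAIN): the 'canonical name
but no host' condition. The resolver is injected so this runs offline on a
constructed snapshot; swap in a live DNS lookup for real use."""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (rtype, target or address)
# Constructed snapshot; names absent from it are NXDOMAIN. All hypothetical.
SNAPSHOT: Dict[str, Record] = {
    "www.acme.example": ("A", "203.0.113.10"),
    "blog.acme.example": ("CNAME", "blog-hosting.provider.example"),
    "blog-hosting.provider.example": ("A", "203.0.113.20"),
    "helpdesk.acme.example": ("CNAME", "acme-help.saas.example"),  # target gone
    "old.acme.example": ("CNAME", "alias.acme.example"),
    "alias.acme.example": ("CNAME", "retired.cloud.example"),  # target gone
    "a.acme.example": ("CNAME", "b.acme.example"),
    "b.acme.example": ("CNAME", "a.acme.example"),  # misconfigured loop
}
INVENTORY: List[str] = [n for n in SNAPSHOT if n.endswith(".acme.example")]

def snapshot_resolver(name: str) -> Optional[Record]:
    """Look a name up in the snapshot; None stands for NXDOMAIN."""
    return SNAPSHOT.get(name)

def classify(name: str, resolve: Callable[[str], Optional[Record]],
             max_hops: int = 8) -> str:
    """Return 'ok', 'dangling', 'unresolved' or 'loop' for one entry."""
    seen, current = set(), name
    for _ in range(max_hops):
        if current in seen:
            return "loop"
        seen.add(current)
        rec = resolve(current)
        if rec is None:
            # Non-existent name: dangling if reached via a CNAME, merely
            # unresolved if the inventory entry itself is gone.
            return "dangling" if current != name else "unresolved"
        rtype, target = rec
        if rtype != "CNAME":
            return "ok"
        current = target
    return "loop"  # chain too long; treat as misconfigured

def audit(inventory: List[str], resolve=snapshot_resolver) -> Dict[str, str]:
    """Classify every inventory entry; anything not 'ok' needs review."""
    return {n: classify(n, resolve) for n in inventory}

if __name__ == "__main__":
    print(*(f"{s:10} {n}" for n, s in audit(INVENTORY).items()), sep="\n")
```

Entries reported as dangling are the ones to reclaim or delete before the abandoned target can be registered by someone else.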
Rickard Carlsson, Co-founder & CEO of Detectify further explained: “With attack surfaces growing and the DNS becoming the heart of the infrastructure, we will likely see Subdomain Takeover vulnerabilities increasing. Subdomain takeover attacks have gotten way more complex since the concept was first introduced by security researchers back in 2014. Our data suggests they’re harder to keep control of as they have started appearing in more advanced software services.”
Detectify’s role
It's no secret that keeping track of your subdomains and new public vulnerabilities is a herculean task. Attackers have eyes all over the web and always look where others aren't looking. Detectify Surface Monitoring leverages the Crowdsource community of over 400 handpicked ethical hackers, monitors your subdomain inventory, and dispatches alerts as soon as an asset is vulnerable to a potential takeover. The tool constantly monitors targets for changes and continuously scans every subdomain. EASM tools can help prioritize this task by notifying you of the presence of actually exploitable vulnerabilities. It identifies misconfigured or unauthorized subdomains, so you can find and fix them before a subdomain takeover happens.
About Detectify
Detectify sets the standard for External Attack Surface Management (EASM), providing 99.7% accurate vulnerability assessments. ProdSec and AppSec teams trust Detectify to expose exactly how attackers will exploit their Internet-facing applications. The Detectify platform automates continuous real-world, payload-based attacks crowdsourced through its global community of elite ethical hackers, exposing critical weaknesses before it’s too late. Go hack yourself: detectify.com