Podcast Mar 29, 2024

Root Causes 373: Massive Brand Hijack Subverts More Than 21,000 Domains and Subdomains

A massive name space attack has hijacked more than 21,000 domains and subdomains, including a who's who list of major global brands. This huge and innovative attack takes advantage of inherited trust in abandoned domains. We explain what is happening.

  • Original Broadcast Date: March 29, 2024

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Okay, so this is a news item that is all over the news. You can read about it in pretty much any place that covers computer press so I'm not going to point you at a specific article. But there recently has been information released by a company called Guardio Labs. They talk about a massive domain hijacking attack that involves more than 8000 domain names and more than 13,000 subdomains, and this is an attack called ResurrecADS. R-e-s-u-r-r-e-c-A-D-S. So Jason, what's going on here?

  • Jason Soroko

    We had podcasted on this previously, the idea of this.

  • Tim Callan

    Yeah.

  • Jason Soroko

    Right? Which is the idea that - orphaned subdomains was our topic. Orphaned subdomains that were hosted in the cloud might have IP addresses that are no longer associated with those subdomains, or they are and the subdomains are no longer being used by the customer of the public cloud service. And so therefore, bad guys are now trying to enumerate this and figuring out oh, geez, there's a whole bunch of subdomains that are ready to go that I can start imprinting with - - all I got to do is take that IP address, and away I go.

    So Tim, there's an expansion to the story. And by the way, let’s start quoting the numbers here of the numbers of domains and subdomains being affected here, right. 8000 domains and 13,000 subdomains and I bet you, Tim, that's just the beginning, to be honest.

  • Tim Callan

    Sure. And they rattle off a bunch. I mean, it's a bunch of huge brands. Here's a list I have in front of me, the ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, Price Waterhouse Coopers, Swatch, Symantec, The Economist, UNICEF and VMware. And that's just some of them.

  • Jason Soroko

    Yeah. I bet you it's - - let's just be honest. It's probably almost everyone.

  • Tim Callan

    Yeah. With that number, it has to be.

  • Jason Soroko

    Yeah. So Tim, here's what we didn't talk about in the last podcast and what I want to, here's what the story is adding to what we talked about previously. It's this.

    So, the bad guys have figured out one step further. It's not just hey, I'm gonna set up a subdomain against The Economist, and therefore I'm going to set up a phishing attack let’s say. It goes beyond that because now these attackers have figured out that there is a lot of trust inheritance between domains and subdomains, Tim. In fact, let me quote directly from one of the articles I'm reading here, that says – and this is from The Hacker News. “In particular, the campaign leverages the trust associated with these domains to circulate spam and malicious phishing emails by the millions each day cunningly using their credibility and stolen resources to slip past security measures.” What security measures are we talking about? Well, Tim, it's SPF, right?

  • Tim Callan

    Right.

  • Jason Soroko

    Sender Policy Framework.

  • Tim Callan

    Sure.

  • Jason Soroko

    DomainKeys Identified Mail, right. DKIM, which we've talked about.

  • Tim Callan

    And DMARC.

  • Jason Soroko

    And DMARC, which if you don't know what those are, we have podcasted about that in the past. These are all ways to prevent email impersonation, if you will, at the domain level. So, Tim, the reason for this is because - -

  • Tim Callan

    So what DMARC and this framework allows you to do is you can pick a certain set of senders that are allowed to work on these particular domains but if I can take over that subdomain, I basically can circumvent that whole thing by being a legitimate official domain, right? And, or by becoming a sender that DMARC allows, right? That's the other way that I can do it. So it can be an email that will pass through DMARC that will appear to come from your domain name because I took over the source that DMARC has already said is allowed to be a sender.

  • Jason Soroko

    Exactly, Tim. So let's talk about a bit of a nightmare scenario here. So let's talk about a website. In fact, one of the examples that was given by the Hacker News - - I'm going to use this just because it's as good as any other. You have marthastewart.msn.com and there is a related - - there is a related domain, msnmarthastewartsweets.com. Okay?

  • Tim Callan

    Okay.

  • Jason Soroko

    And so here's what's interesting. There was a malicious email that was detected coming out of an SMTP server out of Kyiv. It was being flagged as being sent from return underscore UIKVW at marthastewart.msn.com. Now, it bypassed every method of email domain verification that exists. But think about this, Tim. This is what they're trying to say here that both the domains that I quoted previously, were legit and briefly active at some point in 2001. They were left abandoned for 21 years.

  • Tim Callan

    Right. Sure. And it just sat there.

  • Jason Soroko

    So Martha Stewart, msnmarthastewartsweets.com was privately registered in September 2022. And oh, my goodness, the CNAME takeover that's really at the heart of all this, it means that my god people, there's homework to be done here. There is homework to be done. You need to not - - when Tim and I were podcasting about this previously about this public cloud, dangling DNS record against subdomain problem, we didn't even envision that oh, yeah, the trust inheritance from these domains remains active. And so you might have 21-year-old domains that were inherited that people are now taking over in order to be able to send emails from and because of that inherited trust of a main domain, oh my goodness, it's getting by a lot of the popular methods of protecting email domain assurance. And that to me is a story in itself.

  • Tim Callan

    It is. And another thing that I find is interesting, Jason, is oftentimes white hats, and sort of the security minded purveyors of information of which we’re just a minor example, sometimes they're out ahead of the threats, right. So you and I were talking about harvest and decrypt and PQC long before we think that was really going on, by way of example. We think it's going on now, but I don't think it was going on four years ago and we were discussing it then. This one, fascinatingly, has emerged as a part of the dialogue very recently. Like a year ago, nobody was talking about this. Six months ago, nobody was really talking about this. It has emerged very recently as part of the dialogue about what's going on in the world of security and yet, now we are watching this massive attack. That's a real life attack. It's not hypothetical. And so in that way, right, it's different from let's say, BGP attacks, and DCV circumvention, which is definitely identified as a risk, right? You and I have podcasted on that in the past. Identified as a risk and steps are being taken to prevent that from becoming a real thing. And there's no reason to believe that that's happening at any kind of scale today. We just want to make sure it doesn't. In this case, this is happening at scale today, right?

  • Jason Soroko

    Yes.

  • Tim Callan

    This is not tomorrow's problem. This is yesterday's and today's problem.

  • Jason Soroko

    Tim, can I attempt to oversimplify how big the problem is?

  • Tim Callan

    Sure.

  • Jason Soroko

    Let me try. Tim, you and I have both been through computer security training in our enterprise and so has everybody else, right? It's just the thing to do. And one of the things you're taught is, check the domain that an email comes from. It's what you're taught. Part of what you're taught. And guess what? What this means is, and the reason I made the point of this, this affects everyone because your average IT administrator is like well, we've got SPF, we've got DKIM, and we got DMARC, and we got all this other stuff. So that training holds, right?

  • Tim Callan

    Yep.

  • Jason Soroko

    It holds. I'm sorry, folks. It kinda almost isn't good enough anymore.

  • Tim Callan

    And I looked at the header, and indeed it came from the real domain name, right. We know we can't trust from addresses, but we can see where it really came from. I looked at it, it was right. And along the same lines, right, is if I wind up getting plunked on a page somewhere, check the domain of that page and you go, nope, that's the real thing. Absolutely. And that's what's so treacherous about this is that, you know, and you and I just discussed this in our episode, I think it was 365. Is that right? Yes. 365. And exactly that. The fact is that all of us for our entire adult lives have been trained to look at the domain name. It is second nature. It is something like so basic. If someone doesn't know that you think they must be a baby and now it turns out that that doesn't necessarily do the job. And that's a mind blower and that's a conundrum.

  • Jason Soroko

    In order to get back to that comfy state we were living in six months ago, a couple things are going to have to happen.

    Number one, there are vendors right now that will help you to enumerate your problem because we've now figured out how the bad guy is doing this and what you should do is look at your own dangling DNS problem. Just do it. Okay? There are vendors out there, just - - I'm not a salesperson, so I'm not gonna name the names, but there it is. Go find a vendor and look at it. What I think is eventually gonna have to happen, Tim, is the public clouds, and the hosting people who are out there are gonna have to offer some help.

  • Tim Callan

    Yeah.

  • Jason Soroko

    To audit these conditions.

  • Tim Callan

    Right.

  • Jason Soroko

    And it's gonna be work, but the tooling has to come out first.

  • Tim Callan

    Or you wonder if there can be some kind of automatic cleanup put in place where you could set an expiration. Like if I'm gonna run a campaign. So like, if you talk about something like marthastewartssweeps, right, that sounds to me like a marketing site that is going to be used for a limited period of time, and then that's going to be done. So you know, could the tooling be in place where I'm going to set a time limit and I'm going to say, expire this after a year, or after six months, or after nine months, just shut it down, and go do it automatically. And do it in a predictable way where there won't be any errors or won't be forgotten.

    You know, in a lot of ways this feels to me just like, you know, we talked about certificate management all the time, right. The reason that people have these outages is because there's some action that has to be taken and it doesn't get taken. And you got something similar here, like, in a perfect world where everybody cleaned up after themselves, this wouldn't be an issue, but people don't clean up after themselves. But you could start to imagine where tooling would help that. When I set it up, I could say this is going to expire in six months, and then the software could go clean it up for me. Now, that could be an aftermarket platform. That could be something that's just sitting in your public cloud tooling. There's various ways that that could be delivered. But it feels to me like that is a valuable function that we're really almost entirely lacking today.

  • Jason Soroko

    It's almost entirely lacking because I happen to know that there are vendors out there who will help. What you're talking about, which is an automated cleanup is a whole other story.

    I think that we'll get there. We're gonna have to get there because this is too big of a problem. What I will say, though, my take on what you just said is, it's going to be a hybrid. You're gonna have to have human eyes evaluating and then you can click a button and have things automated quickly. But you know, look public cloud.

  • Tim Callan

    Well, and you’ll probably have a mix, right? It'll depend on use case, and it will depend on your level of confidence. Like if I'm running a campaign, and it's going to be done in 90 days, and I know that, then why wouldn't I have something that just automatically blows everything up in six months.

  • Jason Soroko

    Oh, for net new, Tim, for net new, no brainer.

  • Tim Callan

    Sure. Right. But yes, you're right. Like we're talking about something that was established in 2001. Right? So all that old stuff is going to have to get looked at and cleaned up too and you're right, that's going to be tough. But there might be ways that tooling could help with that, right? Maybe you could look at activity. Maybe there would be other markers or qualities you could use to flag things as things that are likely okay to clean up or likely still in production. Like there's ways that you could approach this, I think.

  • Jason Soroko

    You know, some of you might be asking, why are, you know, Jay and Tim talking about this? Well, I tell you what - -

  • Tim Callan

    Because we are interested.

  • Jason Soroko

    Well, I’ll tell you what, Tim and Jay are – we are purveyors of certificates for these domains.

  • Tim Callan

    Absolutely. Right. TLS certificates and domains are yin and yang. They’re inseparable. They completely affect each other. Their lives are intertwined to the point, and you and I've talked about this in the past too, where we consider it fair game to discuss important things in the world of domains and domaining because they directly, they affect certificates and vice versa. And I think this is just a huge story in the world of domains that you and I couldn't ignore.

  • Jason Soroko

    Tim, that's it. And so, folks, this interests everyone. I don't think there's an enterprise in the world today who shouldn't be on this. There's homework here, folks. So, check on it.

  • Tim Callan

    There you go. Thank you, Jason. I am certain we're going to return to the story again.

  • Jason Soroko

    We will. Guaranteed.

  • Tim Callan

    Thank you very much. This has been Root Causes.