Dangling DNS records are a target for bad actors, but distinguishing malicious from legitimate changes in resources isn't always easy. The team from ATHENE report on the main findings of their research into the abuse of dangling resources in the cloud.
Accurately operating digital resources is crucial for the security of the Internet. Managing resources requires not only creating and configuring them, but also releasing them correctly after they are no longer required.
However, in practice, when organisations release resources of services that are no longer needed, they often do not purge the infrastructure that was set up for them. In the case of DNS, this can create dangling DNS records.
In this article, we report on our longitudinal research study (between 2020 and 2023) of abuse of such dangling resources: across 12 cloud platforms we identified 20,904 hijacks that hosted malicious content. We detected hijacked domains in 219 Top Level Domains (TLDs) and abuses on popular clouds.
Dangling DNS records
The concept of dangling records is related to dangling pointers in programming, which occur when a variable's memory is deallocated. Similarly, DNS records become dangling when domain owners forget to purge the records. For example: a domain owner does not remove a mapping example.com A 192.0.2.0/24
of service example.com
to a cloud IP address 192.0.2.0/24
from the authoritative DNS server after the resource at 192.0.2.0/24
is discontinued and released.
One problem with this is that adversaries who succeed in re-registering the released resources pointed to by the existing DNS record are then able to launch attacks against clients that attempt to access the domain.
So, in our example, if an adversary can take over 192.0.2.0/24
it can control the content hosted under all DNS names that have records pointing to that IP address, since all requests to example.com
are sent to the adversary.
Taking over dangling DNS records is easy while detecting real-life abuses is hard
To find dangling resources, an adversary has to collect domain names (e.g., via passiveDNS or Certificate Transparency) and check which domain names are hosted on a cloud. The adversary then needs to identify hostnames which are not reachable and re-register them through an account with the cloud provider. All the traffic to the resources that the adversary successfully registered will be sent to the adversary via the now re-activated DNS record. These malicious changes in control over resources are hard to detect.
The fundamental challenge in detecting real-life abuses is detecting malicious vs. legitimate changes in resources. The hijacked resources often do not stand out and even have valid certificates. Approaches that look for changes in the infrastructure or in the content do not work, since changes are often legitimate and happen not only in abused, but also in legitimate resources. In addition, the huge data volumes involved and lack of known indicators make finding abuses equivalent to looking for a needle in a haystack.
Likely due to these kinds of challenges, although research has been carried out into dangling records, we know of no longitudinal studies of real-life abuses of dangling records prior to our own. In our research, we found that the key to finding real-life abuses was a combination of longitudinal data analysis from multiple sources with clustering of changes according to similarities and manual keyword derivation. Applying this approach we derived indicators which enabled detection of real-life hijacks.
There are several new insights that we derived from our study, we briefly explain the main ones below.
IP Address takeovers are not common
One of the insights from our study is that the type of resource is not the main consideration in a hijack, the selection of resources by attackers is financially motivated: attackers target dangling resources which can be easily and cost-effectively taken over. These requirements do not apply to IP addresses on cloud platforms. IP addresses are typically randomly allocated from a large pool, and hence are more expensive to re-activate in a targeted manner.
We found that the attackers target released resources that (1) are cheap and (2) can be directly determined by entering freetext, while avoiding resources that are expensive and require effort to obtain, such as the lottery-based IP assignment from a pool of IP addresses.
How adversaries abuse hijacked dangling records
We found that some actors collect a wide range of diverse domains in a coordinated effort. These are then homogeneously used for the same purpose of referring traffic or manipulating search rankings. The adversaries aim at maximising the number of domains recruited for a campaign. We did not find evidence of targeted takeovers of individual domains; e.g., for political reasons.
The main abuse (75%) of hijacked, dangling resources is to generate traffic to adversarial services. The attackers target domains with established reputation and exploit that reputation to increase the ranking of their malicious content by search engines and as a result to generate page impressions to the content they control. The content is mostly gambling and other adult content. We see a possible explanation in the population size (4th largest in the world) and strict illegality of gambling in Indonesia, leading to a prevalence of online gambling and a need to advertise it through illicit means.
Once they control the content, sources of income are either advertisements displayed directly on the websites hosted on the hijacked domains or referral (click-through) to another site, where they earn a small amount for each page impression, a higher amount for account registration and even more for money spent. Attackers use different techniques to generate traffic (mostly with Blackhat Search Engine Optimisation (SEO)) and increase the click-through rate to the target site that pays for the traffic.
The other categories of abuse included malware distribution, cookie theft and fraudulent certificates. Overall, we find that the hacking groups successfully attacked domains in 31% of the Fortune 500 companies and 25.4% of the Global 500 companies, some over long periods of time. Many of the victim organisations were abused more than once, with one even suffering abuse across more than 100 different subdomains.
We found that a large number of abused domain names are removed within 15 days. At the same time, more than ⅓ of the domains last longer than 65 days, some more than a year. This gives the adversaries time to monetise content by exploiting the reputation of the abused domains. We found that hijacks are performed on groups of domains concurrently. Analysing our dataset we saw an initial period of hijacks in 2020, followed by a period of relative inactivity in early 2021, and finally a ramping up of activity throughout late 2021, 2022 and 2023. The number of concurrently hijacked domains continuously increases during the period of our study, indicating a growing problem.
Recommendations for mitigations
We recommend that cloud platforms either do not allow user-created resource names to be publicly visible (e.g., through DNS records) and/or disallow the re-registration of recently released resource names. We also recommend purging stale DNS records. In addition, cloud platforms should keep track of released resources using our methodology and alert owners of registered domains about changes to the content or sitemap. Since we observe that attackers issue certificates for hijacked domains, we recommend that cloud providers also monitor CT logs for unusual patterns across domains hosted on their platforms to help detect potential large-scale abuse campaigns.
In our research, we focused on resources on cloud platforms, nevertheless our results can be used to identify abuse in other third-party services. For instance, while Content Management Systems (CMS) like Wordpress are not included in our dataset, we expect a large number of hijacks of [freetext].wordpress.com
subdomains, since Wordpress also implements freetext subdomain registration for its blogs.
This article is based on a research paper that was accepted for a publication at the 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI). “Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms”, Jens Frieß, Tobias Gattermayer, Nethanel Gelernter, Haya Schulmann and Michael Waidner
Comments 0