
Alyssa Snow
Teradata, Application Security
Alyssa Snow works in Application Security at Teradata. She has experience in hosting and planning events/workshops for her local Computer Science Student community. She is passionate about making an impact through technology and the development of secure software.
Back from the Dead: Harvesting Domain Names for Profit
The cloud is no longer seen as the next fad in a sea of technological innovation. The ability to deliver rapid results at a global scale is leading organizations to migrate their tech stacks to this shared tenancy model. While the advantages of cloud-based computing are undeniable, the architecture introduces vulnerabilities that may not have been present in a traditional data center. This talk will specifically focus on the pitfalls of mismanaged DNS in a shared infrastructure environment.
The term subdomain takeover is not a new one. Many bug hunters have earned substantial bounties by detecting and reporting on these vulnerabilities. The most commonly known exploitation method attempts to identify valid subdomains by launching brute force attacks at targeted organizations. The uncovered DNS entries are then passed to web scrapers that look for unclaimed content on third-party hosting sites. Until now, this method of exploitation has been a noisy, resource-intensive process that draws attention to the attacker.
This talk will outline a new method of subdomain takeover that occurs lower down on the network stack. Leveraging the constraint of a shared IP pool in cloud environments, we will explore a capability that allows stale DNS entries to be harvested opportunistically. The attack strategy, impact of exploitation and mitigation techniques will be discussed in detail.