[New research] Subdomain takeovers are on the rise and are getting harder to monitor


Detectify research shows that subdomain takeovers are on the rise: it detected 25% more vulnerabilities in its customers’ assets in 2021 than in 2020.

BOSTON/STOCKHOLM, March 22, 2022. New research from Detectify, the SaaS security company powered by ethical hackers, found that subdomain takeovers are on the rise and are also getting harder to monitor, as domains now appear to carry more vulnerabilities. In 2021, Detectify detected 25% more vulnerabilities in its customers’ web assets than in 2020, with twice the median number of vulnerabilities per domain, demonstrating the outsized impact an External Attack Surface Monitoring (EASM) tool can have on an organization’s cybersecurity programme.

Modern infrastructure is controlled by DNS, with pointers to both internal and third-party services. As a result, organizations are simultaneously expanding their attack surface and inviting potential cyber threats. Unknown subdomains are a particular challenge, as they are not always closely monitored. When the service a subdomain points to expires or is forgotten, the subdomain becomes a potential foothold or entry point for attackers to steal sensitive company information or launch phishing campaigns.

Over the past year, we have zeroed in on a recent trend: as attack surfaces grow, so do subdomain takeovers. Domain takeovers grew 20% faster with the increase in attack surfaces. Across the apex domains and subdomains scanned, our research found that vulnerabilities increased by as much as 25% from 2020 to 2021.

Key Findings

Subdomain takeovers and vulnerabilities per domain on the rise

Detectify has been monitoring subdomain takeovers among our customers year-over-year to detect patterns and ensure we are providing the proper mitigation support. Over the past year, a 20% increase was seen in domain takeovers. Across the assets scanned, which include apex domains and subdomains, 25% more vulnerabilities were seen in 2021 than in 2020. In addition, the median number of vulnerabilities per domain has increased 100% since 2020. The research shows that not only are more domains vulnerable to subdomain takeovers, but above all, apex domains typically contain more vulnerable subdomains now than in the past.

Background: What are subdomains and why are they important? 

Subdomains are an additional part of a larger domain under the Domain Name System (DNS) structure. For instance, blog.acme.com and helpdesk.acme.com are subdomains of the apex domain acme.com. A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. This can happen when the subdomain has a canonical name (CNAME) record in DNS but no host is providing content for the name it points to, either because the virtual host has not been published yet or because it has been removed.
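The dangling-CNAME condition described above is something a defender can check for in their own zone inventory. The following is an added example, not Detectify's code or tooling: it walks every CNAME in a constructed zone export for the hypothetical domain acme.example, follows the chain through a stand-in resolver, and flags subdomains whose chain ends in NXDOMAIN (nothing serves the target any more) or never terminates.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed DNS records for the hypothetical zone acme.example (not real assets).
ZONE: Dict[str, Tuple[str, str]] = {
    "www.acme.example": ("A", "192.0.2.10"),
    "blog.acme.example": ("CNAME", "acme-blog.hosting.example"),
    "helpdesk.acme.example": ("CNAME", "old-tenant.helpdesk-saas.example"),
    "shop.acme.example": ("CNAME", "cdn.acme.example"),
    "cdn.acme.example": ("CNAME", "edge.cdn-provider.example"),
    "loop-a.acme.example": ("CNAME", "loop-b.acme.example"),
    "loop-b.acme.example": ("CNAME", "loop-a.acme.example"),
}

# Constructed answers a public resolver would return for third-party names.
# A name missing from both tables stands for NXDOMAIN.
EXTERNAL: Dict[str, Tuple[str, str]] = {
    "acme-blog.hosting.example": ("A", "198.51.100.7"),
    "edge.cdn-provider.example": ("A", "203.0.113.20"),
}

Resolver = Callable[[str], Optional[Tuple[str, str]]]

def fake_resolve(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in for a DNS lookup: returns (rtype, value) or None for NXDOMAIN."""
    name = name.rstrip(".").lower()
    return ZONE.get(name) or EXTERNAL.get(name)

def find_dangling_cnames(zone: Dict[str, Tuple[str, str]], resolve: Resolver,
                         max_hops: int = 8) -> Dict[str, Tuple[str, str]]:
    """Return {subdomain: (last CNAME target, reason)} for every CNAME whose
    chain ends in NXDOMAIN (the takeover precondition) or never terminates."""
    findings: Dict[str, Tuple[str, str]] = {}
    for name, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        seen = set()
        hop = target
        for _ in range(max_hops):
            if hop in seen:
                findings[name] = (hop, "CNAME loop")
                break
            seen.add(hop)
            answer = resolve(hop)
            if answer is None:
                findings[name] = (hop, "NXDOMAIN")   # nothing serves this target
                break
            if answer[0] != "CNAME":
                break                                # chain ends at a live host
            hop = answer[1]
        else:
            findings[name] = (hop, "chain too long")
    return findings
```

NXDOMAIN on the CNAME target is only the clearest signal; for providers where the target name still resolves but the tenant behind it has been deleted, the check has to be extended with a provider-specific response fingerprint.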

A subdomain takeover can also be achieved through DNS hijacking, where the attacker compromises the target’s name server records. Attackers can exploit DNS misconfigurations to hijack subdomains that the target website considers trusted. While this method is less common, its severity is typically much higher.

Subdomain takeover was pioneered by ethical hacker Frans Rosén and popularized by Detectify in a blog post back in 2014; however, it remains an overlooked and widespread vulnerability.

Mitigation

While it remains an underestimated and widespread vulnerability, the rise of cloud solutions has certainly escalated the increase in subdomain takeovers. Attackers continue to up their game and use more sophisticated methods to infiltrate a company, and without a proper monitoring system it is harder to keep track of them. The only way is to keep an inventory of all subdomains created and deploy an external attack surface management tool to continuously scan and monitor them for potential bugs. Rickard Carlsson, Co-founder & CEO of Detectify, further explained:

“With attack surfaces growing and the DNS becoming the heart of the infrastructure, we will likely see Subdomain Takeover vulnerabilities increasing. Subdomain takeover attacks have gotten way more complex since the concept was first introduced by security researchers back in 2014. Our data suggests they’re harder to keep control of as they have started appearing in more advanced software services.”

Detectify’s role 

It’s no secret that keeping track of your subdomains and new public vulnerabilities is a herculean task. Attackers have eyes all over the web and always look where others aren’t looking. Detectify Surface Monitoring leverages the Crowdsource community of over 400 handpicked ethical hackers, monitors your subdomain inventory, and dispatches alerts as soon as an asset is vulnerable to a potential takeover. The tool constantly monitors targets for changes and continuously scans every subdomain.

EASM tools can help prioritize this task by notifying you of the presence of actually exploitable vulnerabilities. They identify subdomains that have been misconfigured or created without authorization, so you can find and fix them before a subdomain takeover happens.

Varsha Saraogi
Communications & PR
+46737160451
varsha.saraogi@detectify.com

About Detectify

Detectify continuously scans your web-facing attack surface for security vulnerabilities and alerts you about them so you can stay on top of threats in the cloud. We believe that world-class cybersecurity knowledge should be accessible to everyone. Powered by a community of handpicked ethical hackers, Detectify automates real attack methods and brings them into the hands of security teams and developers. Get complete coverage of your external attack surface with fewer clicks with Detectify. Go hack yourself. Visit us at detectify.com to learn more.