H3-2021-0002

Subdomain Takeover

Description

The DNS record for a subdomain has a CNAME record that points to another subdomain that is no longer provisioned or in use. An attacker can exploit this by discovering this "dangling" subdomain and then provisioning a new resource with the same Fully Qualified Domain Name (FQDN). By doing this, the attacker can take control of the subdomain and use it for malicious purposes.

Impact

By exploiting this misconfiguration, an attacker can gain control over the affected subdomain, allowing them to execute phishing campaigns, steal user cookies and credentials, or host malicious content that appears to be from your legitimate domain, potentially causing trust and reputational damage to your organization.

References

• Subdomain Takeovers: Thoughts on Risk
• Prevent Dangling DNS Entries and Avoid Subdomain Takeover
• MITRE ATT&CK Technique: T1584.001: Compromise Infrastructure: Domains