January 13, 2016, William MacArthur
Domain Shadowing, a technique in which attackers steal domain account credentials from their owners in order to create subdomains that point at malicious servers, has been one of the most common components of attacker infrastructure over the last year, and it has been gaining momentum since 2010.
In this article, we’ll go over the evolution of Domain Name System (DNS) abuse and shine a light on the Domain Shadowing problem. While this topic has been covered by other researchers, much of their information has only touched on specific campaigns or techniques. However, RiskIQ believes that this persistent problem needs to be solved, and without community efforts, it will continue to be an issue. In the coming weeks, we’ll do technical deep dives into Domain Shadowing campaigns and analyze specific indicators that have been observed by RiskIQ.
To understand what Domain Shadowing is, we must go back in time a few years and find out why attackers abuse DNS services.
Initially, many attackers hard-coded the IP addresses of their command-and-control servers, as well as those of the initial delivery mechanism. As this technique became common, many savvy sysadmins and security professionals started to block these IPs. It was very obvious what the IPs were used for, and because they were hard-coded, once they were blocked, attackers would often lose the ability to manage the compromised hosts. Attackers (and everyone else) started to use DNS to give their infrastructure a degree of resiliency, so that hosts could continue to communicate after an IP address changed. This caused a noticeable increase in the effectiveness of their campaigns as well as in how long those campaigns remained effective.
Around this time, firewalls were the primary security device used to stop attacks, and most of the firewalls available only operated on IP addresses. Attackers soon realized that the quicker they could change IP addresses, the more likely they were to have a successful campaign; at this time, web filtering (layer 7 inspection) was the exception, not the rule. This climate of rapidly changing IP addresses created a perfect storm that attackers exploited to get around the blocks and blacklists common at the time. As attackers changed DNS records hundreds or thousands of times per hour, the Fast Flux problem was born.
By and by, more scrutiny was placed on these new attack components, and defenders had to find new techniques to combat the threat. Web-filtering and security companies started to find common elements they could key off of to identify additional infrastructure: when a domain was registered, who registered it, and the contact information associated with it could all be used to determine the domain's relative risk. The community came together and took action against hosting providers and registrars that were complicit in this activity. Suspect domains, nameservers, and even hosting providers were identified, and appropriate actions were taken against the offending services. As the community became more effective at identifying and acting on these threats, the internet seemed to breathe a sigh of relief.
Domain Shadowing can be summed up as compromising existing domains and using their DNS as a piece of attack infrastructure. Registrars often provide free DNS hosting for domains registered through them, and attackers use that DNS service to point newly created subdomains at malicious hosts located elsewhere. They do this by hijacking access to the domain management account and injecting rogue A records for those subdomains alongside the domain holder's own legitimate resolution records. Because the parent domain carries a good reputation and a long registration history, the malicious records are easily slipped past filtering.
This loophole undermines the reputation-based blocking that many security products rely on. Once the trust placed in an established domain can no longer be relied upon, it becomes nearly impossible to establish reputation from domain history or previous content.
While the term “Domain Shadowing” may be new (it was coined in 2015), we have been observing this activity for several years. Other researchers have been observing this activity in live attack campaigns as far back as 2010 and our direct observations go back nearly as far.
Not much is known about the exact initial attack vector by which attackers gain access to domain holder accounts, but it’s obvious that the attackers have specific tools and automation in place that help them continually change records. These malicious record sets are created and managed within brief periods of time, with requests originating from disparate sources believed to be proxies. These attackers also leverage other infrastructure that masks the access origin and adds source diversity, which can make it more difficult for the malicious activity to be blocked at the registrar level.
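Two of the traits described above can be checked against passive DNS observations without any domain reputation at all: rogue A records for subdomains that resolve outside the hosting the owner's own apex and www records use, and record sets that appear in bursts and live only briefly. The following Python script is an added example written for this article; it is not RiskIQ code and not part of PassiveTotal. Its observations are constructed, use RFC 5737 documentation addresses, and the `apex_of` helper is a deliberate simplification that ignores the Public Suffix List (it would misjudge names like example.co.uk).

```python
"""Flag subdomains that look shadowed in passive-DNS style observations.

Added example for the Domain Shadowing write-up; not RiskIQ's tooling.
Heuristic: a subdomain is suspicious when it resolves outside the networks
the owner's apex/www records use AND it is either short-lived or part of a
burst of new names created within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set


class Observation(NamedTuple):
    """One observed A record with the window in which it was seen."""
    name: str            # fully qualified hostname, no trailing dot
    ip: str              # resolved IPv4/IPv6 address
    first_seen: datetime
    last_seen: datetime


def apex_of(name: str) -> str:
    """Hypothetical simplification: treat the last two labels as the
    registrable domain. Production code should use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def baseline_networks(records: List[Observation], apex: str, prefix: int = 24) -> Set:
    """Networks the owner demonstrably uses: the /prefix blocks around the
    apex and www records, which the real operator had to configure."""
    nets = set()
    for r in records:
        if r.name in (apex, "www." + apex):
            nets.add(ip_network(f"{r.ip}/{prefix}", strict=False))
    return nets


def find_shadowed(observations: List[Observation],
                  max_lifetime: timedelta = timedelta(hours=48),
                  burst_window: timedelta = timedelta(hours=1),
                  burst_min: int = 3,
                  prefix: int = 24) -> Dict[str, List[str]]:
    """Return {hostname: [reasons]} for subdomains that match the heuristic."""
    by_apex: Dict[str, List[Observation]] = defaultdict(list)
    for o in observations:
        by_apex[apex_of(o.name)].append(o)

    flagged: Dict[str, List[str]] = {}
    for apex, records in by_apex.items():
        nets = baseline_networks(records, apex, prefix)
        if not nets:
            continue  # no owner baseline to compare against; cannot judge
        subs = [r for r in records if r.name not in (apex, "www." + apex)]
        for r in subs:
            if any(ip_address(r.ip) in n for n in nets):
                continue  # inside the owner's own hosting; not shadow-like
            reasons = []
            if r.last_seen - r.first_seen <= max_lifetime:
                reasons.append("short-lived record")
            # Count sibling subdomains that first appeared within the window
            # (includes this record itself).
            siblings = sum(1 for s in subs
                           if abs(s.first_seen - r.first_seen) <= burst_window)
            if siblings >= burst_min:
                reasons.append(f"burst of {siblings} new names")
            if reasons:
                flagged[r.name] = ["outside owner networks"] + reasons
    return flagged


# Constructed sample data (RFC 5737 addresses); not real observations.
_ts = datetime
SAMPLE = [
    Observation("example.com",        "192.0.2.10",    _ts(2015, 6, 1), _ts(2016, 1, 10)),
    Observation("www.example.com",    "192.0.2.10",    _ts(2015, 6, 1), _ts(2016, 1, 10)),
    Observation("mail.example.com",   "192.0.2.25",    _ts(2015, 6, 1), _ts(2016, 1, 10)),
    # Long-lived record outside the owner's block, e.g. a CDN: not flagged.
    Observation("cdn.example.com",    "203.0.113.5",   _ts(2014, 3, 1), _ts(2016, 1, 10)),
    # Three names appear within minutes, live hours, point at foreign hosts.
    Observation("abc123.example.com", "198.51.100.7",  _ts(2016, 1, 5, 9, 12), _ts(2016, 1, 5, 21, 40)),
    Observation("xk7q.example.com",   "198.51.100.7",  _ts(2016, 1, 5, 9, 14), _ts(2016, 1, 6, 3, 0)),
    Observation("zz9p.example.com",   "203.0.113.88",  _ts(2016, 1, 5, 9, 15), _ts(2016, 1, 5, 18, 0)),
    # Apex with no baseline records at all: skipped rather than guessed.
    Observation("login.other-victim.net", "198.51.100.9", _ts(2016, 1, 5, 9, 13), _ts(2016, 1, 5, 12, 0)),
]


if __name__ == "__main__":
    for host, why in sorted(find_shadowed(SAMPLE).items()):
        print(f"{host}: {', '.join(why)}")
```

The baseline deliberately comes only from the apex and www records, because those are the ones the legitimate holder must have configured; everything else under the domain is judged relative to them. A long-lived record outside that space (the `cdn` entry) is left alone, since owners do host content elsewhere, and an apex with no baseline is skipped rather than guessed at. Tune `prefix`, `max_lifetime` and `burst_min` to the data volume you actually have.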
It is also important to bring up a point that has surfaced in the comments on past articles: affected registrars and DNS providers do not seem to recognize the complete scope and impact of this problem, and do not know how to respond to it properly. Their response has mostly been to play "whack-a-mole" and deal with accounts as they are reported. No signs point to a proactive or organized effort to stop Domain Shadowing by addressing the underlying cause, large-scale domain account hijacking.
This oversight raises a few important questions on the topic.
Answers to these questions are not clear at this time, and relatively few people are talking about the large-scale ramifications of Domain Shadowing.