Domain Shadowing, a technique in which attackers steal domain account credentials from their owners for the purpose of creating subdomains directed at malicious servers, has been one of the most common components of attacker infrastructure over the last year—and gaining momentum since 2010.
In this article, we’ll go over the evolution of Domain Name System (DNS) abuse and shine a light on the Domain Shadowing problem. While this topic has been covered by other researchers, much of their information has only touched on specific campaigns or techniques. However, RiskIQ believes that this persistent problem needs to be solved, and without community efforts, it will continue to be an issue. In the coming weeks, we’ll do technical deep dives into Domain Shadowing campaigns and analyze specific indicators that have been observed by RiskIQ.
A brief history of DNS being used for attacker infrastructure
To understand what Domain Shadowing is, we must go back in time a few years and find out why attackers abuse DNS services.
Initially, many attackers hard coded IP addresses as command and control servers in addition to the initial delivery mechanism. As this technique became common, many savvy sysadmins and security professionals started to block these IPs. It was very obvious what the IPs were used for, and because they were hardcoded, once they were blocked, attackers would often lose the ability to manage the compromised hosts. Attackers (and everyone else started to use DNS to ensure there was a degree of resiliency to their infrastructure and that the hosts could continue to communicate after an IP address changed. This caused a noticeable increase in the effectiveness as well as the effective length of their campaigns.
Around this time, firewalls were the primary security device used to stop attacks, and most of the firewalls available only operated on IP addresses. Attackers soon realized that the quicker they could change IP addresses, the more likely they were to have a successful campaign at this time, web filtering, or layer 7 inspection, was the exception, not the rule. This climate of rapidly changing IP addresses nurtured a perfect storm attackers exploited to get around the blocks and blacklists that were common at the time. As attackers changed the DNS records hundreds or thousands of times per hour, the Fast Flux problem was born.
By and by, more scrutiny was placed on these new attack components and folks had to find new techniques to combat the cyber threat. Web-filtering and security companies started to find common elements they could key off of to identify additional infrastructure—things such as when the domain was registered, who registered it, and contact information associated with it could be used to determine the domain’s relative risk. The community came together and took action against hosting providers and registrars that were complicit in this activity. Suspect domains, nameservers, and even hosting providers were identified, and appropriate actions were taken against the offending services. As the community became more effective at identifying and acting on these cyber threats, the internet seemed to breathe a sigh of relief.
So what exactly is Domain Shadowing?
Domain Shadowing can be summed up as compromising existing domains and using their DNS as a piece of attack infrastructure. Often, registrars provide free DNS to domains that are registered through them, and attackers use this DNS, hosted elsewhere, to point to their malicious hosts. Attackers do this by hijacking access to the domain management system and injecting rogue A records alongside the domain holder’s own legitimate resolution records. Using the domains’ good reputation and existing registration history, attackers can easily sneak these malicious DNS records in to get around filtering.
This loophole undermines the effectiveness that many security products use to block these attacks. By destroying the trust of existing domains, it becomes a nearly impossible task to establish reputation based on domain history or previous content.
While the term “Domain Shadowing” may be new (it was coined in 2015), we have been observing this activity for several years. Other researchers have been observing this activity in live attack campaigns as far back as 2010 and our direct observations go back nearly as far.
How is this happening?
Not much is known about the exact initial attack vector by which attackers gain access to domain holder accounts, but it’s obvious that the attackers have specific tools and automation in place that help them continually change records. These malicious record sets are created and managed within brief periods of time, with requests originating from disparate sources believed to be proxies. These attackers also leverage other infrastructure that masks the access origin and adds source diversity, which can make it more difficult for the malicious activity to be blocked at the registrar level.
It is also important to bring up a known fact found in the comments in past articles—affected registrars and DNS providers don’t seem to recognize the complete scope and impact of this problem, and don’t know how to respond to it properly. Their response has mostly been to play the "whack-a-mole" game and deal with accounts as they are reported. No signs point to a proactive or organized effort to stop the Domain Shadowing by addressing the underlying cause of large-scale domain hijacking.
This oversight begs a few important questions on the topic.
- How do criminal actors gain access to such a large set of victim domain accounts explicitly and exclusively abused for the purpose of DNS record injection?
- Have some large registrars or DNS providers been compromised?
- Have the accounts been targeted with info-stealing trojans and sold on the underground?
- Who is sourcing these accounts into the market, and are they a source of the account data?
- Are they currently subjects of research or law enforcement interest?
- Is their illicit activity even sufficiently understood relative to many other popular criminal enterprises such as botnet operators, malware distribution, etc.?
Answers to these questions are not clear at this time, and relatively few people are talking about the large-scale ramifications of Domain Shadowing.