Threat Watch

Domain Shadowing Becoming More Popular Among Cybercriminals

Researchers at Unit 42, Palo Alto’s threat intelligence team, have found threat actors increasingly using a technique known as domain shadowing to facilitate the hosting of malicious web pages. Between April and June of this year, around 12,197 cases of domain shadowing were discovered, detailing a marked uptick in this technique being used.

Domain shadowing is a type of DNS hijacking that occurs when threat actors compromise the DNS of a legitimate domain and make their own subdomains to use for malicious activity. The threat actors do not modify the legitimate DNS entries that already exist, however, instead opting to utilize the domain in such a way that won’t alert the owners to the compromise. Threat actors use these malicious subdomains to host C2 addresses, phishing sites, and malware-dropping sites. Since the root domain of these requests are legitimate sources, this allows threat actors to bypass security checks by abusing the good reputation of the hijacked domain. Likewise, since the domain is otherwise reputable, users are more likely to access or submit data to one of these hijacked domains, as the URL appears trustworthy.

Domain shadowing can be difficult to detect without the ability to analyze DNS logs across a large number of organizations, making this tactic alluring for threat actors.

ANALYST NOTES

While detecting domain shadowing can be difficult, there are steps that organizations can take to help prevent their domain from being hijacked. For DNS administrators, it is highly recommended to regularly check the state of DNS records for an organization and verify that no unknown or malicious subdomains have been created. If a DNS service provider is used that allows for notification alerts for newly created subdomain records, it is recommended to enable those alerts and have them checked regularly. This can help alert administrators to a potential DNS compromise early, allowing the organization to take down the malicious records and rotate credentials. This not only helps prevent unsuspecting victims from also being compromised by the threat actors but can help save the reputation of the organization’s domain as well. As more malicious activity is performed within a domain, the more likely it is for security tools to start marking that domain as malicious, potentially preventing normal users from accessing the organization’s legitimate website. For end users, it is also recommended to be wary of any webpage or URL being accessed, regardless of if the root domain is a trusted one or not. This is particularly true in the case of credential harvesting pages; if, for example, a Microsoft O365 login page is presented when visiting a non-Microsoft webpage, that page should be considered suspicious, and credentials should not be provided to it. While the domain is legitimate and reputable in this case, the content being hosted on it is abnormal and should be scrutinized further.

https://www.bleepingcomputer.com/news/security/domain-shadowing-becoming-more-popular-among-cybercriminals/