
Deep Dive into Keytos: Unveiling the Expedient Discovery of 15,000 Vulnerable Azure Subdomains via Cryptographic Certificates


Vulnerability of Subdomain Takeover in Microsoft Azure Poses Significant Threat

The Issue

Researchers at Keytos have recently documented a widespread weakness affecting organizations that host services on Microsoft Azure: subdomain takeover. It allows attackers to impersonate an organization, launch attacks, and serve spam or phishing content from what appears to be a legitimate site. The opening arises when an Azure-hosted website or other resource is deleted but the organization's DNS record pointing at it (typically a CNAME to an Azure-assigned hostname such as one under azurewebsites.net) is left in place. Because Azure hands out unused resource names on a first-come, first-served basis, an attacker can create a new resource under the abandoned name, and the organization's own subdomain will then resolve to content the attacker controls. Such sites appear legitimate because they are served from the victim's genuine domain, so users can be tricked into handing over credentials with very little deception.

Alarming Statistics

Keytos' researchers report that, by mining certificate transparency logs for certificates issued to Azure-hosted names, they find approximately 15,000 vulnerable subdomains each month. Despite repeated attempts to notify more than 1,000 affected organizations, only about 2% have acted on the warnings. More concerning still, the affected domains include many high-profile organizations, among them members of the 85% of Fortune 500 companies that run on Microsoft Azure. Organizations need to treat this as urgent and take proactive steps to mitigate the threat.

The Implications

The consequences of subdomain takeover are severe and wide-ranging. First and foremost, the theft of login credentials poses a significant risk to users. Cybercriminals can use these stolen credentials for malicious purposes, including identity theft and financial fraud. Additionally, subdomain takeover allows for the dissemination of false information, potentially damaging an organization’s reputation and causing confusion among stakeholders. Furthermore, cybercriminals can distribute malware through these fraudulent sites, putting users’ devices and data at great risk.

The Responsibility of Organizations

It is essential for organizations to recognize the seriousness of subdomain takeover and take immediate action to address it. Keytos has developed an automated tool called EZMonitor, which identifies vulnerable subdomains by harvesting hostnames from certificate transparency logs and then checking whether the Azure-hosted target each hostname points to still exists. The tool identified over 30,000 vulnerable domains in its first month of operation, underlining the scale of the problem.

Recommended Measures

Organizations can take several proactive measures to protect themselves from subdomain takeover. Certificate transparency monitoring gives them an inventory of the hostnames certificates have been issued for, so forgotten subdomains and unexpected certificates can be spotted and acted on quickly. Removing dangling DNS entries, which usually result from deleting an Azure resource without deleting the record that points at it, is the step that actually closes the door: the DNS record should be removed before, or at the same time as, the resource it references. Organizations should also publish Certificate Authority Authorization (CAA) records to control which certificate authorities may issue certificates for their domains. CAA only constrains certificate issuance, however; it does not prevent the takeover itself, since an attacker who has claimed the resource behind a dangling CNAME can still serve content over plain HTTP.
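As an added example (not code from Keytos, EZMonitor, or Microsoft), the following Python script performs the two checks described in the EZMonitor section and the measures above: it flags subdomains whose CNAME points at an Azure-assigned hostname that no longer exists, and it reports zone apexes that publish no CAA record. The hostnames, zone contents, and list of Azure suffixes are constructed for the demonstration; the resolver is pluggable so the same logic can be pointed at live DNS.

```python
"""Audit DNS records for dangling CNAMEs to Azure services and for missing CAA.

Added example, not code from Keytos or Microsoft. Hostnames, zone data and the
list of Azure suffixes are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Azure-assigned hostname suffixes that a customer CNAME commonly points at.
# Assumption: illustrative, not exhaustive.
AZURE_SUFFIXES = (
    ".azurewebsites.net",      # App Service / Functions
    ".cloudapp.azure.com",     # public IPs on VMs / load balancers
    ".cloudapp.net",           # classic cloud services
    ".blob.core.windows.net",  # Storage static websites / blobs
    ".trafficmanager.net",
    ".azureedge.net",          # CDN
    ".azurefd.net",            # Front Door
    ".azure-api.net",          # API Management
)

# A resolver takes (name, record type) and returns the record data as strings,
# an empty list when the name exists but has no such record (NODATA), or None
# when the name does not exist at all (NXDOMAIN). NXDOMAIN on an Azure target
# is the takeover signal: the resource was deleted and its name is unclaimed.
Resolver = Callable[[str, str], Optional[List[str]]]


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def is_azure_target(target: str) -> bool:
    t = normalize(target)
    return any(t.endswith(suffix) for suffix in AZURE_SUFFIXES)


@dataclass
class Finding:
    host: str
    target: str
    reason: str


def find_dangling(hosts: List[str], resolve: Resolver) -> List[Finding]:
    """One Finding per host whose CNAME points to an Azure name that no longer exists."""
    findings = []
    for host in hosts:
        cnames = resolve(host, "CNAME")
        if not cnames:
            continue  # no CNAME (A record, or the host itself is gone): out of scope here
        target = cnames[0]
        if not is_azure_target(target):
            continue  # other providers have their own reclaim rules; not covered here
        if resolve(target, "A") is None:
            findings.append(Finding(host, normalize(target),
                                    "CNAME points to an Azure hostname that returns NXDOMAIN"))
    return findings


def missing_caa(apex: str, resolve: Resolver) -> bool:
    """True when the zone apex publishes no CAA record, so any public CA may issue."""
    return not resolve(apex, "CAA")


def dict_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Build an offline resolver from a {(name, rtype): [rdata]} table."""
    names = {normalize(n) for (n, _) in zone}

    def resolve(name: str, rtype: str) -> Optional[List[str]]:
        n = normalize(name)
        if n not in names:
            return None                    # NXDOMAIN
        return zone.get((n, rtype), [])    # records, or NODATA
    return resolve


# Constructed zone data (not real DNS).
FAKE_ZONE = {
    ("example.com", "A"): ["203.0.113.10"],                          # no CAA at apex
    ("www.example.com", "CNAME"): ["example-prod.azurewebsites.net"],
    ("example-prod.azurewebsites.net", "A"): ["203.0.113.20"],       # still exists
    ("old-portal.example.com", "CNAME"): ["oldportal-2019.azurewebsites.net"],
    # oldportal-2019.azurewebsites.net is absent: the App Service was deleted
    ("blog.example.com", "CNAME"): ["example.ghost.io"],             # non-Azure target
    ("example.org", "A"): ["203.0.113.30"],
    ("example.org", "CAA"): ['0 issue "letsencrypt.org"'],
}
HOSTS = ["www.example.com", "old-portal.example.com", "blog.example.com", "nothere.example.com"]


def run_audit(zone=FAKE_ZONE, hosts=HOSTS):
    resolve = dict_resolver(zone)
    return (find_dangling(hosts, resolve),
            missing_caa("example.com", resolve),
            missing_caa("example.org", resolve))


if __name__ == "__main__":
    dangling, caa_com, caa_org = run_audit()
    for f in dangling:
        print(f"[DANGLING] {f.host} -> {f.target}: {f.reason}")
    print("example.com missing CAA:", caa_com)
    print("example.org missing CAA:", caa_org)
```

To run this against real DNS, replace dict_resolver with a function that performs the lookups (for example with dnspython's dns.resolver.resolve, returning None on dns.resolver.NXDOMAIN and an empty list on dns.resolver.NoAnswer). The host list can come from your own zone exports or, as Keytos does, from certificate transparency logs for your domains.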

Editorial: Urgent Action Needed to Safeguard Domains and Users

The vulnerability of subdomain takeover in Microsoft Azure is a critical issue that demands immediate attention. The fact that major organizations, including Fortune 500 companies, are not taking this threat seriously is deeply concerning. Ignoring warnings or only addressing the surface issue without tackling the underlying vulnerability puts domains and users at great risk. The potential consequences, such as credential theft and the dissemination of false information, have far-reaching impacts.

Microsoft’s attempts to address the issue with solutions like Defender for App Service Dangling DNS detection have fallen short, leaving many organizations vulnerable. It is time for Microsoft and other hosting services to prioritize the security of their platforms and develop more effective solutions to mitigate subdomain takeover.

Users must also play a role in encouraging their organizations to take the threat seriously. By raising awareness of the risks associated with subdomain takeover and advocating for proactive security measures, individuals can contribute to protecting their own data and that of the organizations they are associated with.

Advice: Protecting Your Organization and Yourself

If you are a site owner or part of an organization utilizing Microsoft Azure or any other hosting service, it is crucial to take immediate action to protect against subdomain takeover.

Firstly, monitor certificate transparency logs for your domains to keep an inventory of live subdomains and to spot certificates you did not request. Regularly audit your DNS zones to confirm that every CNAME still points at a resource you control, and when decommissioning an Azure resource, delete the DNS record that references it first.

Furthermore, publish Certificate Authority Authorization (CAA) records to control the issuance of certificates for your domains. By specifying which certificate authorities may issue for your organization, you reduce the risk of unauthorized certificates being obtained for your subdomains. Bear in mind that CAA governs certificate issuance only: it does not stop an attacker from claiming the resource behind a dangling CNAME, so it complements rather than replaces removing dangling DNS entries.

Finally, stay informed about the latest security measures and updates provided by your hosting service. Regularly update and patch your systems and communicate the importance of cybersecurity to your organization’s stakeholders.

The vulnerability of subdomain takeover is a clear reminder of the ongoing threat landscape that organizations and users face in the digital age. It is crucial to prioritize and invest in robust cybersecurity measures to safeguard against such risks.
