Large Takeover of Corporate Subdomains Occurred During Same Period as SolarWinds Hack
In March of 2020, researchers from the cybersecurity service Vulnerability.com published a blog post listing Microsoft subdomains that they had taken over as a way to prevent their takeover by malicious actors. The subdomains, over 670 in total, included various permutations of microsoft.com, skype.com, and windows.com.
In July, an independent researcher, Zach Edwards, compiled a separate list of compromised subdomains belonging to a wide variety of companies, from Pandora and Chevron to Mercedes Benz and various universities. He did so in response to a bounty offered by the videogame company Epic Games for evidence of subversive activity against the company.
Allowing an anonymous actor to control a company's subdomain opens up a wide variety of severe risks. They could impersonate the original domain in myriad ways, receive any privileged traffic meant for those sites, and mount cross-site scripting attacks from a trusted origin.
These compromised subdomains were discovered around the same time that the cybersecurity company FireEye estimates the SolarWinds software was compromised, namely around March of 2020. That would mean anything corrupted by the SolarWinds hack or other malicious software would have had a compromised subdomain of a trusted URL to communicate with.
In the case of SolarWinds, compromised server administration software was deployed to thousands of companies. The compromise was said to have given a user unlimited access to server resources and the potential to export sensitive information to an outside server, avsvmcloud.com. Microsoft has since announced that it has taken over the domain in question.
If subdomains of microsoft.com were compromised at the time, sensitive material could have been exported from systems compromised by the SolarWinds attack even where outbound traffic is heavily monitored or limited to trusted domains such as microsoft.com and skype.com.
How the Subdomain Takeover Works
In both situations, the subdomain takeovers appear to be the result of someone simply registering a name on a third-party hosting service after it had been abandoned by the company. In many of the examples the subdomains were hosted on Microsoft Azure, but they could equally live on other third-party hosting services such as WordPress, Amazon Web Services, GitHub, Heroku, and others.
The corporate subdomains (e.g. example.microsoft.com) pointed, via their DNS records, to names on the third-party hosting services (e.g. subdomain.azure.com or subdomain.wordpress.com). If the hosting-service name was no longer in use, anybody could register it, and the corporate subdomain would still be pointing to it.
The third-party actor would then control a subdomain with the URL of a major corporate entity.
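The defensive counterpart of the mechanism just described is a zone audit that finds CNAME records whose targets no longer resolve. The following is an added example, not code from the original article or from either research team: it parses a constructed BIND-style zone fragment (example.com is a reserved name), follows CNAME chains against a stand-in resolver table, and flags dangling records whose final target sits on one of the hosting suffixes named above (the suffix list is illustrative, not exhaustive).

```python
"""Find dangling CNAME records in a BIND-style zone export (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Hosting suffixes for the providers the article names. A dangling CNAME into one
# of these is the takeover pattern described: the orphaned name can be re-registered.
CLAIMABLE_SUFFIXES = (".azurewebsites.net.", ".wordpress.com.",
                      ".s3.amazonaws.com.", ".github.io.", ".herokuapp.com.")

# Constructed zone fragment; none of these names are real findings.
SAMPLE_ZONE = """\
docs.example.com.   3600 IN CNAME docs-prod.azurewebsites.net.
blog.example.com.   3600 IN CNAME oldblog.wordpress.com.
www.example.com.    3600 IN CNAME example.com.
alias.example.com.  3600 IN CNAME blog.example.com.
example.com.        3600 IN A     203.0.113.1
"""

# Constructed stand-in for a live resolver: name -> ("A", ips) or ("CNAME", target).
# A missing key means NXDOMAIN. oldblog.wordpress.com. is absent on purpose:
# the hosted site was deleted but the corporate CNAME was never cleaned up.
FAKE_DNS: Dict[str, Tuple[str, object]] = {
    "docs-prod.azurewebsites.net.": ("A", ["203.0.113.10"]),
    "example.com.": ("A", ["203.0.113.1"]),
    "blog.example.com.": ("CNAME", "oldblog.wordpress.com."),
}

def fake_resolve(name: str) -> Optional[Tuple[str, object]]:
    return FAKE_DNS.get(name)

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)", re.M)

def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line; TTL is optional."""
    return CNAME_RE.findall(zone_text)

def chain_end(target: str, resolve, max_hops: int = 8) -> Tuple[str, bool]:
    """Follow CNAME hops from target; return (final_name, resolved_ok).
    A loop or NXDOMAIN anywhere in the chain counts as unresolved."""
    seen, name = set(), target
    for _ in range(max_hops):
        if name in seen:
            return name, False
        seen.add(name)
        answer = resolve(name)
        if answer is None:
            return name, False
        rtype, data = answer
        if rtype != "CNAME":
            return name, True
        name = data
    return name, False

def find_dangling(zone_text: str, resolve=fake_resolve) -> List[dict]:
    """List CNAMEs whose chain ends in NXDOMAIN, noting claimable hosting targets."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        final, ok = chain_end(target, resolve)
        if not ok:
            findings.append({"owner": owner, "dangling_target": final,
                             "claimable_host": final.endswith(CLAIMABLE_SUFFIXES)})
    return findings
```

Swapping `fake_resolve` for a real lookup against the organisation's own zones turns this into a periodic check; records flagged `claimable_host` are the ones to delete or re-point first.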