An Azure subdomain takeover incident
A security incident was flagged this week. As it turned out, nothing was compromised, but it served as a valuable warning of how vulnerable an organisation using Microsoft Azure (or perhaps AWS) can be to a subdomain takeover that could be used in a more sophisticated attack.
The incident involved a subdomain that was originally mapped to a staging Web site hosted on Azure.
The Web site was removed some time ago, but the DNS mapping between the subdomain and the site's public 'azurewebsites.net' address wasn't. This allowed a third party to create their own Azure resource with the same public address, thereby taking over the URL that was still mapped to it. Thankfully, in this case, the third party's resource merely hosted one of those crappy gambling sites, and, surprisingly, its source contained no references to exploits or malware droppers. I can’t begin to guess why the person behind it wanted to use our rather obscure subdomain (of the type normally associated with malware servers) instead of a better-looking URL assigned by Azure.
The issue could have been more serious, though, because this kind of subdomain takeover would have been perfect for a 'spear phishing' attempt against employees who aren’t familiar with our infrastructure. From the users' perspective, nothing would appear suspicious if the site was crafted well enough. The URL would have been authoritative, and, given the site would be hosted on Azure, I'd imagine the browser wouldn't have flagged the TLS certificate.
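As an added example (not part of the original post), here is the kind of audit an administrator could run over a DNS zone export to catch the state described above: CNAMEs pointing at 'azurewebsites.net' whose target no longer resolves (claimable by anyone), or resolves but is not in the organisation's own App Service inventory (possibly already claimed, as in this incident). The hostnames, the zone records and the inventory are constructed for the example, and the resolver is injectable so the check can run offline.

```python
import socket
from typing import Callable, Dict, List, Set

# Azure App Service public hostname suffix; the mapping left behind in the
# incident pointed at such an address.
AZURE_SUFFIXES = ("azurewebsites.net",)

# Constructed sample data: a zone export (subdomain -> CNAME target) and the
# App Service hostnames the organisation still owns according to its inventory.
SAMPLE_RECORDS = {
    "staging.example.com": "example-staging.azurewebsites.net.",
    "www.example.com": "example-prod.azurewebsites.net",
    "docs.example.com": "example.github.io",
}
SAMPLE_OWNED = {"example-prod.azurewebsites.net"}


def resolves(hostname: str) -> bool:
    """Live resolver: True if the name currently resolves to an address."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def is_azure_target(target: str) -> bool:
    """Match the suffix on a label boundary so 'notazurewebsites.net' is not flagged."""
    return any(target == s or target.endswith("." + s) for s in AZURE_SUFFIXES)


def audit_azure_cnames(records: Dict[str, str], owned: Set[str],
                       resolve: Callable[[str], bool] = resolves) -> List[Dict[str, str]]:
    """Report CNAMEs to Azure names that are dangling or not in our inventory."""
    findings = []
    for subdomain, target in records.items():
        target = target.rstrip(".").lower()
        if not is_azure_target(target):
            continue
        if not resolve(target):
            # NXDOMAIN: the Azure name is free for a third party to register.
            findings.append({"subdomain": subdomain, "target": target, "issue": "dangling"})
        elif target not in owned:
            # Resolves, but we do not own it: someone else may already hold it.
            findings.append({"subdomain": subdomain, "target": target, "issue": "not-owned"})
    return findings


if __name__ == "__main__":
    for f in audit_azure_cnames(SAMPLE_RECORDS, SAMPLE_OWNED):
        print(f"{f['subdomain']} -> {f['target']}: {f['issue']}")
```

Records whose target resolves and is in the inventory are silently accepted; anything else is the residue an administrator should delete from the zone or re-claim.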
Someone must have been scanning for non-routing domains. How many people out there are actively doing that? Are they manually going through a list of high-profile domains, or is there some automated scanner I'm unaware of?