Exclusive More than 240 website subdomains belonging to organizations large and small, including household names, were hijacked to redirect netizens to malware, X-rated material, online gambling, and other unexpected content.
These big names are said to include Chevron, the Red Cross, UNESCO, 3M, Getty Images, Hawaiian Airlines, Arm, Warner Brothers, Honeywell, Autodesk, Toshiba, Xerox, the NHS, Siemens, Volvo, Clear Channel, Total, and more.
And it's all due to the way they were hosted in Microsoft's Azure cloud.
Take Xerox for example. One of its subdomains, advanced.core.freeflow.xerox.com, was commandeered to host pages linking to websites advertising escorts, kitchenware, oil paintings, and more, in the hope that the reputation of xerox.com would boost the linked-to sites in web search engine rankings.
At one point advanced.core.freeflow.xerox.com was hosted in the Microsoft cloud on a server named something along the lines of webserver9000.azurewebsites.net, chosen by Xerox's IT admins. When whatever was living at advanced.core.freeflow.xerox.com was no longer needed, Xerox would have spun down webserver9000.azurewebsites.net, releasing it for others to use. Crucially, advanced.core.freeflow.xerox.com still pointed to webserver9000.azurewebsites.net, so when someone else came along and spun up a virtual server using that hostname, they could control the content of advanced.core.freeflow.xerox.com.
It's not quite true to say these organizations have been hacked; it's more like they rented a corner of the internet, stuck their logo and name on it, and then when they no longer needed that space, they emptied it out but left the door unlocked for others to sneak in and run a casino or a porno store at the same address under the same brand.
Download this update from mybrowser. microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. OopsREAD MORE
It's an oversight that has plagued Azure-hosted sites for as long as we can remember, and we've written about it previously. Even Microsoft accidentally allowed some of its own long-forgotten subdomains to slip into the hands of spammers. This latest subdomain joyride spree is doubly embarrassing for Xerox, we note, because the Maze ransomware crew also claims to have infiltrated the tech giant's network and exfiltrated gigabytes of internal data, which, we're told, will be leaked unless the extortionists are paid off.
The latest list of hijacked subdomains was drawn up by Zach Edwards, who reported the URLs at the end of June to Microsoft as well as the affected organizations, and shared a copy with The Register to verify. He said he earlier reported two to three dozen commandeered government and university subdomains as a priority. In May, Edwards, who cofounded analytics biz Victory Medium, also spotted malware being served from forgotten Epic Games subdomains.
Edwards told us last night a large chunk of these latest subdomains appear to have been taken over by a single group that has been active for years. "They are used by an international criminal group who does lots of things with them," he explained. "Some pages redirect to malware, some redirect to porn or casinos or other potential clients that pay them for inbound links, some direct to malicious chrome extensions, or cracked software.
"It's clearly automated: they have hit tons of organizations, and uploaded tons of malware. I've warned a bunch of organizations that their biggest fear should be this legacy group partnering with some other group that is more destructive. Hopefully that isn't happening at scale, but I fear the worst, and I believe this group is far more sophisticated than they are given credit for."
In many cases, Edwards said, the crooks try to hide their presence once they've hijacked a subdomain, making the root URL show a 404 or "coming soon" message. Further down the directory tree, however, are potentially thousands of files containing everything from malicious redirects through affiliate links to pages designed to trick people into installing malware to links to blogs and seedy sites to boost their rankings.
20 freaking per cent?
Edwards told us roughly 20 per cent of the subdomains he reported have been shut down. The Register is in the process of contacting the organizations that have had their subdomains hijacked for comment. "We were made aware of the situation on June 30th and it has been resolved," Autodesk told us last night.
At the end of last month, Microsoft published a support article explaining to customers how to avoid losing control of their subdomain content to miscreants. The Windows titan would not confirm or deny the dangling DNS advisory was issued after learning so many of its cloud clients had been caught out by spammers. ®