Image of an owl hidden in a tree, notion is very similar to a domain shadowing attack

Domain shadowing

Domain shadowing is a technique listed by MITRE ATT&CK as T1584.001 sub-technique of T1584

MITRE ATT&CK domain shadowing details
Figure 1 – Domain shadowing as documented by MITRE ATT@CK framework

This technique is not to be confused with subdomain hijacking

What is a domain shadowing attack?

Image of an owl hidden, similar notion of a domain shadowing attack

Threat actors gain control of the DNS control panel of legitimate domain names by brute force and stealthily insert subdomains pointing to the attackers’ network infrastructure.

The DNS records of the apex domain name are untouched.

Why does domain shadowing attack occur?

Our hypothesis for the most likely scenario is that the attackers use brute force on the registrants’ domain name control panel. Once successful, stealthy create subdomains under legitimate domain names, which point to the attackers’ infrastructure.

Representation of domain shadowing attack
Figure 2 – Representation of domain shadowing attack using example.com domain name

Here are the reasons why this attack is possible,

  • Weak passwords
  • 2FA is either not available or not enabled
  • Registrars provide no monitoring/alerting system to notify when a modification is made to the DNS zone of the domain name.

Threat actors perspective

Creating and using subdomains under legitimate domain names for malicious purposes, such as phishing, malware, etc, has many benefits from the threat actors’ perspective.

  • Leveraging domain name reputation – By using the reputation of the legitimate domain name, threat actors can evade detection
  • Minimize efforts and time – Eliminate efforts into buying a domain name(with stolen funds ofcourse!)

Shreshta threat intelligence team has been monitoring domain names under gTLDs and ccTLDs using our passive DNS product DNS Watchtower. In the past, we have also documented these attacks targeting domain names under .LK

Recommendations

As a domain name registrant, here are a few things that you can do to stop a domain shadowing attack,

  • Enable 2-factor authentication(2FA) – If available, enable 2FA in the domain name control panel, which the registrar provides
  • Password hygiene – Set a strong and unique password to the domain name control panel
  • Monitor the DNS records – Periodically monitor the DNS zone 

Monitoring the DNS records is not feasible for registrants since the registrars provide no alerting/monitoring feature. Our team has been working in this space. Stay tuned!

Update – March 13th 2024 – We’ve published a blog post with the details of ShadowFindr, a web tool we released last month.

Website | + posts