Bill Demirkapi posted a really interesting article about how to abuse dangling cloud resources, i.e., resources deallocated from your environment while still referenced by a DNS record. His research shows how to scan for these resources and discover very interesting data points about targets. The full post can be found HERE.
You may be asking why you should care about this. Here are his thoughts …
Why should you care about dangling DNS records? Unfortunately, if an attacker can control a trusted subdomain, there is a substantial risk of abuse:
- Enables phishing, scams, and malware distribution.
- Session Hijacking via Cross-Site Scripting (XSS)
  - If example.com does not restrict access to session cookies from subdomains, an attacker may be able to execute malicious JavaScript to impersonate a logged in user.
- Context-specific impact, like…
  - Bypass trusted hostname checks in software (e.g., when downloading updates).
  - Abuse brand trust & reputation for misinformation.
Dangling DNS records are most commonly exploited en masse, but targeted attacks still exist. Fortunately, to achieve a high impact beyond trivial search engine optimization, an attacker would need to investigate your organization’s relationship with the domain they’ve compromised. Unfortunately, while trivial abuse like search engine optimization matters less in isolated incidents, it becomes a major problem when scaled.
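The session-cookie point in the quoted list can be checked from the defender's side. The following is an added example, not code from Bill Demirkapi's post: it audits Set-Cookie headers for attributes that expose a session cookie to subdomains. The function names and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for subdomain exposure.
# The header values below are constructed samples, not captured traffic.

SAMPLE_HEADERS = [
    "session=abc123; Domain=example.com; Path=/; Secure",
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sid=xyz789; Path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "domain" in attrs:
        # A Domain attribute widens the cookie's scope to every subdomain.
        # Without it the cookie is host-only.
        scope = attrs["domain"].lstrip(".")
        findings.append("sent to all subdomains of " + scope)
    if "httponly" not in attrs:
        findings.append("readable by JavaScript (no HttpOnly)")
    if "secure" not in attrs:
        findings.append("sent over plain HTTP (no Secure)")
    if not name.startswith("__Host-"):
        # Browsers accept a __Host- cookie only if it is Secure, has
        # Path=/ and has no Domain attribute, so it stays host-only.
        findings.append("not pinned to one host (no __Host- prefix)")
    return name, findings

def audit_all(headers):
    """Map each cookie name to its findings."""
    return dict(audit_cookie(h) for h in headers)

if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "ok")
```

A cookie that comes back with no findings is host-only and hidden from scripts, so code running on a taken-over subdomain neither receives it nor can read it.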