Multiple information security training firms, researchers and instructors recently reported the discovery of a serious vulnerability in more than 600 subdomains belonging to Microsoft; successful exploitation of this flaw would allow these sites to be hijacked for malicious purposes. Despite repeated reports, the tech giant showed no interest in repairing the flaw.
Microsoft's lack of interest in this issue, and the potential intervention of threat actor groups, led researchers at the security firm Vulnerability to hijack some of the compromised domains themselves, holding Microsoft accountable for bad DNS practices.
In total, the researchers managed to take control of ten subdomains, including addresses such as:
- identityhelp.microsoft.com, among others
In addition, information security training participants mention that the total number of exposed domains has since increased to 670.
In their report, the experts mention that it was very easy to detect where the subdomains were supposed to redirect, as Microsoft hosts them on Azure; for example, mybrowser.microsoft.com is linked to browserver.azurewebsites.net. The researchers focused on subdomains that are not linked to any active website.
When Microsoft stops using a particular subdomain, the DNS record is left as is, so all a threat actor has to do is create an Azure account and request browserver.azurewebsites.net, allowing them to host any kind of content on the subdomain, such as websites infested with invasive or malicious advertising or Microsoft phishing pages to extract usernames and passwords from employees and customers of the
Information security training instructors assert that this is a very simple procedure requiring minimal technical knowledge (in addition, completing the hijacking takes less than an hour), so the possible malicious use of these subdomains is a real threat.
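The condition the article describes is a dangling CNAME: a subdomain that still points at an Azure App Service hostname nobody owns any more. The script below is an added example, not code from the article or from the researchers it describes, showing the audit a domain owner would run over their own zone to find such records before anyone else does. The zone records and the resolver answers are constructed sample data so that it runs offline; the `mybrowser.microsoft.com` entry mirrors the article's example, while the other hosts and targets, the `example.com` zone and the `offline_resolve` / `socket_resolve` helper names are assumptions of this example.

```python
"""Dangling-CNAME audit for a DNS zone (added example, not the article's code).

Flags subdomains whose CNAME target is on a service where an unclaimed name can
be registered by any tenant (here only *.azurewebsites.net, the case in the
article) and that no longer resolves. Such records should be deleted, or the
target reclaimed, before a third party registers it.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hostname suffixes of services where an unclaimed target can be registered by
# any account. Only the Azure suffix named in the article is listed; extending
# this tuple to other hosting providers is left to the reader.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net",)

# Constructed sample zone: (name, record type, target). Only the first entry
# comes from the article; the example.com hosts and targets are invented.
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("mybrowser.microsoft.com", "CNAME", "browserver.azurewebsites.net"),
    ("docs.example.com", "CNAME", "docs-prod.azurewebsites.net"),
    ("www.example.com", "A", "203.0.113.10"),
    ("old-portal.example.com", "CNAME", "old-portal.azurewebsites.net"),
    ("blog.example.com", "CNAME", "blog.example.net"),
]

# Constructed resolver answers: target -> address, or None when the name
# does not resolve (the retired-app case).
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "browserver.azurewebsites.net": None,
    "docs-prod.azurewebsites.net": "203.0.113.20",
    "old-portal.azurewebsites.net": None,
    "blog.example.net": "203.0.113.30",
}


def offline_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS lookup backed by the constructed answer table."""
    return SAMPLE_ANSWERS.get(name.rstrip(".").lower())


def socket_resolve(name: str) -> Optional[str]:
    """Real lookup for production use: None when the target does not resolve."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None


def is_takeover_prone(target: str) -> bool:
    """True when the CNAME target lives on a service anyone can register names on."""
    t = target.rstrip(".").lower()
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling_cnames(
    zone: List[Tuple[str, str, str]],
    resolve: Callable[[str], Optional[str]],
) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs whose CNAME points at a takeover-prone
    service and no longer resolves, i.e. records that must be cleaned up."""
    dangling: List[Tuple[str, str]] = []
    for name, rtype, target in zone:
        if rtype != "CNAME" or not is_takeover_prone(target):
            continue  # A records and CNAMEs to owned infrastructure are out of scope
        if resolve(target) is None:
            dangling.append((name, target))
    return dangling


if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_ZONE, offline_resolve):
        print(f"DANGLING {name} -> {target}: delete the record or reclaim the target")
```

Swap `offline_resolve` for `socket_resolve` (or a dnspython lookup) to run it against a real zone export; the detection logic is the same. The check deliberately keys on the CNAME target rather than on the subdomain's own resolution, because the subdomain itself resolves fine right up until someone claims the target.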
As already mentioned, the company does not seem interested in correcting this cybersecurity threat, even though researchers claim that doing so would be a very simple process for Microsoft. According to the International Institute of Cyber Security (IICS), there is still time to secure the exposed subdomains, although the arrival of cybercriminals on the scene may be only a matter of time.