Impact
A subdomain takeover occurred on docs.fluidattacks.com. The issue started at 21:28 (UTC-5) on 25-02-17 and was discovered proactively 13.4 hours later (time to detect, TTD) by a staff member who noticed an unusual configuration of the subdomain in the Google platform and an improper redirection. The problem was fixed in 2.6 hours (time to fix, TTF), for a total window of exposure (WOE) of 16 hours [1].
Cause
The issue was caused by S3 namesquatting, which let an attacker claim control of docs.fluidattacks.com. Although the DNS record pointed to fluidattacks.com, the subdomain was still configured to serve from an S3 bucket that did not exist, that is, a dangling record. Because S3 bucket names are global across all AWS accounts, anyone can create a bucket with the name the record expects; the attacker did so, received the traffic for the subdomain and served content that caused the unintended redirections.
Solution
The DNS record for docs.fluidattacks.com was removed to prevent the attacker from maintaining control over it. A Cloudflare Worker was configured to redirect all paths from docs.fluidattacks.com to fluidattacks.com [2].
Conclusion
A system to detect orphaned subdomains is under consideration, so that DNS records pointing to nonexistent or uncontrolled services in the organization can be identified before they are claimed.

INCOMPLETE_PERSPECTIVE < MISSING_ALERT < LACK_OF_TRACEABILITY
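The check such a system would run, for the S3 case described in the Cause section, is shown below. This is an example added to this postmortem, not Fluid Attacks' own tooling. It walks a list of DNS records, picks out CNAMEs whose target is an S3 REST or website endpoint, extracts the bucket name, and probes the endpoint: S3 answers a request for a nonexistent bucket with HTTP 404 and a body containing `NoSuchBucket`, which is the dangling state that allowed the takeover. Any other S3 answer (for example 403 `AccessDenied`) means the bucket exists; if it is not in the list of buckets the organization owns, the name may already have been squatted. The sample records, the `fake_fetch` responses and the `owned` bucket set are constructed for the example.

```python
"""Dangling-S3 record detector (added example, not the project's own code)."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# CNAME targets that can be squatted: <bucket>.s3.amazonaws.com,
# <bucket>.s3.<region>.amazonaws.com, <bucket>.s3-website-<region>.amazonaws.com
# and <bucket>.s3-website.<region>.amazonaws.com. The bucket is the leading label(s).
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)


@dataclass
class Finding:
    name: str      # the DNS name that would be taken over
    target: str    # the S3 endpoint the CNAME points at
    bucket: str    # bucket name an attacker would need to create
    status: str    # "dangling", "owned", "foreign", "exists" or "unknown"


def s3_bucket_from_target(target: str):
    """Return the bucket name if the target is an S3 endpoint, else None."""
    m = S3_TARGET.match(target.lower())
    return m.group("bucket") if m else None


def _http_fetch(url: str):
    """Plain HTTP GET returning (status, body). Used when no fetch is injected."""
    req = urllib.request.Request(url, headers={"User-Agent": "dangling-check"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403/404 are the answers we want to see
        return err.code, err.read(4096).decode("utf-8", "replace")


def probe_s3_target(target: str, bucket: str, owned=None, fetch=None) -> str:
    """Classify the bucket behind an S3 endpoint.

    404 + NoSuchBucket  -> "dangling"  (anyone can create the bucket right now)
    any other S3 reply  -> bucket exists: "owned" if it is in our inventory,
                           "foreign" if it is not (possible takeover already done),
                           "exists" when no inventory was supplied
    network failure     -> "unknown"
    """
    fetch = fetch or _http_fetch
    try:
        status, body = fetch("http://" + target + "/")
    except OSError:
        return "unknown"
    if status == 404 and "NoSuchBucket" in body:
        return "dangling"
    if owned is None:
        return "exists"
    return "owned" if bucket in owned else "foreign"


def audit(records, owned=None, fetch=None):
    """records: iterable of (name, type, target). Returns findings for S3 CNAMEs only."""
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        bucket = s3_bucket_from_target(target)
        if bucket is None:
            continue
        findings.append(Finding(name, target, bucket,
                                probe_s3_target(target, bucket, owned, fetch)))
    return findings


# Constructed sample zone data for the example; not real records.
SAMPLE_RECORDS = [
    ("docs.fluidattacks.com", "CNAME", "docs.fluidattacks.com.s3-website-us-east-1.amazonaws.com"),
    ("assets.example.com", "CNAME", "assets-example-com.s3.amazonaws.com"),
    ("www.example.com", "CNAME", "example.com"),
    ("api.example.com", "A", "203.0.113.10"),
]


def fake_fetch(url: str):
    """Stand-in for S3 answers so the example runs offline (constructed responses)."""
    if "docs.fluidattacks.com" in url:
        return 404, "<html><body><h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li></ul></body></html>"
    return 403, "<Error><Code>AccessDenied</Code></Error>"


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS, owned={"assets-example-com"}, fetch=fake_fetch):
        print(f"{f.name:28} -> {f.bucket:24} {f.status}")
```

In production, `records` would come from a zone export or the DNS provider's API and `owned` from `aws s3api list-buckets` across every account the organization controls; the `owned` check matters because a bucket that merely exists is not evidence that it is yours, which is exactly the state docs.fluidattacks.com was in after the attacker created the bucket.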