Domain takeover on docs.fluidattacks.com leading to external redirections

Incident Report for Fluid Attacks

Postmortem

Impact

A subdomain takeover occurred on docs.fluidattacks.com. The issue started on 25-02-17 at 21:28 (UTC-5) and was proactively discovered 13.4 hours later (time to detect, TTD) by a staff member who noticed an unusual configuration of the subdomain on the Google platform and an improper redirection. The problem was resolved 2.6 hours after detection (time to fix, TTF), for a total window of exposure (WOE) of 16 hours [1].

Cause

The issue was caused by S3 name squatting, which allowed an attacker to claim control over docs.fluidattacks.com. Although the DNS record pointed to fluidattacks.com, the subdomain was configured to use an S3 bucket that did not exist. This let an attacker create a bucket with the same name, take over the subdomain and serve unintended redirections.

Solution

The DNS record for docs.fluidattacks.com was removed to prevent the attacker from maintaining control over it. A Cloudflare Worker was configured to redirect all paths from docs.fluidattacks.com to fluidattacks.com [2].

Conclusion

A system is being considered to detect orphaned subdomains, that is, DNS records pointing to nonexistent or uncontrolled services within the organization.

INCOMPLETE_PERSPECTIVE < MISSING_ALERT < LACK_OF_TRACEABILITY

Posted Feb 21, 2025 - 15:47 GMT-05:00
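The orphaned-subdomain check described in the conclusion, as an added example that is not Fluid Attacks' own tooling: it walks a DNS inventory (constructed placeholder records below), keeps the targets that are S3 REST or static-website endpoints, and flags those where S3 still answers NoSuchBucket, which is exactly the condition that let the bucket name be claimed in this incident. The `http_fetch` probe, the hostnames and the canned responses are assumptions for illustration.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# S3 REST and static-website endpoint hostnames, e.g. bucket.s3.amazonaws.com,
# bucket.s3.eu-west-1.amazonaws.com, bucket.s3-website-us-east-1.amazonaws.com
S3_ENDPOINT_RE = re.compile(r"^[a-z0-9.-]+\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
Fetch = Callable[[str], Tuple[int, str]]  # endpoint hostname -> (HTTP status, body)

def classify(target: str, fetch: Fetch) -> str:
    """'not-s3', 'ok', or 'dangling' (bucket unclaimed, hostname inheritable)."""
    if not S3_ENDPOINT_RE.match(target.lower().rstrip(".")):
        return "not-s3"
    status, body = fetch(target)
    # S3 answers for a bucket that does not exist with 404 and a NoSuchBucket code
    # (XML on REST endpoints, HTML on website endpoints); anything else means the
    # bucket name is already owned and cannot be claimed by a third party.
    if status == 404 and "NoSuchBucket" in body:
        return "dangling"
    return "ok"

def find_dangling(records: Dict[str, str], fetch: Fetch) -> List[str]:
    """Record names whose target is an S3 endpoint for a bucket nobody owns."""
    return sorted(n for n, t in records.items() if classify(t, fetch) == "dangling")

def http_fetch(host: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live probe for a real inventory: GET http://<host>/ so the Host header is the endpoint."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode(errors="replace")

# Constructed inventory and canned probe answers (placeholders, not real records).
RECORDS = {
    "docs.example.com": "docs-example-site.s3-website-us-east-1.amazonaws.com",
    "static.example.com": "static-example.s3.amazonaws.com",
    "www.example.com": "example.com",
}
CANNED = {
    "docs-example-site.s3-website-us-east-1.amazonaws.com": (404, "Code: NoSuchBucket"),
    "static-example.s3.amazonaws.com": (403, "<Code>AccessDenied</Code>"),
}

def canned_fetch(host: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch over the constructed inventory."""
    return CANNED.get(host, (200, ""))
```

Running `find_dangling(RECORDS, canned_fetch)` returns `['docs.example.com']`; swap in `http_fetch` and a real record export to run it against a live zone.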

Resolved

The incident has been resolved, and all necessary mitigations have been applied.
Posted Feb 18, 2025 - 13:32 GMT-05:00

Identified

docs.fluidattacks.com is pointing to a decommissioned external service, allowing a third party to take control and redirect traffic.
Posted Feb 18, 2025 - 11:00 GMT-05:00
This incident affected: Docs.