DEAD INFRASTRUCTURE HIJACKING – A COMPLETE AND PRECISELY BOUND THREAT ASSESSMENT – CYFIRMA

MITRE Techniques

• [T1596.001 ] Search Open Technical Databases: DNS/Passive DNS – Used to obtain historical DNS resolution data to determine whether a lapsed webhook pointed to a SaaS CNAME or a custom domain (‘PassiveTotal’s passive DNS capability provides the historical resolution data needed for this determination.’)
• [T1593.002 ] Search Open Websites / Domains – Employed to discover historical subdomains and certificate issuance events through CT and other public records (‘Run CT log historical discovery (%.yourdomain.com) before any DNS audit tooling.’)
• [T1583.001 ] Acquire Infrastructure: Domains – Attackers register expired or lapsed domains that live systems still reference to inherit inbound traffic (‘The attacker registers a lapsed domain that live systems still reference.’)
• [T1584.006 ] Compromise Infrastructure: Web Services – Claiming unclaimed SaaS custom domain mappings or CDN distributions to serve malicious or cloned content under trusted subdomains (‘claiming the distribution through CloudFront’s standard account creation flow allowed arbitrary content to be served under the trusted subdomain’)
• [T1608.001 ] Stage Capabilities: Upload Malware – Re-registered cloud storage buckets are populated with malicious build artifacts or updates to poison supply chains (‘the re-registered buckets received traffic… Every one of those requests could have been answered with a malicious payload.’)
• [T1195.002 ] Supply Chain Compromise: Compromise Software Supply Chain – Bucket squatting in CI/CD pipelines enables active delivery of malicious artifacts to downstream systems and customer environments (‘a reclaimed S3 bucket in a CI/CD pipeline can deliver malicious build artifacts to every downstream system consuming that pipeline’)
• [T1566.003 ] Phishing: Spear phishing via Service – Elicitation mode includes serving login clones or redirects on hijacked subdomains to harvest credentials (‘The attacker serves a redirect to a login-page clone, an authentication error that prompts credential re-entry, or a session expiry notice soliciting re-authentication.’)
• [T1539 ] Steal Web Session Cookie – Cookie scope exploitation on parent-domain scoped session cookies allows stolen session identifiers to be sent to hijacked subdomains (‘If session cookies are scoped to the parent domain (domain=.example.com) rather than (domain=docs.example.com), a hijacked subdomain under that domain may receive those cookies’)
• [T1213 ] Data from Information Repositories – Passive collection mode captures telemetry, internal event records, and configuration data sent to lapsed endpoints (‘The value lies entirely in what arrives: authentication tokens… internal event records in webhook payloads, session identifiers in routine check-in calls, and diagnostic telemetry’)
• [T1567 ] Exfiltration Over Web Service – Reclaimed endpoints serve as receivers for sensitive tokens and telemetry exfiltrated by normal application traffic (‘a reclaimed endpoint and receives organic traffic has established a persistent collection point’)
• [T1036.005 ] Masquerading: Match Legitimate Name or Location – Attackers use legitimate-looking hostnames, wildcard certificates, or vendor-owned domains to make malicious endpoints indistinguishable from legitimate services (‘Browsers and applications trusting the wildcard connect without certificate errors means the wildcard is valid for all subdomains, including the one the attacker controls.’)
• [T1505.003 ] Server Software Component: Web Shell (analogy) – Active-mode payload delivery via hijacked storage or web endpoints can function analogously to server-side implants by delivering executable artifacts or configuration changes (‘the attacker delivers malicious content to systems, fetching build artifacts, software updates, or configuration files’)