Hijacked website domains – keep control of your content

July 9th, 2020

A long-standing oversight in how websites are hosted on Microsoft Azure has caught out hundreds of organisations. It was recently reported that 240 website subdomains belonging to organisations large and small were hijacked to redirect visitors to malware, X-rated material, online gambling and other unexpected content, all because of the way those subdomains were hosted in Microsoft's Azure cloud. The organisations include Chevron, the Red Cross, UNESCO, 3M, Getty Images, Hawaiian Airlines, Arm, Warner Brothers, Honeywell, Autodesk, Toshiba, Xerox, the NHS, Siemens, Volvo, Clear Channel, Total and more. Microsoft itself accidentally let some of its own long-forgotten subdomains slip into the hands of spammers. None of these organisations were hacked in the usual sense: they rented a corner of the internet, put their logo and name on it, and when they no longer needed that space they emptied it but left the door open, so anyone who walked in could run a casino or a porn store at the same address under the same brand.

Xerox found that one of its subdomains, advanced.core.freeflow.xerox.com, had been commandeered to host pages linking to websites advertising escorts, kitchenware, oil paintings and more, in the hope that the reputation of xerox.com would boost the linked-to sites in search engine rankings. At one point advanced.core.freeflow.xerox.com was hosted in the Microsoft cloud on a web server with a hostname along the lines of webserver9000.azurewebsites.net, chosen by Xerox's IT admins, and a DNS record (a CNAME) mapped the Xerox name to that Azure hostname. When whatever lived at advanced.core.freeflow.xerox.com was no longer needed, Xerox would have spun down webserver9000.azurewebsites.net, releasing that hostname for others to claim. The DNS record, however, was never removed: advanced.core.freeflow.xerox.com still pointed to webserver9000.azurewebsites.net, so when someone else came along and created a new Azure resource under that hostname, whatever they served was delivered to visitors under advanced.core.freeflow.xerox.com.
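As an added example (not code from the article, Xerox or Microsoft), here is a small Python check for the condition described above: a CNAME record that points at a hosting hostname which no longer resolves, and which anyone could therefore register. The zone data, the set of names treated as still resolving, and every hostname other than advanced.core.freeflow.xerox.com are constructed for the example; the suffix list is illustrative, not exhaustive.

```python
"""Dangling-CNAME (subdomain takeover) check over a set of DNS records.

A subdomain is at risk when its CNAME target is a cloud-hosted name that no
longer resolves: the resource behind it was deleted, the name is free for
anyone to claim, and whoever claims it receives the traffic for the vanity
hostname. This is an added example, not code from the article.
"""
import socket

# Azure hosting suffixes whose customer-chosen hostnames become free for
# re-registration once the resource is deleted. Illustrative list only.
TAKEOVER_PRONE_SUFFIXES = (
    "azurewebsites.net",
    "cloudapp.net",
    "cloudapp.azure.com",
    "trafficmanager.net",
    "azureedge.net",
    "blob.core.windows.net",
)

# Constructed sample zone data: vanity hostname -> CNAME target.
# The Xerox hostname is from the article; the targets are invented.
SAMPLE_CNAMES = {
    "advanced.core.freeflow.xerox.com": "webserver9000.azurewebsites.net",
    "www.example.com": "live-site.azurewebsites.net",
    "docs.example.com": "pages.example-hosting.net",
    "shop.example.com": "old-shop.cloudapp.net",
}

# Constructed resolver view: names that still return an address. Anything
# absent is treated as NXDOMAIN, i.e. nobody currently owns that resource.
SAMPLE_RESOLVING = {
    "live-site.azurewebsites.net",
    "pages.example-hosting.net",
}


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot a zone export usually carries."""
    return name.rstrip(".").lower()


def is_takeover_prone(target: str) -> bool:
    """True if the CNAME target lives under a first-come-first-served suffix."""
    t = normalise(target)
    return any(t == s or t.endswith("." + s) for s in TAKEOVER_PRONE_SUFFIXES)


def classify(target: str, resolves) -> str:
    """Return 'dangling', 'ok' or 'not-monitored' for one CNAME target.

    `resolves(name) -> bool` is injected so the logic can be exercised
    offline and swapped for a live resolver in real use.
    """
    if not is_takeover_prone(target):
        return "not-monitored"
    return "ok" if resolves(target) else "dangling"


def find_dangling(cnames: dict, resolves) -> list:
    """Sorted list of vanity hostnames whose CNAME target is dangling."""
    return sorted(h for h, t in cnames.items()
                  if classify(t, resolves) == "dangling")


def sample_resolves(name: str) -> bool:
    """Offline resolver backed by the constructed SAMPLE_RESOLVING set."""
    return normalise(name) in SAMPLE_RESOLVING


def live_resolves(name: str) -> bool:
    """Live resolver: True if the target still has an A record.

    socket.gethostbyname raises socket.gaierror on NXDOMAIN, which is the
    signal that the hosting name is currently unclaimed.
    """
    try:
        socket.gethostbyname(normalise(name))
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for host in find_dangling(SAMPLE_CNAMES, sample_resolves):
        print(f"DANGLING: {host} -> {SAMPLE_CNAMES[host]}")
```

In practice you would feed `find_dangling` a full zone export and `live_resolves` (or a proper DNS library that follows the CNAME chain) rather than the constructed data. Treat a hit as a lead, not proof: some services answer for unclaimed names with a generic error page rather than NXDOMAIN, so confirm by checking whether the hostname can be created in your own subscription. The fix is ordering, not tooling: delete or repoint the DNS record before the Azure resource is deprovisioned.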

This is doubly embarrassing for Xerox, because the Maze ransomware team also claims to have infiltrated the tech giant’s network and exfiltrated gigabytes of internal data, which will be leaked unless the extortionists are paid off.

The latest list of hijacked subdomains was drawn up by Zach Edwards, who reported the URLs at the end of June to Microsoft as well as to the affected organisations. He said he had earlier reported two to three dozen commandeered government and university subdomains as a priority.

Many of these subdomain takeovers appear to be the work of a single group that has been active for years. Some pages redirect to malware, some to porn or casinos or other paying clients who want inbound links, and some to malicious Chrome extensions or cracked software.

Crooks try to hide their presence once they have hijacked a subdomain by making the root URL show a 404 or a "coming soon" message. Further down the directory tree, however, there can be thousands of files: malicious redirects, affiliate links, pages designed to trick people into installing malware, and links to blogs and seedy sites intended to boost their search rankings.

At the end of last month, Microsoft published a support article explaining to customers how to avoid losing control of their subdomain content.
