“Out of sight, out of mind” is true even in cybersecurity. Assets that are not visible to the security team are often forgotten, and this could quickly become detrimental.
In early 2024, for example, a massive ad fraud campaign dubbed “SubdoMailing” was uncovered. It involved thousands of legitimate but abandoned domains and subdomains. These web assets belonged to well-known organizations like the Better Business Bureau, CBS, eBay, Marvel, McAfee, MSN, Symantec, and VMware, and threat actors rode on the legitimacy of the forgotten assets to bypass email security filters.
People who clicked links embedded in the emails went through several redirections that translated to ad views. These views in turn generated fraudulent revenue for threat actors, but the malicious campaign did not stop there. The visitors ultimately landed on fraudulent pages that touted fake giveaways and security or affiliate scams. Around 5 million emails from this campaign reached targets per day, making the victim pool vast.
What Are Examples of Forgotten Subdomains?
You may be surprised at how easy it is for subdomains to stay under an organization’s radar. Here are some examples of situations that lead to forgotten subdomains.
Legacy Subdomains
Subdomains created for specific projects or campaigns can remain operational if they are not properly decommissioned after the activity concludes. For example, a company might create a subdomain for a marketing campaign or a product launch. Once the campaign ends or the product is discontinued, the subdomain may still remain active, even if it is no longer in use.
Test and Development Subdomains
Subdomains provide a secure and isolated environment for testing new features, applications, or security patches, as they minimize the risk of disrupting a live website. They also allow developers and testers to experiment with configurations to meet testing requirements.
As helpful as they are, these subdomains can easily get overlooked and left unmanaged, especially when they are not properly decommissioned or removed after testing.
Third-Party Service Subdomains
Third-party services, such as helpdesk platforms and payment gateways, often require the configuration of subdomains to enable custom setups and integrations. Here too, the subdomains may remain active even after the services are no longer used.
Inherited Subdomains
During mergers and acquisitions (M&As) and other organizational restructuring processes, web assets like subdomains can be inadvertently overlooked or mismanaged, notably when there’s a lack of clear communication and coordination between different teams.
Beyond Subdomains: Other Assets Can Be Forgotten, Too
Subdomains are not the only assets organizations can unintentionally abandon. Unused cloud accounts, such as storage buckets, that are no longer needed may remain running. An example would be a cloud storage service the development team set up for testing purposes but have since forgotten.
Virtual machines (VMs) that are no longer actively used may continue to have access to sensitive data or code, such as those temporarily set up to handle increased website traffic during the holiday season.
Another type of asset that is often overlooked is the Secure Sockets Layer (SSL) certificate. Website owners may forget to renew an SSL certificate before its expiration date, potentially leading to website downtime and exposing the site to vulnerabilities.
In addition, inactive email accounts can become security risks since they may still receive messages containing sensitive information. The risk becomes even greater if those email accounts are old. Cybercriminals have been seen targeting email accounts that are more than 10 years old, especially those with weak passwords.
Why Should You Be Concerned about Forgotten Assets?
We’ve made it clear that forgotten assets can expose organizations to risks. But what, exactly, are these risks?
Operational Disruption and Reputational Damage
Forgotten assets often lack up-to-date security measures, making them easy targets for cyber attacks.
Threat actors can also often use forgotten assets as a starting point to move laterally within a target network and go after more critical assets or systems. A security breach involving a forgotten asset can disrupt business operations and severely damage an organization’s reputation.
Delayed Incident Detection
When you don’t have visibility over forgotten assets, detecting their vulnerabilities or any incident they’re involved in becomes much more difficult. In the SubdoMailing campaign discussed earlier, security researchers noted that the fraud campaign has been active since 2022. With millions of malicious emails sent to users daily for years, the damage caused could be unquantifiable.
Any delay in detection and response can potentially mean greater damage, including more personal repercussions for CISOs worried about losing their job if a massive data breach involving a forgotten asset occurs. This fear may not be unfounded since each forgotten asset can serve as a potential attack entry point, contributing to attack surface expansion.
Regulatory Noncompliance
Regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) impose strict data protection measures. If the forgotten assets contain critical data, any compromise may result in breaches that can trigger hefty fines and legal repercussions.
In addition, forgotten assets may mean the organization is not compliant with the U.S. Securities and Exchange Commission (SEC) new rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies, which requires them to map asset-to-asset dependencies.
Increased Operational Costs
In addition to security implications, forgotten assets can lead to unnecessary operational costs. For instance, unused storage buckets may continue to incur cloud storage fees or maintenance expenses that are automatically charged to an organization’s bank account.
What You Can Do
Comprehensive attack surface discovery and management leveraging advanced methods can significantly minimize the risk of forgetting assets. This strategy involves the following crucial processes:
- Continuous asset inventory to identify and catalog all assets, including those that are no longer used and may have been under the radar for a long time
- Accurate vulnerability detection, which immediately brings the assets’ security issues to the surface
- Efficient security patch management to keep all assets updated with the latest patches
- Strong access controls to ensure that all assets have complex passwords and multifactor authentication (MFA) enabled
Implementing these security measures can significantly counter the attack surface expansion caused by forgotten assets.
Serious about detecting forgotten assets? Learn how Attaxion’s advanced asset discovery methods can help. Schedule a customized demo now.