Researchers are sounding the alarm on a class of exploit inherent in Internet infrastructure itself, one for which there is no simple fix and which, by their count, leaves nearly half of all websites globally at risk.

Conceptually, the issue is a successor to “domain fronting,” a trivial Internet routing sleight of hand popular in the mid-2010s. Domain fronting let a client tell the domain name system (DNS) and a content delivery network (CDN) provider that it was visiting one website while actually requesting another, simply by switching one field, the HTTP Host header inside the encrypted request, to a different domain. It caught enough attention back in 2018 that CDNs have largely mitigated it.

The new issue, dubbed “Underminr,” works around those mitigations to the very same effect. Although domain fronting is often associated with censorship bypass, the analysts at ADAMnetworks point to its more nefarious use: letting attackers conceal malicious activity online by hijacking the brand reputations of legitimate websites.


Hackers are already exploiting Underminr, they report, and your website is very likely usable as their cover. ADAMnetworks found that 42% of websites are vulnerable; in the US, that number climbs to 51%.

Understanding Underminr

Think back to school, YouTube explainers, or wherever you first learned about how the Internet works. Back then, you learned that when you request to visit a specific website — say, darkreading.com — that request travels to a Domain Name System (DNS) server, which resolves that human-readable domain to an IP address, like 104.16.224.171, associated with the website’s server.

Today, the picture is a degree more complicated. Like many websites, darkreading.com sits behind a massive content delivery network (CDN), in its case Cloudflare. Cloudflare groups lots of domains behind the edge IP address 104.16.224.171. When you visit darkreading.com, your connection lands on 104.16.224.171, and Cloudflare works out which site you intended using two other fields in your request: the Server Name Indication (SNI), sent in the clear during the Transport Layer Security (TLS) handshake, and the HTTP Host header inside the encrypted part of the request that follows.

The problem that ADAMnetworks identified rests on two weaknesses in this picture. First, DNS and CDN systems operate in relative silos: the former does its job, then passes the buck to the latter, and they don’t cross-reference. Second, CDNs often group relatively established and trusted domains with relatively new and untrusted ones, all behind the same edge IPs.


That allows an attacker to perform a DNS lookup for a perfectly trusted domain, like darkreading.com, which resolves to 104.16.224.171. Any Protective DNS filter sees that query as legitimate and waves it through. Next, in the fields the CDN reads, the attacker indicates an entirely different website hosted at that same edge IP address. Neither the DNS provider nor the CDN sees that the other interpreted the same request differently. And even if the swapped-in website is malicious, large CDNs often can't tell, so no red flag or alert is raised.

In the end, the attacker can funnel traffic to a malicious site through a trusted one's name, like a shield. From there they can do anything, run scams, operate malicious command-and-control (C2) infrastructure, exfiltrate data from victims, all while leveraging the trusted domain to evade DNS-, signature-, and behavior-based detection. On the flip side, by being associated with malicious cyber activity, the trusted site faces loss of brand reputation and any number of other business, legal, and logistical headaches.
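The cross-reference the text says DNS and CDN providers never perform for each other can be done on the defender's own network, by joining resolver logs with the SNI seen on outbound TLS connections. The following is an added example, not code from ADAMnetworks or the article: the record layouts, the sample rows and the detection rule are all constructed here. It asks, per client, whether the name in the ClientHello is one that client actually resolved to the IP it connected to; a shared edge IP serving many names is normal, a client naming a site it never looked up is the Underminr pattern.

```python
# Added example, not code from ADAMnetworks or the article: join resolver
# answers with TLS ClientHello SNI to flag DNS/SNI disagreement per client.
# Record layouts, sample rows and the rule are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    client: str      # client IP that asked
    qname: str       # name queried
    answer_ip: str   # A/AAAA answer handed back


@dataclass(frozen=True)
class TlsFlow:
    client: str      # client IP that opened the connection
    dst_ip: str      # server IP connected to
    sni: str         # server_name from the cleartext ClientHello


# Constructed sample telemetry (not real captures). 104.16.224.171 is the
# shared edge IP from the article; the other names are placeholders.
DNS_LOG = [
    DnsAnswer("10.0.0.5", "darkreading.com", "104.16.224.171"),
    DnsAnswer("10.0.0.7", "darkreading.com", "104.16.224.171"),
    DnsAnswer("10.0.0.7", "static.example", "104.16.224.171"),
]
TLS_LOG = [
    TlsFlow("10.0.0.5", "104.16.224.171", "darkreading.com"),      # consistent
    TlsFlow("10.0.0.5", "104.16.224.171", "c2.attacker.example"),  # Underminr pattern
    TlsFlow("10.0.0.7", "104.16.224.171", "static.example"),       # consistent
    TlsFlow("10.0.0.9", "104.16.224.171", "darkreading.com"),      # no resolver record at all
]


def normalize(name: str) -> str:
    """Compare names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def resolution_index(dns_log: List[DnsAnswer]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (client, answer_ip) -> every name that client resolved to that IP."""
    idx: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for rec in dns_log:
        idx[(rec.client, rec.answer_ip)].add(normalize(rec.qname))
    return idx


def find_sni_mismatches(dns_log: List[DnsAnswer], tls_log: List[TlsFlow]):
    """Flag TLS flows whose SNI was never resolved by that client to that IP.

    A shared CDN edge legitimately serves many names, so the check is per
    client: did *this* client get *this* IP for *this* name?  Returns
    (client, dst_ip, sni, names_resolved, reason) tuples.
    """
    idx = resolution_index(dns_log)
    findings = []
    for flow in tls_log:
        resolved = idx.get((flow.client, flow.dst_ip), set())
        sni = normalize(flow.sni)
        if sni in resolved:
            continue
        if resolved:
            reason = "SNI differs from the name(s) this client resolved to the IP"
        else:
            reason = "no resolver record for this client and IP (cache, DoH, or hardcoded IP)"
        findings.append((flow.client, flow.dst_ip, sni, sorted(resolved), reason))
    return findings


if __name__ == "__main__":
    for finding in find_sni_mismatches(DNS_LOG, TLS_LOG):
        print(finding)
```

In production the join needs a time window at least as long as the DNS TTLs involved, otherwise cached answers produce false "no resolver record" hits; clients using DNS over HTTPS to an outside resolver never appear in the DNS log at all, and Encrypted Client Hello removes the SNI side of the comparison. The rule only ever reports a disagreement, which is exactly the thing a Protective DNS filter on its own cannot see.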

CDN Architecture Determines Underminr Risk

To gauge Underminr’s blast radius, ADAMnetworks scanned the top five million domains on the Web. The result: nearly half of all websites are exposed.


Those websites aren't evenly distributed, though. In the US, around half of all sites are at risk. In Eastern Europe, one-third. In China's ultra-regulated Internet, less than 9%. That disparity shows that Underminr is not an inescapable reality of the Internet; it's a design flaw in how CDNs share edge IPs among tenants.

One need not dig all the way to China for a CDN that protects the integrity of one's website, though. Boutique, security-focused providers that don't serve armies of anonymous clientele eliminate the risk. And for a model of what larger providers can do to protect their customers, one might look to Fastly. “They were late to the game of fixing the domain fronting problem that existed 10 years ago,” recalls ADAMnetworks CEO David Redekop. Though slow out of the blocks, he says, “they fixed it the best by creating grades of customers, or what I like to call ‘bucketizing.’”

Bucketizing, Redekop's own term for a practice without an official name, is one in which a CDN like Fastly intentionally groups domains together according to their reputations. “Fastly said: ‘You know what? The New York Times and The Guardian: let's put them together in a bucket. But if you have some new domain name that's buying Fastly CDN services, let's put it together with the other new domain names,’” Redekop explains.

In bucketizing domains by reputation, Fastly vastly reduced the risk that the same IP would host, say, The New York Times homepage and a malicious C2 server. That didn't technically prevent domain fronting, but it sucked the appeal out of it. And since domain fronting and Underminr are almost exactly the same issue, with one distinction, that the disagreeing fields are SNI and DNS rather than SNI and HTTP Host, it had the same effect on Underminr. Every single Fastly customer today is technically at risk of Underminr, but does it matter if all an attacker can do is swap nytimes.com for theguardian.com?

Redekop emphasizes that if organizations want to protect their sites, they really only have one course of action. “If they want to do something about their own domain name,” he says, “what they could do is move it off of the content delivery network that enables the Underminr.”
