240+ top Microsoft Azure-hosted subdomains hacked to spread malware

 hackread.com  07/08/2020 22:40:43 

UNESCO, Red Cross, Siemens, Xerox and 3M are also among the organizations with compromised subdomains.

Cybercriminals have hijacked more than 240 websites, which belong to some of the most prominent organizations and brands worldwide, primarily to redirect users to download unexpected content such as malware, malicious Chrome extensions, online gambling, and adult content.

The reason these websites were hijacked so easily was the way Microsoft Azure cloud was hosting them.

Some hijacked websites are household names including Warner Bros., UNESCO, Toshiba, XEROX, Getty Images, Red Cross, Volvo, Honeywell, Hawaiian Airlines, Clear Channel, Siemens, Autodesk, Arm, 3M, the NHS, and Total, etc. (Full list is available at the end of this article).


The hijacked domain names were reported by Zach Edwards, who notified Microsoft and the affected companies/organizations about the issue in June. Edwards, the co-founder of analytics firm Victory Medium, initially informed university and government organizations and then the rest of the companies.

According to Edwards, most of the subdomains were taken over by a single group, which he believes has been active for five years. As per his analysis, this group has the support of an international criminal gang and is more sophisticated than expected.

“It’s clearly automated: they have hit tons of organizations, and uploaded tons of malware. I’ve warned a bunch of organizations that their biggest fear should be this legacy group partnering with some other group that is more destructive,” Edwards told The Register.

Furthermore, Edwards assessed that the hackers try to hide their presence after hijacking a subdomain by making the root URL show a “coming soon” page or a 404 error message. Around 20% of the subdomains he reported were shut down.


Screenshot from one of the hacked domains showing the “Kommt bald” (German for “coming soon”) message (Image: Zach Edwards, Twitter)

However, the bigger problem is that the websites’ DNS entries could be hijacked mainly because of how Azure cloud was hosting them. Subdomain takeover of this kind has been a common issue with websites hosted on Azure Cloud.
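The article does not spell out the mechanism, so the following assumes the usual Azure subdomain-takeover pattern: a CNAME in the organization’s zone still points at an Azure-managed hostname (app service, CDN endpoint, and so on) that has since been released, which anyone could then register. This is an added defensive audit, not code from the article or from Edwards; the Azure suffix list is a starting assumption and the zone records and resolver are constructed stand-ins.

```python
"""Dangling-CNAME audit for Azure-hosted subdomains (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Azure service suffixes under which a released hostname can be claimed by
# another tenant.  Starting set (an assumption); extend from your own inventory.
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".azureedge.net",
)

def is_azure_target(target: str) -> bool:
    """True when a CNAME target sits under an Azure-managed suffix."""
    host = target.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in AZURE_SUFFIXES)

def find_dangling(records: List[Tuple[str, str]],
                  resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Return subdomains whose CNAME points at an Azure name that no longer resolves.

    records: (subdomain, cname_target) pairs exported from the DNS zone.
    resolve: returns an address for a hostname, or None on NXDOMAIN.
    Flagged records should be deleted (or the Azure resource re-created)
    before someone else registers that hostname.
    """
    return [name for name, target in records
            if is_azure_target(target) and resolve(target) is None]

# Constructed sample zone export and stub resolver so the audit runs offline.
SAMPLE_RECORDS = [
    ("www.example.test", "example-prod.azurewebsites.net."),
    ("old-demo.example.test", "demo-2016.azurewebsites.net."),  # app deleted
    ("cdn.example.test", "example.azureedge.net."),
    ("mail.example.test", "mx.mailhost.invalid."),              # not Azure
]
STUB_DNS: Dict[str, str] = {
    "example-prod.azurewebsites.net": "203.0.113.10",
    "example.azureedge.net": "203.0.113.20",
}

def stub_resolve(host: str) -> Optional[str]:
    """Stand-in for a real lookup (e.g. dnspython); None means NXDOMAIN."""
    return STUB_DNS.get(host.rstrip(".").lower())

if __name__ == "__main__":
    for sub in find_dangling(SAMPLE_RECORDS, stub_resolve):
        print("DANGLING:", sub)  # prints old-demo.example.test
```

In production, replace `stub_resolve` with a real resolver and feed the function a full zone export; the non-Azure record is deliberately ignored even though it does not resolve, since takeover here depends on the target being re-registrable.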

NEW: Epic Games ignored an epic subdomain takeover on their authentication domain by a criminal credit card skimming / user phishing group "PickaFlick" that has been operating for ~19 years – then Epic issued a $1 million bounty via a Tweet…

— Zach Edwards (@thezedwards) May 20, 2020

The list of compromised domains shared by Edwards is as follows:

Hackread.com advises readers not to visit these domains as they have the potential to infect your device with malware.

