'Underminr' Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains

'Underminr' Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains

Briefly

"Underminr presents the SNI and HTTP Host of a domain while forcing a request to the IP address of another tenant on the same shared edge. The mismatch, ADAMnetworks reports, has been exploited in attacks targeting large-scale hosting providers, including those that have implemented mitigations against domain fronting. "This abuse permits connections that appear to go to a trusted domain to actually connect to another domain that could be used for malicious intent," the web security firm explains."

"Because CDNs routed requests internally based on the host headers, the request reached the hidden destination, while traffic would appear to be going to a reputable front domain. Instead of using a front domain, Underminr presents the SNI and HTTP Host of a domain while forcing a request to the IP address of another tenant on the same shared edge. The mismatch has been exploited in attacks targeting large-scale hosting providers, including those that have implemented mitigations against domain fronting."

"Threat actors can abuse Underminr to hide connections to command-and-control (C&C) servers, as well as VPN and proxy connections, and to circumvent network egress policies. "In the simple form, the detection gap appears when DNS decisions, edge IPs, SNI, Host headers, and CDN tenant routing are not correlated. The endpoint sees an allowed DNS lookup while the connection can complete against a different hosted name," ADAMnetworks says."

"According to the company, the attack technique has been abused in attacks to connect to domains hosted on CDN infrastructure shared with allowed domains, mostly via TCP connections on port 443, in which SNI exposes the intended TLS hostname. The Underminr vulnerability can be exploited using four different strategies to circumve"