Hackers Exploit Shared CDNs Using New Technique "Underminr"
Hackers are increasingly abusing shared Content Delivery Network (CDN) infrastructure to bypass security controls that depend on domain reputation. The trend has been given a name, "Underminr." It is not a software vulnerability in the usual sense; rather, Underminr exposes a structural weakness in how modern CDNs handle multi-tenant traffic.
Large CDN providers such as Cloudflare, Akamai, AWS CloudFront, and Fastly route traffic for millions of domains through shared edge infrastructure, so the same edge IP addresses serve every tenant. That design is what attackers exploit. By registering their own domains on the CDN platforms that well-regarded services already use, attackers share an edge with those services and can make their own traffic look like traffic to them.
Understanding the Exploit
The technique rests on manipulating the HTTP Host header and the Server Name Indication (SNI) sent during the TLS handshake. The attacker crafts requests that, from the outside, appear to be destined for a legitimate, trusted domain, while the CDN delivers them to a backend the attacker controls. Because many security tools judge a connection by domain reputation or by inspecting the SNI, these connections are wrongly classified as safe.
In a typical scenario, the threat actor registers a domain with a CDN provider and then generates traffic whose SNI names a trusted domain hosted on the same CDN, such as a Software-as-a-Service (SaaS) provider, while the request itself carries the malicious payload. The CDN applies its own routing logic to the request, and the attacker's backend ends up handling the traffic without anything at the perimeter raising an alarm.
The Security Implications
Security researchers at Rescana have warned about the architectural weakness Underminr exposes: it lets attackers hide malicious traffic behind established domains, which makes detection difficult for conventional tooling. Because the connections appear to go to reputable domains, perimeter defenses such as firewalls, secure web gateways, and intrusion detection systems often let the traffic through unchecked.
That lets attackers deliver malware, run phishing campaigns, and operate command-and-control (C2) channels without triggering alerts. Although the technique also involves the SNI and Host header, the distinction drawn from classic domain fronting, which depends on a simple mismatch between the two, is that Underminr exploits the inherent behavior of CDN multiplexing, how one shared edge serves many tenants. That gives it broader reach and lets it operate at scale. Reports indicate that over 88 million domains may be exposed to the technique.
Active Exploitation in the Wild
ADAMnetworks has confirmed active exploitation of Underminr, and coverage in cybersecurity publications such as SecurityWeek and SC Magazine reports that threat actors are already using the technique. The attackers blend malicious traffic with legitimate business communications, using trusted CDN and SaaS domains as a front for their own infrastructure.
Their observed methods include:
- Delivering phishing payloads over connections disguised as traffic to trusted domains.
- Establishing resilient, covert command-and-control channels.
- Using HTTP/2 multiplexing to interleave malicious and benign requests on a single connection.
For example, attackers have been observed crafting HTTP requests that appear to address well-known cloud services but are routed to malicious endpoints. This hides their activity and supports long-term persistence and low-profile data exfiltration.
No specific Advanced Persistent Threat (APT) group has been officially tied to Underminr, but the techniques mirror those of groups such as APT29 and APT41, which have historically used similar methods to evade detection and to maintain covert communication channels.
Addressing the Vulnerability
Because Underminr is an architectural issue in shared CDN infrastructure rather than a bug in specific software, any domain served from a shared CDN environment is potentially at risk. Affected providers include Cloudflare, Akamai, AWS CloudFront, and Fastly. As of May 2023, no Common Vulnerabilities and Exposures (CVE) identifier has been assigned to the issue.
Recommended Mitigations
To mitigate the risk, organizations need to move beyond basic domain-reputation filtering. Recommended actions include:
- Inspecting TLS traffic so that the SNI, the HTTP Host header (or HTTP/2 :authority), and the destination can be checked against each other and against the endpoints users are expected to reach. The Host value is only visible where the gateway terminates TLS; with passive inspection only the SNI, destination IP, and server certificate can be checked.
- Monitoring for unusual traffic patterns to high-reputation domains.
- Deploying behavioral analytics capable of spotting anomalies in encrypted traffic.
- Reviewing CDN configurations to reduce exposure to shared-tenant risk.
- Integrating threat-intelligence feeds that carry attacker-controlled domains identified by security researchers.
Organizations should also work with their CDN providers, many of which are exploring architectural changes to reduce the risk of cross-tenant abuse.
The emergence of techniques like Underminr shows why modern networks need better visibility and more context-aware security controls. Attackers keep exploiting the trust built into widely used internet infrastructure, which puts a premium on vigilance and proactive defense.
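The consistency check recommended above, applied to the kind of traffic described under "Understanding the Exploit" and to the HTTP/2 interleaving noted under "Active Exploitation in the Wild", as an added example that is not code from the article, from Rescana, ADAMnetworks or any CDN provider. It assumes a TLS-terminating proxy that logs, per HTTP request, a connection id, client IP, destination IP, the SNI from the ClientHello and the Host (or :authority) header; the address range, hostnames and log lines are constructed for the example.

```python
"""Consistency check of TLS SNI, HTTP Host/:authority and destination IP
for requests that traverse a shared CDN edge.

Added example, not code from the article, from Rescana, ADAMnetworks or any
CDN provider.  Assumed input: one 'key=value' line per HTTP request from a
TLS-terminating proxy (conn, src, dst, sni, host).  Without TLS termination
the Host value is not available and only the SNI/destination checks apply.
Ranges, hostnames and log lines below are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed: edge address space the organization knows to be shared CDN.
SHARED_EDGE = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed: tenants the organization expects its users to reach via that edge.
EXPECTED_TENANTS = {"saas.example", "assets.example"}


def _norm(name: str) -> str:
    """Lower-case, drop a trailing dot and a 'host:port' suffix (IPv6 literals
    contain several colons and are left alone)."""
    name = name.strip().lower().rstrip(".")
    return name.rsplit(":", 1)[0] if name.count(":") == 1 else name


def parse_line(line: str) -> dict:
    """Parse 'k=v k=v ...'; absent keys come back as ''."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {k: fields.get(k, "") for k in ("conn", "src", "dst", "sni", "host")}


def on_shared_edge(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EDGE)


def classify(rec: dict) -> str:
    """Verdict for one request."""
    sni, host = _norm(rec["sni"]), _norm(rec["host"])
    if not sni:
        return "no_sni"                      # cannot be validated; route to review
    if host and host != sni:
        return "sni_host_mismatch"           # handshake names one tenant, request another
    if on_shared_edge(rec["dst"]) and sni not in EXPECTED_TENANTS:
        return "unexpected_tenant_on_shared_edge"
    return "ok"


def multiplexed_authorities(records) -> dict:
    """Connections on which a single TLS session (one SNI) carried requests
    for more than one authority, the HTTP/2 interleaving case."""
    seen = defaultdict(set)
    for r in records:
        seen[r["conn"]].add(_norm(r["host"]) or _norm(r["sni"]))
    return {c: hosts for c, hosts in seen.items() if len(hosts) > 1}


def analyse(lines):
    """Return per-request verdicts and the multiplexing findings."""
    records = [parse_line(l) for l in lines if l.strip()]
    verdicts = [(r["conn"], classify(r)) for r in records]
    return verdicts, multiplexed_authorities(records)


# Constructed sample: conn 2 fronts a foreign tenant behind a trusted SNI,
# conn 3 reaches an unlisted tenant on the shared edge, conn 4 interleaves
# a benign and a hostile authority on one TLS session, conn 5 sends no SNI.
SAMPLE_LOG = """\
conn=1 src=10.0.0.5 dst=198.51.100.7 sni=saas.example host=saas.example
conn=2 src=10.0.0.5 dst=198.51.100.7 sni=saas.example host=attacker-tenant.example
conn=3 src=10.0.0.9 dst=198.51.100.12 sni=unlisted.example host=unlisted.example
conn=4 src=10.0.0.9 dst=198.51.100.12 sni=saas.example host=saas.example
conn=4 src=10.0.0.9 dst=198.51.100.12 sni=saas.example host=c2.example
conn=5 src=10.0.0.3 dst=203.0.113.4 sni= host=legacy.example
"""

if __name__ == "__main__":
    verdicts, mux = analyse(SAMPLE_LOG.splitlines())
    for conn, verdict in verdicts:
        print(f"conn {conn}: {verdict}")
    for conn, hosts in mux.items():
        print(f"conn {conn}: one TLS session carried {sorted(hosts)}")
```

Two tuning points before running this on real logs: strict equality between SNI and Host will flag legitimate deployments that deliberately serve several hostnames behind one name, and the multiplexing finding also fires on ordinary HTTP/2 connection coalescing, where a browser reuses one connection for hostnames covered by the same certificate and IP. Both need a local allow-list; the value of the check is that every exception is then an explicit, reviewable decision rather than something the edge silently permits.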

