Go back to All Blog posts

Asset hijacking: the digital supply chain threat hiding in plain sight

Nethanel Gelernter
May 7th, 2024

What is the digital supply chain, and why is it risky?

The digital supply chain refers to the chain of third-party digital tools, services and infrastructure that is depended on for a particular first-party service (such as your website or SaaS platform). In an ever-changing digital landscape, supply chains can be brittle with many unseen risks.

The nature of supply chain risk is transitive; any part of the often long and complicated digital supply chain can be compromised, causing all components downstream of it to also be compromised. This means the whole system is only as secure as its weakest link.

Some examples of significant digital supply risks are web skimming, asset hijacking, mail hijacking and nameserver hijacking. In this article we will go into the details of asset hijacking and how old and forgotten assets can be abused to help criminals distribute nefarious content.

What is asset hijacking?

Asset hijacking is a type of attack that takes over existing infrastructure (such as websites or storage buckets that host content) by exploiting vulnerabilities or misconfigurations, then using the hijacked asset to host malicious or illegal content such as phishing pages, malware, gambling scams, pornography and even CSAM (Child Sexual Abuse Material).

The hijacked asset in question is often unused, old and forgotten, therefore no longer maintained by its owners. This often leaves the asset unpatched and vulnerable to exploitation, and undetected for long periods post-exploitation.

The practice of asset hijacking benefits criminals since they no longer have to spin up new infrastructure (which could be detected or blocked quickly), instead they can use existing, trusted domains and servers to host content which is both economical and more trusted.

Examples of asset hijacking

Intrusion vector: 3rd and 4th party compromise

The intrusion vectors of asset hijacking is usually easy to exploit vulnerabilities or misconfigurations, such as an unpatched CMS (Content Management System) like WordPress. In many cases, web hosting providers (3rd parties) could reuse the same multi-tenant WordPress instance for multiple customers (4th parties), and when the hosting server is compromised that leads to the takeover of potentially hundreds and thousands of websites all at once, since all those domains could be pointing to the same compromised server. In one instance, a traffic direction system (TDS) compromised and abused servers that host 16,500 websites of universities, local governments, adult content platforms, and personal blogs.

The taken over sites usually do not show any sign of compromise at the home page. If there was no content there to begin with, innocent looking 404 pages might be uploaded to throw off detection. The actual malicious pages hide in subdirectories that are often hard to guess, and thousands of them could be hosted on one site.

Phishing

One of the most common use cases of asset hijacking is for distributing phishing pages. Since the domain reputation of existing sites are much higher than newly registered domains, they tend to slip past spam filters and security scanning solutions better.

Phishing pages most commonly impersonate popular providers (such as Microsoft 365) to steal credentials. More sophisticated attacks even impersonate brands by hijacking a subdomain belonging to the actual company. In one case, a Ferrari subdomain was taken over to distribute a crypto scam with Ferrari NFTs to steal Ethereum, shortly after the brand announced actual plans for NFT minting.

Black SEO and malicious content

Search Engine Optimization (SEO) is often used by attackers to float their malicious sites up to the top of the search results. By embedding links to hidden pages elsewhere, they get picked up by search engines and clicked on by the untrained eye.

Because the hijacked asset itself was legitimate initially, they will often have valid SSL certificates, which adds to the illusion of security and legitimacy. 

A fake Chrome download page distributing malware, with a valid SSL certificate.

Compromised assets usually are part of a bigger network called a TDS (Traffic Direction System), along with other compromised sites in the same network. The TDS comes its own “smart bag of tricks” that redirects the visitor to various malicious sites depending on geolocation, referrer headers, user agent and language (so that the target site matches the visitor’s language, operating system and interest). For example, serving a malicious EXE file to an iPhone would be useless, so the TDS would instead redirect to a page with Apple themed warnings and malicious profiles.

Mitigation: attack surface management

The best way to prevent the compromise and abuse of forgotten assets is to not forget about them. Organizations tend to generate a lot of technical debt over time, along with shadow IT assets, so it’s important to keep track of them by maintaining an up-to-date asset inventory. Attack Surface Management software helps automate discovery and inventory of assets – even assets managed by third parties. 

IONIX Attack Surface Management

IONIX specializes in helping customers monitor and protect their complex digital supply chain through its EASM (External Attack Surface Management) platform. IONIX takes a proactive approach to identifying and mitigating risks posed by misconfigured or vulnerable digital supply chain assets. To lower the risk, it’s crucial to gain full visibility into your complete external attack surface. IONIX is the only ASM platform that can thoroughly inventory your own environments, both on-prem and cloud, including visibility into your 3rd, 4th and Nth degree suppliers. IONIX EASM uses patented ‘Connective Intelligence’ to go beyond asset visibility and provide asset importance, connectivity and exploit validation, so you not only know what you have, but what’s urgent and important to fix.

Conclusion

Asset hijacking is a very common threat because attackers have created a big business out of exploiting these homogeneously vulnerable assets that were forgotten over time. To make sure one of your assets isn’t in the “low hanging fruit” basket, you can leverage attack surface management platforms like IONIX, which takes a proactive approach to identifying and mitigating risks posed by assets vulnerable to hijacking – even shadow IT and digital supply chain assets. To see IONIX in action, request a scan today.

REQUEST A THREAT EXPOSURE REPORT TODAY

Discover the full extent of your online exposure so you can protect it.