Underminr domain-fronting attack hijacks brand reputations via CDN trust - 42% of websites globally, 51% in US, vulnerable
ADAMnetworks researchers have disclosed Underminr, a domain-fronting attack that abuses how major content delivery networks route HTTP requests at the edge (by Host header rather than by the domain the client resolved), letting an attacker route malicious traffic so that it appears to come from a trusted brand's domain. Protective DNS filters see only the DNS lookup for the legitimate site and wave it through. ADAMnetworks estimates that 42% of websites globally are vulnerable, 51% in the US, around one-third in Eastern Europe, and under 9% in China's heavily regulated internet. The researchers say attackers are already using the technique. Boutique security-focused CDNs that perform domain verification are not vulnerable; the larger general-purpose providers carry most of the exposure.
- Check: Inventory CDN providers and check whether each performs domain verification (validates the HTTP Host header at the edge). Search egress logs for traffic that resolved a trusted domain but landed on attacker infrastructure.
- Affected: Roughly 42% of websites worldwide and 51% in the US, hosted on CDNs that do not perform strict Host-header verification. Boutique CDNs that verify domain ownership are not vulnerable.
- Fix: Move sensitive properties to CDNs that perform strict domain verification. Audit Protective DNS allowlists and pair them with TLS SNI or HTTP Host inspection downstream. Treat domain-only allowlists as weak.