How the Attack Works
Cybercriminals are actively exploiting a design weakness in shared Content Delivery Network infrastructure to disguise malicious traffic as legitimate connections to trusted websites. Dubbed Underminr by researchers, the technique leverages the fact that CDN providers serve thousands of customers through the same edge nodes. Attackers register their own domains with a CDN that also hosts reputable sites, then craft requests that appear to be heading to a trusted destination while secretly routing data to attacker-controlled servers.
Security tools that inspect domain names or TLS handshake indicators see nothing suspicious and allow the traffic to pass. This goes beyond traditional domain fronting because it exploits the fundamental architecture of shared CDN infrastructure rather than relying on misconfigurations.
Impact and Scope
Research from ADAMnetworks cited in a Rescana report indicates that over 88 million domains are potentially affected, including those hosted by major CDN providers such as Cloudflare, Akamai, AWS CloudFront, and Fastly. The Rescana report warns that this technique is actively being exploited in the wild and poses a significant threat; no CVE has been assigned, because the issue is architectural rather than a software bug. There is no simple patch available, and the problem is expected to persist indefinitely.
Organizations are advised to strengthen network monitoring for anomalous traffic patterns and implement additional verification layers that do not rely solely on domain reputation or TLS indicators.
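One verification layer of the kind the report calls for is to stop trusting the TLS handshake alone and compare the SNI presented in the ClientHello with the HTTP Host header seen once a TLS-inspecting proxy has decrypted the session, the classic fronting check. The following is an added example, not code from the report or from any CDN vendor; the log format, domain names and the `detect_fronting` helper are constructed for illustration, and the eTLD+1 heuristic is deliberately crude.

```python
"""Flag fronting-style requests in TLS-inspecting proxy logs.

Added example with a constructed log format (not a real product's output).
Each record carries the TLS SNI from the ClientHello and the HTTP Host
header observed after the proxy decrypted the session. The check only
works where the proxy can see both values; with encrypted ClientHello
the SNI field is unavailable and this detection does not apply.
"""
from dataclasses import dataclass
import csv
import io

# Constructed sample log: ts, client, sni, host, bytes_out
SAMPLE_LOG = """\
ts,client,sni,host,bytes_out
2024-05-01T10:00:01Z,10.0.0.5,cdn.example-trusted.com,cdn.example-trusted.com,1200
2024-05-01T10:00:07Z,10.0.0.5,cdn.example-trusted.com,updates.attacker-placeholder.example,48000
2024-05-01T10:00:09Z,10.0.0.9,static.example-trusted.com,img.example-trusted.com,300
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    sni: str
    host: str
    reason: str


def registrable(name: str) -> str:
    """Crude eTLD+1 (last two labels). Real deployments should use the Public Suffix List."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def detect_fronting(log_text: str, allowed_pairs: frozenset = frozenset()) -> list:
    """Return one Finding per request whose Host header names a different
    registrable domain than the SNI. Same-organisation mismatches
    (e.g. static.X vs img.X) and explicitly allow-listed pairs are ignored."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        sni, host = row["sni"].lower(), row["host"].lower()
        if sni == host or (sni, host) in allowed_pairs:
            continue
        if registrable(sni) == registrable(host):
            continue  # same organisation behind both names; common and benign
        findings.append(Finding(row["ts"], row["client"], sni, host, "sni_host_mismatch"))
    return findings
```

Run against real proxy exports, the `bytes_out` column is the natural next pivot: a mismatch carrying large outbound volume to a host outside the SNI's organisation is the pattern worth triaging first.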
Source: Cyber Security News