'Underminr' CDN Vulnerability Hides Malicious Traffic Behind Trusted Domains (securityweek.com)
Slashdot reader wiredmikey writes: Threat actors are exploiting a vulnerability in shared content delivery network (CDN) infrastructure to hide connections to malicious domains. Researchers say the vulnerability could impact roughly 88 million domains and can bypass DNS filtering and protective DNS controls, potentially enabling stealthy command-and-control communications and other evasive attacks.
Dubbed "Underminr," the exploit "presents the SNI and HTTP Host of a domain," writes SecurityWeek, "while forcing a request to the IP address of another tenant on the same shared edge." The mismatch, ADAMnetworks reports, has been exploited in attacks targeting large-scale hosting providers, including those that have implemented mitigations against domain fronting...
Threat actors' increased reliance on AI is expected to lead to a surge in attacks. "Once Underminr becomes parametric information for AI-generated malware, we could expect to see it in every attack that needs to evade protective DNS as part of the attack chain," ADAMnetworks CEO David Redekop says.
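The summary above describes the mechanism in one sentence: the client presents the SNI and HTTP Host of one domain while opening the TCP connection to an edge IP that protective DNS handed out for a different tenant of the same CDN (any client that lets you pin the connect address, such as curl's --resolve, produces exactly that mismatch). The detection a defender wants is therefore a consistency check between what the protective DNS resolver answered and where TLS connections actually went. The following is an added example written for this page, not code from ADAMnetworks, SecurityWeek or the Slashdot submitter; the resolver log, flow records, hostnames and IP addresses are constructed, and visibility of the Host header assumes a TLS-inspecting proxy.

```python
"""Added example: flag TLS flows whose SNI/Host was never resolved by the
protective DNS resolver to the IP the client actually connected to.

The resolver log, flow records, names and IPs below are constructed for
illustration; this is not ADAMnetworks' or SecurityWeek's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed protective-DNS log for the same time window as the flows:
# name -> set of IPs the resolver answered with. A name the resolver
# refused (policy block) maps to an empty set; a name that was never
# queried has no entry at all.
RESOLVER_LOG: Dict[str, Set[str]] = {
    "www.shop.example": {"203.0.113.10", "203.0.113.11"},
    "cdn.news.example": {"203.0.113.10"},   # shares the edge IP with shop
    "c2.evil.example": set(),               # refused by protective DNS
}


@dataclass(frozen=True)
class TlsFlow:
    src: str
    dst_ip: str
    sni: str          # from the ClientHello (visible unless ECH is used)
    host_header: str  # assumption: a TLS-inspecting proxy logs the Host


@dataclass(frozen=True)
class Finding:
    flow: TlsFlow
    reason: str


def check_flow(flow: TlsFlow, resolver_log: Dict[str, Set[str]]) -> Optional[str]:
    """Return a reason if the flow is inconsistent with what DNS allowed, else None.

    Underminr-style evasion shows up as an SNI that protective DNS never
    resolved (or refused) while the client still reached an edge IP that
    some other, allowed name resolved to.
    """
    answers = resolver_log.get(flow.sni)
    if answers is None:
        return "sni_never_queried"             # client hard-coded the IP
    if not answers:
        return "sni_blocked_by_policy"         # DNS said no, TCP went anyway
    if flow.dst_ip not in answers:
        return "dst_ip_not_in_resolver_answers"
    if flow.host_header.lower() != flow.sni.lower():
        return "host_header_differs_from_sni"  # classic domain fronting
    return None


def scan(flows: List[TlsFlow], resolver_log: Dict[str, Set[str]]) -> List[Finding]:
    """Run check_flow over a batch and keep only the flagged flows."""
    findings: List[Finding] = []
    for flow in flows:
        reason = check_flow(flow, resolver_log)
        if reason:
            findings.append(Finding(flow, reason))
    return findings


# Constructed flow records from the same window as RESOLVER_LOG.
FLOWS: List[TlsFlow] = [
    TlsFlow("10.0.0.5", "203.0.113.10", "www.shop.example", "www.shop.example"),  # consistent
    TlsFlow("10.0.0.5", "203.0.113.10", "c2.evil.example", "c2.evil.example"),    # blocked name, tenant IP reused
    TlsFlow("10.0.0.7", "203.0.113.10", "unseen.example", "unseen.example"),      # never asked our resolver
    TlsFlow("10.0.0.9", "198.51.100.5", "cdn.news.example", "cdn.news.example"),  # IP our resolver never gave
    TlsFlow("10.0.0.9", "203.0.113.10", "www.shop.example", "cdn.news.example"),  # Host != SNI
]

if __name__ == "__main__":
    for finding in scan(FLOWS, RESOLVER_LOG):
        print(f"{finding.flow.src} -> {finding.flow.dst_ip} sni={finding.flow.sni}: {finding.reason}")
```

Two caveats matter in practice. The first two reasons (a name the resolver never saw, or refused, reaching an edge anyway) are the ones that isolate Underminr from ordinary CDN churn; the `dst_ip_not_in_resolver_answers` check must be run against the full set of answers the resolver gave during the window, not a fresh lookup, because anycast edges and short TTLs rotate addresses constantly. And the Host comparison only works with TLS interception, while Encrypted ClientHello removes the SNI from view entirely, in which case the resolver-versus-flow correlation is all that remains.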
The whole internet is full of backdoors (Score:3)
Re: (Score:3)
The internet basically is an untrustable medium now.
I can't recall anytime where I trusted the Internet.
Re: (Score:2)
Re: (Score:2)
proudly protected by CloudFlare? White supremacists are booted from CloudFlare immediately while a murder list calling for the assignation of +4500 journalists, hundreds of politicians, thousands of athletes is no problem for CloudFlare.
Pretty sure you don't mean "assignations [merriam-webster.com]" which can be delightful.
Do you mean this list [wikipedia.org], purportedly of "enemies of Ukraine"? If so, your "+4500" seems to be badly out of date. "On 7 May 2016, the website published the personal data of 4,508 journalists and other media members from all over the world", but Wikipedia says there were 187,000 names on the list as of 23 August 2019.
Or did you mean this list [npr.org], supposedly a Russian list of Ukrainians to be killed or captured? (From February, 2022, before the in
Trivial (Score:2)
Repeat after me (Score:2)
DNS is not secure. Internet IP addresses are not identities (for internal ones, YMMV). Do not rely on either.
Unsurprising, To Me. (Score:4, Insightful)
This is quite unsurprising to me. I've always regarded CDNs as a problem and more recently I've added the hyper scalers to the problem list.
DNS filtering is a waste of time when we have to trust massive blocks of IPs that should not be trusted and when DNS records can flux (change) instantly and constantly.
This is just one area where we seem to trust the infrastructure because we're stupid or no one has gotten around to exploiting obvious weaknesses, yet.
Don't even get me started on Docker repos and/or people's eagerness to # curl -fsSL https://randomshit.site/InstallUnknownSource.sh | bash
What the absolute fuck?
Re: (Score:2)
Right. A while back, CloudFlare was doing its "are you human" tests*. And then failing mid-test when it couldn't pull some stuff from an untrusted site (something like error-report.com, IIRC). Reason for the failure? That site had been identified by my (very conscientious) ISP as a malware source and blocked.
*Actually, more of an "are you running JavaScript, so our customers can upload some annoying tracking crap to your machine" test.