Attack Surface Discovery: We Found 47 Forgotten Subdomains — 12 Were Vulnerable
May 25, 2025
Outcome
47 unknown subdomains discovered; 12 critical vulnerabilities identified; 3 shadow IT systems decommissioned.
Background
A regional bank's IT team believed they had a comprehensive inventory of their external-facing assets. As part of an annual security assessment, they engaged TraxinteL for an external attack surface audit.
Investigation Methodology
- DNS Enumeration: We performed comprehensive subdomain enumeration using passive DNS databases, certificate transparency logs, and historical DNS records.
- Service Fingerprinting: All discovered domains and subdomains were scanned for running services, software versions, and configuration details.
- Vulnerability Assessment: Identified services were cross-referenced against known vulnerability databases for exploitable weaknesses.
Key Findings
- 47 subdomains were discovered that were not in the bank's asset inventory — remnants of old projects, test environments, and shadow IT deployments.
- 12 of these subdomains had critical vulnerabilities: outdated WordPress installations, exposed admin panels, and unpatched web servers.
- 3 subdomains were running unauthorized SaaS platforms deployed by individual departments without IT approval.
- One subdomain hosted a forgotten development environment containing a copy of the production customer database from 2022.
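The inventory gap described above can be checked continuously by reconciling certificate-transparency names against the asset inventory. The sketch below is an added example, not TraxinteL's tooling; the record field `name_value`, the `bank.example` domain, and all sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample: certificate-transparency search results for one apex domain.
# The field name "name_value" (newline-separated SAN entries) is an assumption.
CT_EXPORT = json.dumps([
    {"name_value": "www.bank.example\nbank.example"},
    {"name_value": "*.dev.bank.example\nDev-Portal.bank.example."},
    {"name_value": "blog-old.bank.example"},
    {"name_value": "cdn.partner.example"},   # out of scope: different apex
    {"name_value": "notbank.example"},       # out of scope: suffix lookalike
])
# Constructed sample: the organisation's recorded external assets.
INVENTORY = ["bank.example", "WWW.bank.example", "online.bank.example"]

def normalize(name):
    """Lower-case, strip whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")

def in_scope(name, apex):
    """True only for the apex itself or a real subdomain of it."""
    return name == apex or name.endswith("." + apex)

def reconcile(ct_json, inventory, apex):
    """Compare names seen in CT records with the recorded inventory."""
    apex = normalize(apex)
    known = {normalize(n) for n in inventory}
    seen, wildcards = set(), set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").splitlines():
            name = normalize(raw)
            if not name:
                continue
            if name.startswith("*."):
                base = name[2:]  # wildcard certs hide the actual host names
                if in_scope(base, apex):
                    wildcards.add(base)
            elif in_scope(name, apex):
                seen.add(name)
    return {
        "unknown": sorted(seen - known),         # exposed but not inventoried
        "unobserved": sorted(known - seen),      # inventoried, absent from this source
        "wildcard_zones": sorted(wildcards),     # review these zones in authoritative DNS
    }

if __name__ == "__main__":
    print(json.dumps(reconcile(CT_EXPORT, INVENTORY, "bank.example"), indent=2))
```

Names under `unknown` are the candidates for service fingerprinting and triage; `wildcard_zones` marks places where certificate logs alone cannot enumerate hosts.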
Outcome
All 47 subdomains were cataloged and triaged. The 12 vulnerable systems were patched or decommissioned within 72 hours. The exposed development database was immediately secured and wiped. Total investigation time: 1 week.