A new type of DNS attack puts millions of domains at risk of malware and hijacking, a recent report finds.
A joint analysis by Infoblox and Eclypsium has uncovered that over a million domains are at risk of being hijacked through a potent cyberattack method known as the Sitting Ducks attack. This sophisticated attack vector exploits vulnerabilities in the domain name system (DNS) to allow malicious actors to stealthily take control of domains without accessing the legitimate owner’s account.
The Mechanics of a Sitting Ducks Attack
A Sitting Ducks attack involves cybercriminals hijacking a registered domain at an authoritative DNS service or web hosting provider without needing access to the legitimate owner’s account at either the DNS provider or registrar. This method is easier to execute, has a higher success rate, and is more challenging to detect compared to other known domain hijacking techniques, such as dangling CNAMEs.
Once a domain is hijacked, it can be exploited for various malicious purposes, including distributing malware and conducting spam campaigns, leveraging the trust associated with the legitimate owner.
Historical Context and Current Exploitation of the Sitting Ducks Attack
The technique was first detailed by The Hacker Blog in 2016, yet it remains a largely unknown and unresolved threat. Since 2018, more than 35,000 domains are estimated to have been compromised using this method. Infoblox’s vice president of threat intelligence, Dr. Renee Burton, noted the surprising lack of awareness about this threat among clients, who often inquire about dangling CNAME attacks but rarely about Sitting Ducks hijacks.
Contributing Factors and Attack Execution
The Sitting Ducks attack capitalizes on incorrect configurations at the domain registrar and insufficient ownership verification at the authoritative DNS provider. It also depends on a condition known as lame delegation, in which a nameserver listed as authoritative for a domain is unable to answer authoritatively for it. If the authoritative DNS service for a domain expires, an attacker can create an account with the provider, claim ownership, and ultimately impersonate the brand to distribute malware.
Dr. Burton further elaborated that there are multiple variations of the Sitting Ducks attack, including scenarios where a domain is registered and delegated but not configured at the provider.
This attack vector has been weaponized by numerous threat actors, including over a dozen Russian-nexus cybercriminal groups. The stolen domains have fueled multiple traffic distribution systems (TDSes) such as 404 TDS (aka Vacant Viper) and VexTrio Viper, and have been used in various malicious activities, including bomb threat hoaxes and sextortion scams, an activity cluster tracked as Spammy Bear.
Mitigation and Recommendations
To safeguard against Sitting Ducks attacks, organizations are advised to regularly audit their domain portfolios for lame delegations and ensure their DNS providers have robust protections against such exploits. Dr. Burton emphasized the importance of vigilance, advising organizations to check the domains they own to see if any are lame and to use DNS providers that offer protection against Sitting Ducks.
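The audit that both the "Contributing Factors" section and the recommendation above call for, checking whether each nameserver a domain is delegated to actually answers authoritatively, can be scripted. The following is an added example written for this page, not code from Infoblox, Eclypsium or the report; it uses only the Python standard library, builds a non-recursive SOA query by hand and inspects the AA bit and RCODE of the reply. The nameserver hostnames passed to audit_delegation are assumed to come from the registrar's delegation (the NS set held at the parent zone); the "example.net" names and the response bytes in offline_demo are constructed placeholders.

```python
"""Lame-delegation audit helper (added example, standard library only).

For each nameserver a domain is delegated to, send a SOA query with RD=0
and check whether the server answers authoritatively (AA bit set).  A
server that is listed in the delegation but replies REFUSED, NXDOMAIN or
without AA is lame for that zone, the precondition a Sitting Ducks
takeover needs.
"""
import random
import socket
import struct

# DNS header flag masks and response codes (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000      # message is a response
FLAG_AA = 0x0400      # authoritative answer
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_soa_query(domain: str, txid: int) -> bytes:
    """SOA query with all flags clear (RD=0): we want the server's own
    authority for the zone, not a recursively fetched or cached answer."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    return header + question


def classify_response(expected_txid: int, payload: bytes) -> str:
    """Classify a raw reply from a delegated nameserver.

    'authoritative' NOERROR with AA set: the server really serves the zone
    'refused'       REFUSED: the usual reply from a provider that has no
                    zone configured for the name (lame delegation)
    'lame'          NXDOMAIN, or NOERROR without AA: listed but not serving
    'error'         any other RCODE (e.g. SERVFAIL)
    'invalid'       truncated, wrong transaction id, or not a response
    """
    if len(payload) < 12:
        return "invalid"
    txid, flags = struct.unpack("!HH", payload[:4])
    if txid != expected_txid or not flags & FLAG_QR:
        return "invalid"
    rcode = flags & RCODE_MASK
    if rcode == RCODE_NOERROR and flags & FLAG_AA:
        return "authoritative"
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "lame"
    return "error"


def query_nameserver(domain: str, ns_host: str, timeout: float = 3.0) -> str:
    """Send one SOA query over UDP to a nameserver and classify the reply."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        ns_ip = socket.gethostbyname(ns_host)
        sock.sendto(build_soa_query(domain, txid), (ns_ip, 53))
        data, _ = sock.recvfrom(4096)
    except OSError:            # timeout, resolution failure, ICMP unreachable
        return "unreachable"
    finally:
        sock.close()
    return classify_response(txid, data)


def audit_delegation(domain: str, delegated_ns: list) -> dict:
    """Query every nameserver in the domain's delegation and report the
    per-server status.  Anything other than 'authoritative' deserves a
    look: fix the delegation or re-create the zone at the provider."""
    return {ns: query_nameserver(domain, ns) for ns in delegated_ns}


def constructed_response(txid: int, flags: int) -> bytes:
    """Minimal 12-byte response header; a constructed sample, not captured traffic."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def offline_demo() -> dict:
    """Run the classifier over constructed replies so the logic can be
    exercised without network access."""
    txid = 0x1234
    samples = {
        "healthy":    constructed_response(txid, FLAG_QR | FLAG_AA),
        "refused":    constructed_response(txid, FLAG_QR | RCODE_REFUSED),
        "nxdomain":   constructed_response(txid, FLAG_QR | RCODE_NXDOMAIN),
        "non-auth":   constructed_response(txid, FLAG_QR),
        "spoofed-id": constructed_response(txid ^ 1, FLAG_QR | FLAG_AA),
    }
    return {name: classify_response(txid, raw) for name, raw in samples.items()}


if __name__ == "__main__":
    print(offline_demo())
    # Live audit (needs network); nameserver names below are placeholders.
    # print(audit_delegation("example.com", ["ns1.example.net", "ns2.example.net"]))
```

Run it periodically against every domain in the portfolio, and treat "refused" or "lame" for a nameserver that the registrar still lists as the signal to act before anyone else claims the zone at that provider.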
As this attack technique continues to evolve and exploit DNS vulnerabilities, it is crucial for domain owners and cybersecurity professionals to stay informed and implement proactive measures to protect their digital assets.