Above 1 Million Domains Vulnerable to ‘Sitting Ducks’ Domain Hijack Technique

Aug 01, 2024Ravie LakshmananVulnerability / Threat Intelligence

More than a million domains are at risk of being taken over by malicious entities using what is known as a Sitting Ducks technique.


The potent attack approach, which capitalizes on vulnerabilities in the domain name system (DNS), is currently being abused by multiple Russian-associated cybercriminal groups to clandestinely seize control of domains, as per a collaborative study published by Infoblox and Eclypsium.

“In a Sitting Ducks attack, perpetrators take control of a domain already registered at an authoritative DNS service or web hosting provider without requiring access to the legitimate owner’s account at either the DNS provider or registrar,” stated the researchers.

“Sitting Ducks is a less complicated and more likely to succeed attack method, which also makes it harder to detect compared to other widely known domain hijacking strategies, such as dangling CNAMEs.”


Once a domain is illicitly taken over by threat actors, they can exploit it for malicious purposes such as distributing malware and engaging in spam activities, thereby capitalizing on the trust associated with the legitimate owner.

Information about this “insidious” attack methodology was originally detailed by The Hacker Blog in 2016, but it remains largely undisclosed and unresolved to this day. It is estimated that more than 35,000 domains have been hijacked since 2018.

“It remains a puzzle to us,” commented Dr. Renee Burton, who serves as the vice president of threat intelligence at Infoblox, to The Hacker News. “While we often receive inquiries from potential clients regarding dangling CNAME attacks, which are essentially hijacks of overlooked records, we have never encountered a query about a Sitting Ducks hijack.”

The crux of the issue lies in the incorrect setup at the domain registrar and the inadequate validation of ownership at the authoritative DNS provider, compounded by the fact that the nameserver is unable to give authoritative responses for a domain it is designated to manage (i.e., lame delegation).

Furthermore, the authoritative DNS provider itself must be exploitable, meaning the attacker can stake a claim to the domain at the assigned authoritative DNS provider without having access to the genuine owner’s account at the domain registrar.

In such a scenario, if the authoritative DNS service for the domain lapses, the malicious actor could register an account with the provider and assert ownership of the domain, eventually assuming the identity of the brand connected to the domain to distribute malware.

“There exist several variations [of Sitting Ducks], including cases where a domain is registered, delegated, yet not configured at the provider,” Burton pointed out.

Over the years, the Sitting Ducks attack has been weaponized by diverse threat groups, with the stolen domains being utilized to power various traffic distribution systems (TDSes) such as 404 TDS (also known as Vacant Viper) and VexTrio Viper. It has also been leveraged to disseminate bomb threat hoaxes and sextortion scams, with this cluster of activities being tracked as Spammy Bear.

“Enterprises should inspect the domains they own for any instances of lame configuration and opt for DNS providers offering safeguards against Sitting Ducks,” recommended Burton.
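The precondition described above (a delegated nameserver that cannot answer authoritatively for the zone, i.e. lame delegation) and Burton's recommendation to inspect owned domains for it can be turned into a concrete check. The following is an added example, not code from the article or from the Infoblox/Eclypsium report: it reduces each delegated nameserver's reply to an SOA query to a verdict and rates the domain's delegation as a whole. The `dig` outputs, domain and nameserver names are constructed placeholders; in practice the replies come from running `dig +norecurse @<nameserver> SOA <domain>` against every nameserver the parent zone hands out. Whether the provider then allows a stranger to claim the unserved zone is a property of that provider and is not visible to this check.

```python
"""Lame-delegation check for the Sitting Ducks precondition (added example)."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    AUTHORITATIVE = "authoritative"  # NOERROR, AA bit set, SOA for the zone returned
    LAME = "lame"                    # delegated for the zone, but not serving it
    UNREACHABLE = "unreachable"      # no reply; re-check before drawing conclusions


@dataclass(frozen=True)
class NsResponse:
    """What one nameserver replied to `SOA <domain>` (constructed stand-in)."""
    rcode: Optional[str]    # "NOERROR", "REFUSED", "SERVFAIL", ...; None on timeout
    aa: bool = False        # Authoritative Answer bit
    has_soa: bool = False   # an SOA record for the queried apex was in the answer


def parse_dig(text: str, domain: str) -> NsResponse:
    """Reduce dig's text output to the three fields the check needs."""
    if "->>HEADER<<-" not in text:          # "connection timed out; ..." and the like
        return NsResponse(rcode=None)
    rcode = re.search(r"status:\s*([A-Z]+)", text).group(1)
    flags_m = re.search(r"^;; flags:\s*([^;]*);", text, re.M)
    flags = flags_m.group(1).split() if flags_m else []
    # Answer-section lines look like "<apex>. <ttl> IN SOA ...", unlike the
    # ';'-prefixed question line, which carries no TTL.
    soa_re = rf"^{re.escape(domain)}\.?\s+\d+\s+IN\s+SOA\b"
    has_soa = re.search(soa_re, text, re.M | re.I) is not None
    return NsResponse(rcode=rcode, aa="aa" in flags, has_soa=has_soa)


def classify(resp: Optional[NsResponse]) -> Verdict:
    if resp is None or resp.rcode is None:
        return Verdict.UNREACHABLE
    if resp.rcode == "NOERROR" and resp.aa and resp.has_soa:
        return Verdict.AUTHORITATIVE
    # REFUSED/SERVFAIL, NXDOMAIN for the apex, or an answer without the AA
    # bit (no such zone loaded on that server) all mean the delegation is lame.
    return Verdict.LAME


def assess_domain(delegation, responses):
    """delegation: NS names the parent zone hands out (what the registrar set);
    responses: NS name -> NsResponse, or missing/None when the query timed out.
    Returns (status, {ns: Verdict})."""
    verdicts = {ns: classify(responses.get(ns)) for ns in delegation}
    lame = [ns for ns, v in verdicts.items() if v is Verdict.LAME]
    unreachable = [ns for ns, v in verdicts.items() if v is Verdict.UNREACHABLE]
    if lame and len(lame) == len(delegation):
        status = "fully-lame"      # nobody serves the zone: the Sitting Ducks precondition
    elif lame:
        status = "partially-lame"  # still worth fixing; resolvers will sometimes hit the lame server
    elif unreachable:
        status = "recheck"
    else:
        status = "healthy"
    return status, verdicts


# Constructed sample: a brand domain delegated to a provider where the zone no
# longer exists, so both delegated servers answer REFUSED. Names are placeholders.
DOMAIN = "brand-example.test"
DELEGATION = ["ns1.dnsprovider.test", "ns2.dnsprovider.test"]

DIG_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;brand-example.test.		IN	SOA
"""

DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;brand-example.test.		IN	SOA

;; ANSWER SECTION:
brand-example.test.	3600	IN	SOA	ns1.dnsprovider.test. hostmaster.brand-example.test. 2024080101 7200 3600 1209600 3600
"""

DIG_TIMEOUT = ";; connection timed out; no servers could be reached\n"

CAPTURED = {"ns1.dnsprovider.test": DIG_REFUSED, "ns2.dnsprovider.test": DIG_REFUSED}


def demo():
    """Run the check over the constructed capture; returns (status, verdicts)."""
    responses = {ns: parse_dig(out, DOMAIN) for ns, out in CAPTURED.items()}
    return assess_domain(DELEGATION, responses)


if __name__ == "__main__":
    status, verdicts = demo()
    print(DOMAIN, status)
    for ns, v in verdicts.items():
        print(f"  {ns}: {v.value}")
```

A domain rated `fully-lame` is exactly the state the report describes: the registrar still points the world at a provider that no longer answers for the zone. `partially-lame` domains deserve the same cleanup, and `recheck` results should be re-queried before acting, since a single timeout is not evidence of lameness. The `+norecurse` flag matters when collecting the real replies: a server that recurses on the client's behalf can return a non-authoritative answer that would otherwise mask a missing zone.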
