
More than 1 Million Domains Vulnerable to ‘Sitting Ducks’ Domain Hijacking Technique

Over a million domains are at risk of being targeted in a malicious attack known as Sitting Ducks.

A collaborative analysis by Infoblox and Eclypsium has exposed how more than a dozen Russian-linked cybercriminal groups are using this powerful attack to hijack domains stealthily by exploiting vulnerabilities in the domain name system (DNS).

The researchers described the attack as follows: “In a Sitting Ducks attack, the perpetrator seizes a registered domain at an authoritative DNS service or web hosting provider without needing access to the true owner’s account at either the DNS provider or registrar.”

This attack is easier to execute, has a higher chance of success, and is harder to detect compared to other well-known domain hijacking techniques such as dangling CNAMEs.

Once a domain is compromised, threat actors can use it for various malicious activities like serving malware and sending spam emails, taking advantage of the credibility associated with the legitimate domain owner.

The details of this “insidious” attack method were first revealed in 2016 by The Hacker Blog, but it remains largely unknown and unresolved. It is estimated that over 35,000 domains have been hijacked since 2018.

“We often get inquiries from potential clients about dangling CNAME attacks, but the Sitting Ducks hijack is still a mystery to many,” said Dr. Renee Burton, vice president of threat intelligence at Infoblox.

The vulnerability stems from misconfiguration at both the domain registrar and the authoritative DNS provider, combined with a nameserver that cannot give authoritative responses for the domain delegated to it (a condition known as lame delegation).

The attack also relies on exploitable vulnerabilities in the authoritative DNS provider, enabling the attacker to claim domain ownership without accessing the legitimate owner’s registrar account.

If the domain's authoritative DNS service expires, the threat actor can create an account with that provider, claim the domain, and impersonate the legitimate brand to distribute malware.
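A defender-side check for the lame-delegation condition described above, added here as an example and not part of this article or the Infoblox/Eclypsium research: it sends a non-recursive SOA query to a nameserver address and classifies the reply from the DNS header flags, so a domain whose delegated servers answer REFUSED/SERVFAIL or without the AA bit can be flagged for review. The nameserver IPs are assumed to come from the parent zone's NS records; the sample response bytes in the comments are constructed.

```python
import socket
import struct

DNS_TYPE_SOA = 6
DNS_CLASS_IN = 1


def build_soa_query(name, txid=0x1234):
    """Build a minimal wire-format SOA query with RD=0 (no recursion)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", DNS_TYPE_SOA, DNS_CLASS_IN)


def classify_response(resp):
    """Classify a raw DNS reply. Only the 12-byte header is needed.

    Constructed examples:
      b"\\x12\\x34\\x84\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00" -> authoritative
      b"\\x12\\x34\\x80\\x05\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00" -> lame:refused
    """
    if len(resp) < 12:
        return "error:short"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    authoritative = bool(flags & 0x0400)  # AA bit
    if rcode == 5:
        return "lame:refused"        # provider does not serve this zone at all
    if rcode == 2:
        return "lame:servfail"       # zone delegated but not loaded/configured
    if rcode == 3:
        return "nxdomain"            # server claims the name does not exist
    if rcode == 0 and authoritative and ancount > 0:
        return "authoritative"       # healthy delegation
    return "lame:not_authoritative"  # NOERROR but no AA: not serving the zone


def check_nameserver(domain, ns_ip, timeout=3.0):
    """Query one delegated nameserver directly and classify its answer."""
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_soa_query(domain, txid), (ns_ip, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    if len(resp) < 2 or struct.unpack("!H", resp[:2])[0] != txid:
        return "error:txid_mismatch"
    return classify_response(resp)
```

Run `check_nameserver("yourdomain.example", "<ns-ip>")` (placeholder values) for every NS your parent zone publishes; any result other than "authoritative" deserves a look at the registrar and DNS-provider configuration.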

“There are different versions of Sitting Ducks, including scenarios where a domain is registered and delegated but not configured,” Burton explained.

Various threat actors have weaponized the Sitting Ducks attack, using stolen domains to power traffic distribution systems like 404 TDS and VexTrio Viper, as well as to spread bomb threats and extortion scams.

Organizations are urged to review their domains for vulnerabilities and use DNS providers that offer protection against Sitting Ducks attacks, according to Burton.
