Over 1 Million Domains Vulnerable to New ‘Sitting Ducks’ Domain Hijacking Technique


The cybersecurity landscape has been shaken by a newly identified threat targeting over a million domains. Known as the Sitting Ducks attack, this technique exploits vulnerabilities in the domain name system (DNS), allowing cybercriminals to hijack domains without accessing the true owner’s account. A joint analysis by Infoblox and Eclypsium has revealed that over a dozen cybercriminal groups with Russian connections are actively leveraging this powerful attack vector.

What is the Sitting Ducks Attack?

The Sitting Ducks attack represents a sophisticated and stealthy method for domain hijacking. Unlike traditional domain hijacking techniques that require access to the domain owner’s account at a DNS provider or registrar, the Sitting Ducks method bypasses this necessity entirely. According to the researchers from Infoblox and Eclypsium, “In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner’s account at either the DNS provider or registrar.”

Why is it Dangerous?

Once a domain has been commandeered by an attacker, it can be exploited for various malicious activities. These include serving malware, conducting spam campaigns, and generally abusing the trust associated with the legitimate owner. This makes the Sitting Ducks attack particularly dangerous as it is not only easier to perform and more likely to succeed than other well-known domain hijacking techniques, but it is also significantly harder to detect.

Historical Context and Current Impact

The concept of the Sitting Ducks attack is not new. It was first documented by The Hacker Blog in 2016. Despite this, the attack vector has remained largely unknown and unresolved. Since 2018, it is estimated that more than 35,000 domains have been hijacked using this method.

Dr. Renee Burton, Vice President of Threat Intelligence at Infoblox, expressed surprise at the lack of awareness about this attack. “It is a mystery to us. We frequently receive questions from prospective clients, for example, about dangling CNAME attacks which are also a hijack of forgotten records, but we have never received a question about a Sitting Ducks hijack,” she told The Hacker News.

Technical Details

At the heart of the Sitting Ducks attack is a misconfiguration spanning the domain registrar and the authoritative DNS provider. The attack exploits a situation known as lame delegation, in which a nameserver listed as authoritative for a domain is unable to answer authoritatively for it. When this is coupled with an exploitable authoritative DNS provider, an attacker can claim ownership of the domain without needing access to the valid owner’s account at the registrar.

If the authoritative DNS service for a domain expires, a threat actor can create an account with the provider and claim ownership of the domain. This allows them to impersonate the brand behind the domain, potentially distributing malware or conducting other malicious activities.


Real-World Implications

The Sitting Ducks attack has been weaponized by various threat actors, with stolen domains fueling multiple traffic distribution systems (TDSes) such as 404 TDS (also known as Vacant Viper) and VexTrio Viper. These systems have been used for distributing bomb threat hoaxes and sextortion scams, among other nefarious activities.

Mitigation Strategies

To protect against the Sitting Ducks attack, organizations need to take proactive measures. Dr. Burton advises organizations to check the domains they own to identify any that are improperly configured. “Organizations should check the domains they own to see if any are lame and they should use DNS providers that have protection against Sitting Ducks,” she said.

Ensuring that the authoritative DNS provider has robust security measures in place is critical. This includes using DNS providers that can protect against such vulnerabilities and regularly auditing DNS configurations to prevent exploitation.
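The lame-delegation condition described under Technical Details is also the thing to audit for under Mitigation Strategies: for every domain you own, each nameserver that the parent zone delegates to should answer authoritatively for the zone. The script below is an added example, not code from the article or from Infoblox or Eclypsium. It uses only the Python standard library: it builds a minimal non-recursive SOA query, sends it to each delegated nameserver, reads the AA flag and RCODE from the reply, and classifies the delegation as ok, partially lame, or lame. The domain and nameserver names in the sample data are constructed placeholders, and the probe results for them are constructed rather than live, so the classification logic can run offline; `probe_nameserver` performs the real network query when you point it at your own domains.

```python
"""Flag lame delegations for domains you own (added example, stdlib only).

A nameserver is treated as lame for a zone when it is unreachable, returns a
non-NOERROR RCODE (for instance REFUSED because the provider no longer hosts
the zone), or answers without the AA (authoritative answer) flag. Any such
domain should then be checked against the provider's account/claim process.
"""
from __future__ import annotations

import secrets
import socket
import struct
from dataclasses import dataclass

RCODE_NOERROR = 0
RCODE_REFUSED = 5
QTYPE_SOA = 6
QCLASS_IN = 1


@dataclass
class NsProbe:
    nameserver: str      # hostname of the delegated nameserver
    reachable: bool      # False if no reply arrived before the timeout
    rcode: int           # RCODE from the DNS header (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED)
    authoritative: bool  # AA flag set in the reply


def build_query(name: str, txid: int, qtype: int = QTYPE_SOA) -> bytes:
    """Build a minimal DNS query with RD clear, so the server must answer from its own zone data."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, QCLASS_IN)


def parse_header(response: bytes) -> tuple[int, int, bool]:
    """Return (txid, rcode, aa_flag) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!2H", response[:4])
    return txid, flags & 0x000F, bool(flags & 0x0400)


def probe_nameserver(ns_host: str, domain: str, timeout: float = 3.0) -> NsProbe:
    """Send the zone's SOA query to one delegated nameserver over UDP (live network call)."""
    txid = secrets.randbits(16)
    query = build_query(domain, txid)
    try:
        ns_ip = socket.gethostbyname(ns_host)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (ns_ip, 53))
            while True:  # discard replies whose transaction id does not match ours
                data, _ = sock.recvfrom(4096)
                rid, rcode, aa = parse_header(data)
                if rid == txid:
                    return NsProbe(ns_host, True, rcode, aa)
    except (OSError, ValueError):
        return NsProbe(ns_host, False, -1, False)


def is_lame(probe: NsProbe) -> bool:
    """Lame unless the server replied NOERROR with the AA flag set."""
    return not probe.reachable or probe.rcode != RCODE_NOERROR or not probe.authoritative


def audit_delegation(domain: str, probes: list[NsProbe]) -> dict:
    """Summarise the probes for one domain: ok, partially-lame, lame, or no-nameservers."""
    lame = [p.nameserver for p in probes if is_lame(p)]
    if not probes:
        status = "no-nameservers"
    elif len(lame) == len(probes):
        status = "lame"
    elif lame:
        status = "partially-lame"
    else:
        status = "ok"
    return {"domain": domain, "status": status, "lame_nameservers": lame}


# Constructed sample results (not live data) for two hypothetical domains.
SAMPLE_PROBES = {
    "example-shop.test": [
        NsProbe("ns1.example-dns.test", True, RCODE_NOERROR, True),
        NsProbe("ns2.example-dns.test", True, RCODE_NOERROR, True),
    ],
    "old-campaign.test": [  # provider stopped hosting the zone: REFUSED, no AA
        NsProbe("ns1.expired-provider.test", True, RCODE_REFUSED, False),
        NsProbe("ns2.expired-provider.test", True, RCODE_REFUSED, False),
    ],
}


def run_sample_audit() -> dict:
    """Run the classifier over the constructed sample, keyed by domain."""
    return {d: audit_delegation(d, p) for d, p in SAMPLE_PROBES.items()}


if __name__ == "__main__":
    for domain, result in run_sample_audit().items():
        print(f"{domain}: {result['status']} (lame: {', '.join(result['lame_nameservers']) or 'none'})")
```

To audit real domains, obtain the NS set the parent zone delegates to (for example from your registrar's control panel), call `probe_nameserver(ns, domain)` for each, and feed the list to `audit_delegation`. A domain reported as lame or partially lame is the case the article describes: if the provider behind those nameservers lets a new account claim the zone, the domain is exposed, and the fix is to move it to a provider that still serves it and verifies ownership before accepting a zone.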

Conclusion

The Sitting Ducks attack is a reminder of the ever-evolving nature of cyber threats and the importance of vigilance in cybersecurity practices. With over a million domains potentially at risk, understanding and mitigating this threat is crucial for maintaining the integrity and security of the internet. As cybercriminals continue to refine their techniques, staying informed and prepared is the best defense against such sophisticated attacks.


5 thoughts on “Over 1 Million Domains Vulnerable to New ‘Sitting Ducks’ Domain Hijacking Technique”

  1. Usually I do not read articles on blogs; however, I would like to say that this write-up very much compelled me to take a look at it and do it. Your writing style has amazed me. Thank you, very nice article.

  2. My brother recommended I might like this web site. He was totally right. This post actually made my day. You cannot imagine just how much time I had spent for this information. Thanks.

  3. Temp mail I’m often to blogging and I really appreciate your content. The article has actually piqued my interest. I’m going to bookmark your web site and maintain checking for brand spanking new information.

  4. Nice blog here. Also, your site loads up fast. What host are you using? Can I get your affiliate link to your host? I wish my web site loaded up as quickly as yours, lol.
