Cyber security news for all

Over One Million Domains Vulnerable to ‘Sitting Ducks’ Domain Hijacking Technique

Over one million domains are at risk of being hijacked by cybercriminals through a newly highlighted attack vector known as the “Sitting Ducks” technique. This attack exploits weaknesses in the domain name system (DNS), allowing attackers to take over domains without needing access to the legitimate owner’s account at the DNS provider or registrar.

A recent joint analysis by Infoblox and Eclypsium has exposed that more than a dozen Russian-affiliated cybercriminal groups are currently using this method to stealthily hijack domains. The “Sitting Ducks” technique is considered easier to execute, more successful, and harder to detect than other domain hijacking methods, such as those involving dangling CNAME records.

Once a domain is hijacked, attackers can use it for malicious activities like distributing malware or conducting spam campaigns, leveraging the trust associated with the original domain owner.

This insidious attack method was first documented by The Hacker Blog in 2016 but remains largely unaddressed today. Since 2018, over 35,000 domains have reportedly been hijacked using this technique.

Dr. Renee Burton, vice president of threat intelligence at Infoblox, commented, “It’s puzzling that we often get inquiries about dangling CNAME attacks, but not about the Sitting Ducks hijack.”

The attack exploits misconfigurations at domain registrars and authoritative DNS providers, especially when a nameserver cannot authoritatively respond for a domain it is supposed to serve, leading to a situation known as lame delegation. If an authoritative DNS service for a domain expires, attackers can exploit this vulnerability by creating an account with the provider and claiming ownership, impersonating the domain’s legitimate brand to spread malware.

Burton explained, “There are several variations of the Sitting Ducks technique, including cases where a domain is registered, delegated, but not configured at the provider.”

The hijacked domains have been used by various threat actors to fuel traffic distribution systems (TDSes) like 404 TDS (also known as Vacant Viper) and VexTrio Viper. These domains have also been used to spread bomb threat hoaxes and sextortion scams.

To protect against this threat, organizations should review their domain configurations to ensure none are vulnerable to lame delegation and choose DNS providers with protections against Sitting Ducks attacks, Burton advised.
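The review Burton recommends comes down to one question per domain: does every nameserver the registrar delegates to actually answer authoritatively for that domain? The script below is an added example written for this article, not code from Infoblox, Eclypsium or the original report. It asks each delegated nameserver directly for the domain's SOA record (recursion disabled, so a forwarding server cannot mask a missing zone) and flags the lame-delegation states the article describes: the nameserver host no longer resolves, the server refuses or fails the query, or it answers without the authoritative flag. The parser and classifier are pure functions and run offline on constructed `dig` output; only `query_soa_with_dig` shells out to the real `dig` tool. The domain `example.test` and the `ns*.provider.test` hosts are constructed placeholders, and the nameserver list is assumed to come from the registrar or the parent zone (for example `dig NS yourdomain +short`).

```python
"""Lame-delegation check for the Sitting Ducks condition (added example).

A domain is exposed when the registrar delegates it to nameservers that do
not answer authoritatively for it: the hosted zone expired, was deleted, or
was never configured.  Names below are constructed placeholders."""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NsResult:
    nameserver: str
    resolved: bool        # the nameserver hostname resolved to an address
    rcode: Optional[str]  # rcode of the SOA reply, None if nothing came back
    aa: bool              # authoritative-answer flag set in the reply
    has_soa: bool         # an SOA record for the queried domain was returned


def parse_dig_output(nameserver: str, domain: str, out: str) -> NsResult:
    """Parse `dig @ns domain SOA +norecurse +noall +comments +answer` text."""
    if "couldn't get address" in out:
        return NsResult(nameserver, False, None, False, False)
    if "no servers could be reached" in out:
        return NsResult(nameserver, True, None, False, False)
    rcode, aa, has_soa = None, False, False
    want = domain.rstrip(".").lower()
    for line in out.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            for part in line.split(","):
                key, _, value = part.strip().partition(":")
                if key == "status":
                    rcode = value.strip()
        elif line.startswith(";; flags:"):
            aa = "aa" in line[len(";; flags:"):].split(";", 1)[0].split()
        elif line and not line.startswith(";"):
            f = line.split()
            if len(f) >= 4 and f[3] == "SOA" and f[0].rstrip(".").lower() == want:
                has_soa = True
    return NsResult(nameserver, True, rcode, aa, has_soa)


def classify_ns(r: NsResult) -> str:
    """Map one nameserver's reply to 'ok' or a 'lame:<reason>' label."""
    if not r.resolved:
        return "lame:nameserver-unresolvable"
    if r.rcode is None:
        return "lame:no-response"
    if r.rcode in ("REFUSED", "SERVFAIL", "NXDOMAIN"):
        return "lame:" + r.rcode.lower()
    if not r.aa or not r.has_soa:
        return "lame:non-authoritative"   # answered, but not as zone owner
    return "ok"


def classify_delegation(results: List[NsResult]) -> Dict[str, object]:
    """Overall verdict: every delegated server must answer authoritatively."""
    per_ns = {r.nameserver: classify_ns(r) for r in results}
    lame = [ns for ns, v in per_ns.items() if v != "ok"]
    if not results:
        verdict = "no-nameservers"
    elif len(lame) == len(results):
        verdict = "fully-lame"        # the classic Sitting Ducks state
    elif lame:
        verdict = "partially-lame"    # some resolvers will still hit a lame NS
    else:
        verdict = "healthy"
    return {"verdict": verdict, "per_nameserver": per_ns}


def query_soa_with_dig(domain: str, nameserver: str, timeout: int = 5) -> NsResult:
    """Live query of one delegated nameserver; needs `dig` and network access."""
    proc = subprocess.run(
        ["dig", "@" + nameserver, domain, "SOA", "+norecurse", "+noall",
         "+comments", "+answer", "+time=%d" % timeout, "+tries=1"],
        capture_output=True, text=True, check=False)
    return parse_dig_output(nameserver, domain, proc.stdout + proc.stderr)


# Constructed dig outputs standing in for live replies from three delegated
# nameservers: healthy, provider account lapsed (REFUSED), host gone entirely.
SAMPLE_OUTPUTS = {
    "ns1.provider.test": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        "\n;; ANSWER SECTION:\n"
        "example.test.\t\t3600\tIN\tSOA\tns1.provider.test. "
        "hostmaster.example.test. 2024080101 7200 900 1209600 3600\n"),
    "ns2.provider.test": (
        ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243\n"
        ";; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"),
    "ns3.provider.test": ";; couldn't get address for 'ns3.provider.test': not found\n",
}


def audit_sample() -> Dict[str, object]:
    """Run the classifier over the constructed replies for example.test."""
    return classify_delegation(
        [parse_dig_output(ns, "example.test", out) for ns, out in SAMPLE_OUTPUTS.items()])


if __name__ == "__main__":
    import json, sys
    if len(sys.argv) >= 3:   # usage: script.py DOMAIN NS1 [NS2 ...]
        live = [query_soa_with_dig(sys.argv[1], ns) for ns in sys.argv[2:]]
        print(json.dumps(classify_delegation(live), indent=2))
    else:
        print(json.dumps(audit_sample(), indent=2))
```

Run with a domain and its delegated nameservers to audit a real zone, or with no arguments to see the constructed sample, which reports `partially-lame`: `ns1` is fine, `ns2` refuses the query (the zone is no longer configured at the provider), and `ns3` no longer resolves. A `fully-lame` verdict, or any `lame:` label on a server that a provider lets new customers claim without proof of ownership, is the condition to fix, by configuring the zone at the provider or by pointing the delegation at nameservers the organization controls.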
