Cybercriminal actors [1] [4] [5] [6] [8], including a group of Russian hackers, have been exploiting a critical vulnerability within the Domain Name System (DNS) known as the ‘Sitting Ducks’ attack since at least 2019.
Description
This method targets DNS providers through lame delegation and insufficient validation of domain ownership [7], allowing attackers to claim domains without needing access to the legitimate owner’s account [2] [7]. The attack, first documented in 2016 by security researcher Matt Bryant, is easier to perform [4], more likely to succeed [4] [6], and harder to detect than other domain hijacking methods [4] [6] [7]. Researchers at Infoblox and Eclypsium have confirmed over 30,000 hijacked domains and estimate that there are more than one million exploitable domains.

The attack is made possible when a domain is registered with one authoritative DNS provider and configured to use a different DNS provider for name service [3], with lame delegation and exploitable DNS providers enabling the attack [3]. Lame delegation occurs when a name server lacks the information needed to provide authoritative DNS records for the domain [3], allowing attackers to register the assigned name server domain and gain control of all domains pointing to it [3]. Dangling DNS records and domain shadowing attacks are also exploited [3].

Recommendations for preventing the Sitting Ducks attack include ensuring DNS providers require domain ownership verification [7], monitoring for lame delegations [7], using an authoritative DNS provider independent of the domain registrar [3], checking for invalid name server delegation [3], and inquiring with DNS providers about mitigation measures [3]. Efforts are being made to implement solutions to prevent these attacks [1], such as domain verification systems [1]. Organizations are urged to check for vulnerable domains and use DNS providers with protection against Sitting Ducks [4]. The attack remains largely unknown and is entirely preventable, highlighting the need for coordinated efforts to address internet infrastructure insecurity [3].
Domain owners are advised to assess their risk [5], particularly for domains older than 10 years [5], and follow recommendations provided by researchers [5]. A recent investigation by Infoblox and Eclypsium has revealed a vulnerability in over a million domains [2], exposing them to the Sitting Ducks attack [2], exploited by cybercriminal groups linked to Russia [2]. This attack takes advantage of DNS weaknesses to hijack domains without needing access to the legitimate owner’s account [2]. Since 2018 [1] [2] [8], over 35,000 domains have been compromised using this technique [2], which remains largely unknown and unresolved [2] [4] [7]. Cybercriminals have weaponized hijacked domains for various malicious activities [2], including powering traffic distribution systems and propagating scams [2]. Organizations are advised to audit their domains for vulnerabilities and use DNS providers with safeguards against Sitting Ducks attacks to protect their brand and prevent domain misuse by cybercriminals [2]. Major cloud providers like AWS [6], Google [6], and DigitalOcean have also been targeted through this DNS vulnerability, further emphasizing the threat it poses to domain owners and to users interacting with affected sites online.
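The recommendations above (monitoring for lame delegations, checking for invalid name server delegation, and auditing one's own domains) all come down to the same defender-side check: for every name server the parent zone delegates a domain to, ask that server for the domain's SOA record and confirm it answers authoritatively. The following is an added example, not code from the original page or from the Infoblox or Eclypsium research. It runs fully offline against constructed replies; the `query` parameter is a pluggable hook so that, in practice, a real resolver (for example dnspython's UDP query functions) can be substituted. Zone names, name server hostnames and the reply table are all constructed placeholders.

```python
"""Lame-delegation audit helper (added example, runs offline).

A delegation is treated as lame when the delegated name server is
unreachable, refuses queries for the zone, or answers without the
AA (authoritative answer) flag. Any lame name server means the zone
is a candidate for the kind of takeover described in the article and
should be fixed or investigated before an attacker claims it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class NsReply:
    rcode: str            # DNS response code, e.g. "NOERROR", "REFUSED", "SERVFAIL"
    authoritative: bool   # whether the AA flag was set in the response header


# A query function takes (nameserver, zone) and returns the reply to an SOA
# query, or None when the server never answers (timeout / no such host).
QueryFn = Callable[[str, str], Optional[NsReply]]


def check_delegation(zone: str, delegated_ns: List[str], query: QueryFn) -> Dict[str, str]:
    """Return a per-name-server finding for one zone."""
    findings: Dict[str, str] = {}
    for ns in delegated_ns:
        reply = query(ns, zone)
        if reply is None:
            findings[ns] = "lame: no response (name server unreachable or its domain unregistered)"
        elif reply.rcode == "REFUSED":
            findings[ns] = "lame: server refuses the zone (no zone configured at the provider)"
        elif reply.rcode != "NOERROR" or not reply.authoritative:
            findings[ns] = f"lame: non-authoritative answer (rcode={reply.rcode}, aa={reply.authoritative})"
        else:
            findings[ns] = "ok: authoritative answer"
    return findings


def is_sitting_duck_candidate(findings: Dict[str, str]) -> bool:
    """True when at least one delegated name server is lame."""
    return any(v.startswith("lame") for v in findings.values())


def audit(delegations: Dict[str, List[str]], query: QueryFn) -> Dict[str, Dict[str, str]]:
    """Audit many zones at once: {zone: {nameserver: finding}}."""
    return {zone: check_delegation(zone, ns_list, query) for zone, ns_list in delegations.items()}


# --- Constructed sample data (placeholders, not real hosts) -------------------
# Delegations as they would be read from each zone's parent (the NS records).
SAMPLE_DELEGATIONS = {
    "healthy.example":  ["ns1.good-dns.example", "ns2.good-dns.example"],
    "victim.example":   ["ns1.provider.example", "ns2.provider.example"],
    "dangling.example": ["ns1.expired-ns.example"],
}

# How each (nameserver, zone) pair would respond to an SOA query.
SAMPLE_REPLIES = {
    ("ns1.good-dns.example", "healthy.example"): NsReply("NOERROR", True),
    ("ns2.good-dns.example", "healthy.example"): NsReply("NOERROR", True),
    # Provider hosts the name servers but has no zone for victim.example:
    ("ns1.provider.example", "victim.example"): NsReply("REFUSED", False),
    ("ns2.provider.example", "victim.example"): NsReply("REFUSED", False),
    # The name server's own domain lapsed, so nothing answers at all:
    ("ns1.expired-ns.example", "dangling.example"): None,
}


def sample_query(ns: str, zone: str) -> Optional[NsReply]:
    """Offline stand-in for a real SOA query against a name server."""
    return SAMPLE_REPLIES.get((ns, zone))


def run_sample_audit() -> Dict[str, bool]:
    """Map each sample zone to whether it is flagged as a takeover candidate."""
    report = audit(SAMPLE_DELEGATIONS, sample_query)
    return {zone: is_sitting_duck_candidate(f) for zone, f in report.items()}


if __name__ == "__main__":
    for zone, findings in audit(SAMPLE_DELEGATIONS, sample_query).items():
        flag = "FLAGGED" if is_sitting_duck_candidate(findings) else "ok"
        print(f"{zone}: {flag}")
        for ns, finding in findings.items():
            print(f"  {ns}: {finding}")
```

A delegation that is flagged here is not necessarily already hijacked; it means the zone is claimable by whoever can create it at the answering provider, or that the name server host itself no longer exists. Both cases are fixed on the owner's side by correcting the NS records at the registrar or re-establishing the zone at the provider, which is the "check for invalid name server delegation" step the article recommends.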
Conclusion
The Sitting Ducks attack poses a significant threat to internet security, with cybercriminals exploiting DNS vulnerabilities to hijack domains for malicious purposes. Organizations must take proactive measures to protect their domains and mitigate the risk of falling victim to this attack. Collaboration between domain owners, DNS providers [1] [2] [3] [4] [5] [7], and security researchers is essential to address the ongoing threat posed by the Sitting Ducks attack and safeguard the integrity of the internet infrastructure.
References
[1] https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/
[2] https://rhyno.io/blogs/cybersecurity-news/over-a-million-domains-exposed-to-hijacking/
[3] https://securityboulevard.com/2024/07/ducks-now-sitting-dns-internet-infrastructure-insecurity/
[4] https://thehackernews.com/2024/08/over-1-million-domains-at-risk-of.html
[5] https://www.darkreading.com/vulnerabilities-threats/sitting-ducks-attacks-create-hijacking-threat-for-domain-name-owners
[6] https://cyber.vumetric.com/security-news/2024/07/31/russia-takes-aim-at-sitting-ducks-domains-bags-30000/
[7] https://www.techradar.com/pro/security/russian-cybercriminals-are-hijacking-domain-names-with-thousands-of-sites-already-taken-over
[8] https://www.tweaktown.com/news/99672/russia-affiliated-criminals-use-sitting-duck-technique-to-bag-30-000-domains/index.html