A recent joint analysis by cybersecurity firms Infoblox and Eclypsium has unveiled a concerning vulnerability in the domain name system (DNS), leading to what is known as a Sitting Ducks attack. This potent attack vector, exploited by numerous Russian-linked cybercriminal groups, enables the stealthy hijacking of domains without accessing the legitimate owner’s accounts at DNS providers or registrars.
In a Sitting Ducks attack, threat actors seize control of a registered domain at an authoritative DNS service or web hosting provider, bypassing the actual owner’s accounts. This method proves to be more straightforward, higher in success probability, and harder to detect compared to other well-known domain hijacking techniques like dangling CNAMEs.
Upon takeover by malicious actors, the compromised domains become conduits for various malicious activities, including malware dissemination, spam campaigns, and exploitation of the trust associated with the legitimate owners.
While the “pernicious” nature of Sitting Ducks was initially documented by The Hacker Blog in 2016, it remains relatively obscure and unresolved. Reports suggest that more than 35,000 domains have fallen victim to this attack since 2018.
Dr. Renee Burton, Vice President of Threat Intelligence at Infoblox, expressed bewilderment over the prevalent lack of awareness regarding Sitting Ducks attacks within the cybersecurity realm. She emphasized the critical role of correct domain registrar configuration, robust ownership verification at authoritative DNS providers, and the imperative need for secure nameserver responses to thwart such attacks.
The vulnerability hinges on three conditions together: erroneous configuration at the domain registrar, lax ownership verification at the authoritative DNS service, and a DNS provider whose setup lets an attacker illegitimately claim a domain. In the malicious scenario, the domain's authoritative DNS service expires while the registrar still points at that provider, so an attacker can claim the domain there, assume control of it, and impersonate the legitimate brand to propagate malware.
The Sitting Ducks attack has been weaponized by various threat actors to power traffic distribution systems like 404 TDS and VexTrio Viper, besides fueling malicious activities such as bomb threat hoaxes and sextortion scams under the moniker Spammy Bear.
In light of these threats, Dr. Burton advises organizations to conduct thorough assessments of their domain portfolios to identify vulnerabilities and opt for DNS providers equipped to counter Sitting Ducks attacks effectively. Vigilance and proactive security measures are crucial to safeguard against these stealthy domain hijacking tactics.
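One concrete check for such a portfolio assessment, added here as an example rather than code from Infoblox or Eclypsium: ask each nameserver the registrar delegates to for the zone's SOA record and see whether it answers authoritatively. A delegated server that does not set the AA bit, or returns REFUSED, SERVFAIL or NXDOMAIN, holds no data for the zone, which is the unresolvable state the article describes; whether that provider then lets someone claim the domain is a follow-up question for the provider itself. The domain, nameserver names and 192.0.2.x addresses below are constructed, and `fake_response` exists only so the check can run offline.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(domain, txid=0x1234):
    """Raw DNS SOA query for the zone apex; RD=0 so the server must answer
    from its own zone data rather than recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # SOA, IN

def parse_flags(response):
    """Return (AA bit, RCODE) from a DNS response header."""
    flags = struct.unpack("!HHHHHH", response[:12])[1]
    return bool(flags & 0x0400), flags & 0x000F

def udp_query(nameserver_ip, packet, timeout=3.0):
    """Send one UDP query to port 53; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nameserver_ip, 53))
        try:
            return s.recv(512)
        except socket.timeout:
            return None

def check_delegation(domain, nameservers, query=udp_query):
    """Ask every delegated nameserver (name -> IP) for the zone's SOA.
    A server without AA, or answering REFUSED/SERVFAIL/NXDOMAIN, is lame:
    the delegation points at it but it holds no data for the zone.
    Returns (all_lame, per-server report)."""
    report = {}
    for ns_name, ns_ip in nameservers.items():
        resp = query(ns_ip, build_soa_query(domain))
        if resp is None:
            report[ns_name] = "lame (no response)"
            continue
        aa, rcode = parse_flags(resp)
        if aa and rcode == 0:
            report[ns_name] = "authoritative"
        else:
            report[ns_name] = f"lame ({RCODE_NAMES.get(rcode, rcode)}, aa={aa})"
    return all(v.startswith("lame") for v in report.values()), report

def fake_response(aa, rcode, txid=0x1234):
    """Constructed 12-byte response header for offline demonstration."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
```

Run it against the NS set the registrar publishes for each domain you own (the default `udp_query` sends real queries); a domain where every delegated server comes back lame is the one to raise with the DNS provider first.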