Sitting Ducks DNS Attack Hijack 35,000 Domains

Threat actors have been exploiting the attack vector known as Sitting Ducks since at least 2019 to conduct malware delivery, phishing, brand impersonation, and data exfiltration by exploiting flaws in DNS.

This widespread flaw, affecting multiple DNS providers, enables domain hijacking without detection.

Besides this, the researchers from Infoblox and Eclypsium have unveiled this critical vulnerability in the DNS infrastructure.

As a result, researchers discovered that it affects around one million domains, leading to over 30,000 cases of confirmed hijacking due to poor domain verification by DNS providers.

Technical Analysis

Malware distribution, brand impersonation, data theft, and phishing all exploit this loophole in the security system.

Infoblox researchers collaborating with Eclypsium are working with law enforcement agencies and national CERTs to solve this critical security problem.

The Sitting Ducks attack, which was reported in 2016 but is still widely utilized, targets the security flaws of DNS infrastructure.

This method allows hackers to take over domains without hacking the owners’ accounts at registrars or DNS providers.

By exploiting misconfigurations within domain delegation, especially “lame” delegations, attackers can wrestle control of domains from vulnerable DNS providers.

Conditions for a Sitting Ducks Attack (Source – InfoBlox)

This technique surpasses traditional types of hijacking by being more effective and less detectable as it facilitates malware dissemination and data stealing using the legitimate-looking domains for phishing.

It is a favorite tool for Russian threat actors, affecting an estimated million-plus daily on various TLDs.

This attack has mainly remained unresolved due to its great severity,

even putting into compromise brand protection registered domains that make detection difficult as they look genuine.

A common Sitting Ducks attack sequence (Source – InfoBlox)

Exploitations of DNS vulnerabilities by Sitting Ducks involve domain hijacking without requiring access to the owner accounts. 

This preventable threat stems from domain and DNS record management gaps across the industry. 

Since 2018, more than twelve Russian-linked cyber-gangs have exploited this method to grab at least 35000 domain names. 

According to the report, these attackers normally view weak DNS providers as “domain lending libraries,” where control over the taken-over domains is rotated every 30-60 days to evade detection. 

Such compromised domains serve as platforms for various malicious activities, such as traffic distribution systems (TDS) like VexTrio and 404TDS, malware-spreading campaigns, phishing campaigns, and scams targeting multiple countries. 

This vulnerability was first discovered and reported on in 2016 however it has never been fixed properly which demonstrates how critical but often neglected Domain Name System (DNS) security is for cybersecurity deployments. 

Mitigating this situation will require combined efforts from holders of domains, registrars, DNS providers, regulatory bodies, and the wider community involved in cybersecurity issues. 

How to Build a Security Framework With Limited Resources IT Security Team (PDF) – Free Guide

Recommendations

Here below we have mentioned all the recommendations:-

  • Use a separate authoritative DNS provider from your domain registrar.
  • Check for invalid name server delegations.
  • Confirm DNS provider mitigations against Sitting Ducks attacks.
  • Use Shadowserver’s monitoring service for domain issues.
  • For DNS providers, assign random name server hosts for verification.
  • Ensure new name servers don’t match previous ones.
  • Block modifications to assigned name server hosts.

The post Sitting Ducks DNS Attack Hijack 35,000 Domains appeared first on Cyber Security News.