More than a million domains are susceptible to hijacking by attackers using the so-called a Ducks are sitting attack.
A powerful attack vector exploiting weaknesses in the Domain Name System (DNS) is being used by more than a dozen Russian cybercriminals to secretly hijack domains, a joint analysis published Info block and Eclipse discovered.
“In a Sitting Ducks attack, an actor hijacks a registered domain from an authoritative DNS service or web hosting provider without accessing the real owner’s account on any DNS provider or recorder,” the researchers said.
“Sitting Ducks are easier to execute, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors such as dangling CNAMEs.”
Once a domain has been hijacked by a threat actor, it can be used for all kinds of nefarious activities, including serving malware and sending spam, abusing the trust associated with the legitimate owner.
There were details of the technique of the “pernicious” attack the first documented Hacking Blog in 2016, although it remains largely unknown and unsolved to this day. It is estimated that more than 35,000 domains have been hijacked since 2018.
“It’s a mystery to us,” Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. “We often get questions from potential customers about things like hanging CNAME attacks, which are also forgotten record hijackings, but we’ve never gotten a question about the Sitting Ducks hijacking.”
It’s a misconfiguration at the domain registrar and the authoritative DNS provider combined with the name server not being able to authoritatively respond to the domain it’s supposed to serve (e.g. lame delegation).
It also requires the authoritative DNS provider to be operational, allowing an attacker to claim ownership of a domain from the delegated authoritative DNS provider without having access to the actual owner account at the domain registrar.
In this case, if the authoritative DNS service for a domain expires, a threat actor can create an account with the provider and claim ownership of the domain, ultimately impersonating the brand behind the domain to distribute malware.
“There are many options for (Sitting Ducks), including if the domain has been registered, delegated, but not set up with a provider,” Burton said.
The Sitting Ducks attack has been used by various threat actors and the stolen domains have been used to power several Traffic Distribution Systems (TDS) such as 404 TDS (aka Vacant Viper) and VexTrio Viper. It was also used for to spread bomb threats and extortion fraud.
“Organizations should check the domains they own to see if there are any lame ones, and they should use DNS providers that have protection against Sitting Ducks,” Burton said.
