• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 

LameHug: first AI-Powered malware linked to Russia’s APT28

 | 

5 Features Every AI-Powered SOC Platform Needs in 2025

 | 

Broadcom patches critical VMware flaws exploited at Pwn2Own Berlin 2025

 | 

Stormous Ransomware gang targets North Country HealthCare, claims 600K patient data stolen

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Sitting Ducks attack technique exposes over a million domains to hijacking

Sitting Ducks attack technique exposes over a million domains to hijacking

Pierluigi Paganini August 02, 2024

Researchers warn of an attack vector in the DNS, called the Sitting Ducks, that exposes over a million domains to hackers’ takeover.

Researchers from Eclypsium and Infoblox have identified an attack vector in the domain name system (DNS), dubbed the Sitting Ducks attack. Over a dozen Russian-linked cybercriminal groups exploited this attack technique to carry out a stealth domain name hijacking. The attack method impacts over a million target domains daily, and is characterized by its ease of execution, minimal recognition, difficulty in detection, but is entirely preventable.

In a Sitting Ducks attack scenario, threat actors take control of a registered domain at an authoritative DNS service or web hosting provider without accessing the domain owner’s accounts. This allows the attacker to perform malicious activities, such as malware distribution, phishing, brand impersonation, and data theft.

The researcher Matt Bryant first detailed the attack vector in 2016 [1,2]]. Two years after the initial disclosure of the technique, threat actors started using it to hijack thousands of domains employed in global spam campaigns that included bomb threats and sextortion.

“Eight years after it was first published, the attack vector is largely unknown and unresolved. Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs.5 At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognized in the security industry.” reads the report published by Infoblox. “At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and the inadequate prevention at the DNS provider, both of which are solvable problems.”

The researchers reported that there are several variants of the Sitting Ducks attack that do not require attackers to register their own domains, unlike traditional DNS hijacking. The attack can occur when:

  1. A registered domain or subdomain uses a different authoritative DNS provider than its domain registrar (delegation).
  2. The delegation is lame, meaning the authoritative DNS servers lack information to resolve queries.
  3. The authoritative DNS provider is exploitable, allowing attackers to claim and set up DNS records without accessing the domain registrar’s account.

Variations include partially lame delegations and redelegations to other DNS providers.

“Although a Sitting Ducks attack is easy at many popular DNS and website hosting providers, some providers are not exploitable. We performed a large-scale analysis of domain delegations, evaluated about a dozen DNS providers and uncovered widespread use of the attack, most prominently by Russian cybercriminals. Hundreds of domains are hijacked every day, and Infoblox is tracking multiple actors who use this attack.” continues the report. “We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organizations. Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect.”

Sitting Ducks

The researchers pointed out that the Sitting Ducks attack technique is preventable due to gaps in the management and authorization of domain names and DNS records. Domain holders, registrars, DNS providers, web hosting services, standards bodies, regulators, and the cybersecurity community must collaborate to prevent such attacks.

Eclypsium experts recommend that domain owners do the following:

  • Check whether you use an authoritative DNS provider independent of your domain registrar. A Sitting Ducks attack exploits confusion between these two different providers. Therefore, if you use the same provider for both, you are not at risk for a Sitting Ducks attack. 
  • Check whether your domains and subdomains have name server delegation to service providers where accounts have expired or are otherwise invalid. A Sitting Ducks attack exploits these invalid accounts to claim control over a domain from a current/valid account.
  • Check with your DNS provider to inquire how the provider explicitly mitigates this attack. If your provider has deployed mitigations, you are not at significant risk for a Sitting Ducks attack. 
  • The non-profit Shadowserver Foundation has established a monitoring service that can help domain owners determine if they have issues like this one, and will soon do daily reports to signed up users.

For DNS service providers, researchers recommend the following mitigations:

  • In order to claim a domain name, issue the account holder a random name server host that requires a change at the registrar. This helps verify ownership.
  • Ensure that the newly assigned name server hosts do not match previous name server assignments. This avoids edge cases that may break the above verification.
  • Do not allow the account holder to modify the name server hosts after their assignment. This complicates hijacking attempts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DNS)


facebook linkedin twitter

Cybercrime data breach DNS Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News Sitting Ducks

you might also like

Pierluigi Paganini July 22, 2025
Cisco confirms active exploitation of ISE and ISE-PIC flaws
Read more
Pierluigi Paganini July 22, 2025
SharePoint under fire: new ToolShell attacks target enterprises
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    SharePoint under fire: new ToolShell attacks target enterprises

    Hacking / July 22, 2025

    CrushFTP zero-day actively exploited at least since July 18

    Hacking / July 22, 2025

    Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

    Security / July 22, 2025

    MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

    APT / July 21, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT