Pierluigi Paganini August 02, 2024

Researchers warn of an attack vector in the DNS, called the Sitting Ducks, that exposes over a million domains to hackers’ takeover.

Researchers from Eclypsium and Infoblox have identified an attack vector in the domain name system (DNS), dubbed the Sitting Ducks attack. Over a dozen Russian-linked cybercriminal groups exploited this attack technique to carry out a stealth domain name hijacking. The attack method impacts over a million target domains daily, and is characterized by its ease of execution, minimal recognition, difficulty in detection, but is entirely preventable.

In a Sitting Ducks attack scenario, threat actors take control of a registered domain at an authoritative DNS service or web hosting provider without accessing the domain owner’s accounts. This allows the attacker to perform malicious activities, such as malware distribution, phishing, brand impersonation, and data theft.

The researcher Matt Bryant first detailed the attack vector in 2016 [1,2]]. Two years after the initial disclosure of the technique, threat actors started using it to hijack thousands of domains employed in global spam campaigns that included bomb threats and sextortion.

“Eight years after it was first published, the attack vector is largely unknown and unresolved. Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs.⁵ At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognized in the security industry.” reads the report published by Infoblox. “At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and the inadequate prevention at the DNS provider, both of which are solvable problems.”

The researchers reported that there are several variants of the Sitting Ducks attack that do not require attackers to register their own domains, unlike traditional DNS hijacking. The attack can occur when:

1. A registered domain or subdomain uses a different authoritative DNS provider than its domain registrar (delegation).
2. The delegation is lame, meaning the authoritative DNS servers lack information to resolve queries.
3. The authoritative DNS provider is exploitable, allowing attackers to claim and set up DNS records without accessing the domain registrar’s account.

Variations include partially lame delegations and redelegations to other DNS providers.

“Although a Sitting Ducks attack is easy at many popular DNS and website hosting providers, some providers are not exploitable. We performed a large-scale analysis of domain delegations, evaluated about a dozen DNS providers and uncovered widespread use of the attack, most prominently by Russian cybercriminals. Hundreds of domains are hijacked every day, and Infoblox is tracking multiple actors who use this attack.” continues the report. “We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organizations. Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect.”

The researchers pointed out that the Sitting Ducks attack technique is preventable due to gaps in the management and authorization of domain names and DNS records. Domain holders, registrars, DNS providers, web hosting services, standards bodies, regulators, and the cybersecurity community must collaborate to prevent such attacks.

Eclypsium experts recommend that domain owners do the following:

• Check whether you use an authoritative DNS provider independent of your domain registrar. A Sitting Ducks attack exploits confusion between these two different providers. Therefore, if you use the same provider for both, you are not at risk for a Sitting Ducks attack. 
• Check whether your domains and subdomains have name server delegation to service providers where accounts have expired or are otherwise invalid. A Sitting Ducks attack exploits these invalid accounts to claim control over a domain from a current/valid account.
• Check with your DNS provider to inquire how the provider explicitly mitigates this attack. If your provider has deployed mitigations, you are not at significant risk for a Sitting Ducks attack. 
• The non-profit Shadowserver Foundation has established a monitoring service that can help domain owners determine if they have issues like this one, and will soon do daily reports to signed up users.

For DNS service providers, researchers recommend the following mitigations:

• In order to claim a domain name, issue the account holder a random name server host that requires a change at the registrar. This helps verify ownership.
• Ensure that the newly assigned name server hosts do not match previous name server assignments. This avoids edge cases that may break the above verification.
• Do not allow the account holder to modify the name server hosts after their assignment. This complicates hijacking attempts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DNS)