• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 

Europol dismantles €460M crypto scam targeting 5,000 victims worldwide

 | 

CISA and U.S. Agencies warn of ongoing Iranian cyber threats to critical infrastructure

 | 

U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog

 | 

Canada bans Hikvision over national security concerns

 | 

Denmark moves to protect personal identity from deepfakes with new copyright law

 | 

Ahold Delhaize data breach affected over 2.2 Million individuals

 | 

Facebook wants access to your camera roll for AI photo edits

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

 | 

Security Affairs newsletter Round 530 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

The FBI warns that Scattered Spider is now targeting the airline sector

 | 

LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

 | 

Taking over millions of developers exploiting an Open VSX Registry flaw

 | 

OneClik APT campaign targets energy sector with stealthy backdoors

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Sitting Ducks attack technique exposes over a million domains to hijacking

Sitting Ducks attack technique exposes over a million domains to hijacking

Pierluigi Paganini August 02, 2024

Researchers warn of an attack vector in the DNS, called the Sitting Ducks, that exposes over a million domains to hackers’ takeover.

Researchers from Eclypsium and Infoblox have identified an attack vector in the domain name system (DNS), dubbed the Sitting Ducks attack. Over a dozen Russian-linked cybercriminal groups exploited this attack technique to carry out a stealth domain name hijacking. The attack method impacts over a million target domains daily, and is characterized by its ease of execution, minimal recognition, difficulty in detection, but is entirely preventable.

In a Sitting Ducks attack scenario, threat actors take control of a registered domain at an authoritative DNS service or web hosting provider without accessing the domain owner’s accounts. This allows the attacker to perform malicious activities, such as malware distribution, phishing, brand impersonation, and data theft.

The researcher Matt Bryant first detailed the attack vector in 2016 [1,2]]. Two years after the initial disclosure of the technique, threat actors started using it to hijack thousands of domains employed in global spam campaigns that included bomb threats and sextortion.

“Eight years after it was first published, the attack vector is largely unknown and unresolved. Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs.5 At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognized in the security industry.” reads the report published by Infoblox. “At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and the inadequate prevention at the DNS provider, both of which are solvable problems.”

The researchers reported that there are several variants of the Sitting Ducks attack that do not require attackers to register their own domains, unlike traditional DNS hijacking. The attack can occur when:

  1. A registered domain or subdomain uses a different authoritative DNS provider than its domain registrar (delegation).
  2. The delegation is lame, meaning the authoritative DNS servers lack information to resolve queries.
  3. The authoritative DNS provider is exploitable, allowing attackers to claim and set up DNS records without accessing the domain registrar’s account.

Variations include partially lame delegations and redelegations to other DNS providers.

“Although a Sitting Ducks attack is easy at many popular DNS and website hosting providers, some providers are not exploitable. We performed a large-scale analysis of domain delegations, evaluated about a dozen DNS providers and uncovered widespread use of the attack, most prominently by Russian cybercriminals. Hundreds of domains are hijacked every day, and Infoblox is tracking multiple actors who use this attack.” continues the report. “We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organizations. Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect.”

Sitting Ducks

The researchers pointed out that the Sitting Ducks attack technique is preventable due to gaps in the management and authorization of domain names and DNS records. Domain holders, registrars, DNS providers, web hosting services, standards bodies, regulators, and the cybersecurity community must collaborate to prevent such attacks.

Eclypsium experts recommend that domain owners do the following:

  • Check whether you use an authoritative DNS provider independent of your domain registrar. A Sitting Ducks attack exploits confusion between these two different providers. Therefore, if you use the same provider for both, you are not at risk for a Sitting Ducks attack. 
  • Check whether your domains and subdomains have name server delegation to service providers where accounts have expired or are otherwise invalid. A Sitting Ducks attack exploits these invalid accounts to claim control over a domain from a current/valid account.
  • Check with your DNS provider to inquire how the provider explicitly mitigates this attack. If your provider has deployed mitigations, you are not at significant risk for a Sitting Ducks attack. 
  • The non-profit Shadowserver Foundation has established a monitoring service that can help domain owners determine if they have issues like this one, and will soon do daily reports to signed up users.

For DNS service providers, researchers recommend the following mitigations:

  • In order to claim a domain name, issue the account holder a random name server host that requires a change at the registrar. This helps verify ownership.
  • Ensure that the newly assigned name server hosts do not match previous name server assignments. This avoids edge cases that may break the above verification.
  • Do not allow the account holder to modify the name server hosts after their assignment. This complicates hijacking attempts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DNS)


facebook linkedin twitter

Cybercrime data breach DNS Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News Sitting Ducks

you might also like

Pierluigi Paganini July 02, 2025
Cisco removed the backdoor account from its Unified Communications Manager
Read more
Pierluigi Paganini July 02, 2025
U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Cisco removed the backdoor account from its Unified Communications Manager

    Security / July 02, 2025

    U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

    Cyber Crime / July 02, 2025

    Qantas confirms customer data breach amid Scattered Spider attacks

    Cyber Crime / July 02, 2025

    CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

    Hacking / July 02, 2025

    U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 02, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT