Sitting Ducks attack technique exposes over a million domains to hijacking

Pierluigi Paganini August 02, 2024

Researchers warn of a DNS attack vector, dubbed Sitting Ducks, that exposes over a million domains to takeover by attackers.

Researchers from Eclypsium and Infoblox have identified an attack vector in the domain name system (DNS), dubbed the Sitting Ducks attack. Over a dozen Russian-linked cybercriminal groups have exploited this technique to carry out stealthy domain name hijacking. The attack impacts over a million target domains daily; it is easy to execute, poorly recognized, and hard to detect, yet it is entirely preventable.

In a Sitting Ducks attack scenario, threat actors take control of a registered domain at an authoritative DNS service or web hosting provider without accessing the domain owner’s accounts. This allows the attacker to perform malicious activities, such as malware distribution, phishing, brand impersonation, and data theft.

Security researcher Matt Bryant first detailed the attack vector in 2016 [1,2]. Two years after the initial disclosure of the technique, threat actors started using it to hijack thousands of domains employed in global spam campaigns that included bomb threats and sextortion.

“Eight years after it was first published, the attack vector is largely unknown and unresolved. Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs. At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognized in the security industry.” reads the report published by Infoblox. “At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and the inadequate prevention at the DNS provider, both of which are solvable problems.”

The researchers reported that there are several variants of the Sitting Ducks attack that do not require attackers to register their own domains, unlike traditional DNS hijacking. The attack can occur when:

  1. A registered domain or subdomain uses a different authoritative DNS provider than its domain registrar (delegation).
  2. The delegation is lame, meaning the authoritative DNS servers lack information to resolve queries.
  3. The authoritative DNS provider is exploitable, allowing attackers to claim and set up DNS records without accessing the domain registrar’s account.

Variations include partially lame delegations and redelegations to other DNS providers.

“Although a Sitting Ducks attack is easy at many popular DNS and website hosting providers, some providers are not exploitable. We performed a large-scale analysis of domain delegations, evaluated about a dozen DNS providers and uncovered widespread use of the attack, most prominently by Russian cybercriminals. Hundreds of domains are hijacked every day, and Infoblox is tracking multiple actors who use this attack.” continues the report. “We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organizations. Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect.”


The researchers pointed out that the Sitting Ducks attack is possible because of gaps in the management and authorization of domain names and DNS records, and that it is preventable. Domain holders, registrars, DNS providers, web hosting services, standards bodies, regulators, and the cybersecurity community must collaborate to prevent such attacks.

Eclypsium experts recommend that domain owners do the following:

  • Check whether you use an authoritative DNS provider independent of your domain registrar. A Sitting Ducks attack exploits confusion between these two different providers. Therefore, if you use the same provider for both, you are not at risk for a Sitting Ducks attack.
  • Check whether your domains and subdomains have name server delegation to service providers where accounts have expired or are otherwise invalid. A Sitting Ducks attack exploits these invalid accounts to claim control over a domain from a current/valid account.
  • Check with your DNS provider to inquire how the provider explicitly mitigates this attack. If your provider has deployed mitigations, you are not at significant risk for a Sitting Ducks attack.
  • The non-profit Shadowserver Foundation has established a monitoring service that can help domain owners determine whether they have issues like this one, and will soon provide daily reports to signed-up users.
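As an added example (not code from the Infoblox or Eclypsium report), the Python below applies the three attack conditions listed earlier and the first two owner checks above to a constructed delegation snapshot. The NsAnswer, assess and SAMPLES names and every domain and provider name are assumptions; in practice the parent NS set and each name server's reply would come from `dig +norecurse` queries rather than the embedded sample data.

```python
from dataclasses import dataclass

@dataclass
class NsAnswer:
    """Reply of one delegated name server to an SOA query for the zone: rcode (NOERROR,
    REFUSED, SERVFAIL, ...), aa = Authoritative Answer flag, reachable=False = timeout."""
    rcode: str = "NOERROR"
    aa: bool = True
    reachable: bool = True

def provider_of(ns_host: str) -> str:
    """Registrable parent of a name-server host (two-label heuristic, not PSL-aware)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def is_lame(ans: NsAnswer) -> bool:
    """Lame for the zone if it times out, refuses, fails, or answers without AA set."""
    return not ans.reachable or ans.rcode != "NOERROR" or not ans.aa

def assess(domain: str, registrar: str, parent_ns: dict[str, NsAnswer]) -> dict:
    """Apply conditions 1 and 2 from the article to one delegation snapshot.
    parent_ns maps each NS host listed at the parent (TLD) zone to its answer."""
    providers = sorted({provider_of(ns) for ns in parent_ns})
    lame = sorted(ns for ns, a in parent_ns.items() if is_lame(a))
    delegated_away = any(p != registrar.lower() for p in providers)   # condition 1
    fully_lame = bool(parent_ns) and len(lame) == len(parent_ns)      # condition 2
    partially_lame = 0 < len(lame) < len(parent_ns)                   # variant noted in the report
    if not delegated_away:
        verdict = "not-at-risk"            # registrar and DNS are the same provider
    elif fully_lame or partially_lame:
        verdict = "candidate"              # condition 3 (claimable provider) still needs checking
    else:
        verdict = "delegated-but-healthy"
    return {"domain": domain, "providers": providers, "lame_servers": lame,
            "delegated_away": delegated_away, "fully_lame": fully_lame,
            "partially_lame": partially_lame, "verdict": verdict}

# Constructed inventory: placeholder names, not domains or providers from the report.
SAMPLES = {
    "lookalike-example.com": ("registrar-example.com", {
        "ns1.dns-host-example.net": NsAnswer(rcode="REFUSED", aa=False),
        "ns2.dns-host-example.net": NsAnswer(reachable=False)}),
    "healthy-example.org": ("registrar-example.com", {
        "ns1.registrar-example.com": NsAnswer(), "ns2.registrar-example.com": NsAnswer()}),
    "partial-example.net": ("registrar-example.com", {
        "ns1.dns-host-example.net": NsAnswer(), "ns2.old-host-example.net": NsAnswer(rcode="SERVFAIL")}),
}

def run_inventory() -> dict[str, str]:
    """Verdict per domain; feed real dig results here instead of SAMPLES in practice."""
    return {dom: assess(dom, reg, ns)["verdict"] for dom, (reg, ns) in SAMPLES.items()}
```

A "candidate" verdict only means the first two conditions hold; whether the delegated provider lets an unrelated account claim the zone (condition 3) has to be confirmed with that provider, as the third check above says.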

For DNS service providers, researchers recommend the following mitigations:

  • In order to claim a domain name, issue the account holder a random name server host that requires a change at the registrar. This helps verify ownership.
  • Ensure that the newly assigned name server hosts do not match previous name server assignments. This avoids edge cases that may break the above verification.
  • Do not allow the account holder to modify the name server hosts after their assignment. This complicates hijacking attempts.
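An added example, not the researchers' or any provider's code, modelling the three provider-side mitigations above in Python: a claim receives freshly generated name server hosts that the holder must set at the registrar, hosts are never reissued, the holder cannot edit them, and the zone is only activated once the parent delegation names exactly those hosts. The Provider class, the NS_SUFFIX placeholder and the domain and account names are assumptions.

```python
import secrets
from dataclasses import dataclass

NS_SUFFIX = "dns-host-example.net"   # constructed provider base domain (placeholder)

@dataclass
class ZoneClaim:
    domain: str
    account: str
    assigned_ns: frozenset[str]      # set once by the provider, never by the holder
    verified: bool = False

class Provider:
    """Models the three provider-side controls from the article: per-claim random NS
    hosts, no reuse of earlier hosts, and no holder edits after assignment."""
    def __init__(self) -> None:
        self.claims: dict[tuple[str, str], ZoneClaim] = {}
        self.issued_ns: set[str] = set()   # every host ever handed out, for any domain

    def _fresh_ns(self) -> str:
        while True:
            ns = f"ns-{secrets.token_hex(6)}.{NS_SUFFIX}"
            if ns not in self.issued_ns:
                return ns

    def claim(self, domain: str, account: str, count: int = 2) -> ZoneClaim:
        """Mitigations 1 and 2: issue unique random hosts the holder must set at the registrar."""
        assigned = frozenset(self._fresh_ns() for _ in range(count))
        self.issued_ns |= assigned
        self.claims[(domain, account)] = ZoneClaim(domain, account, assigned)
        return self.claims[(domain, account)]

    def set_nameservers(self, domain: str, account: str, ns: set[str]) -> None:
        """Mitigation 3: no holder-side edit of the assigned hosts."""
        raise PermissionError("name server hosts are assigned by the provider and immutable")

    def verify(self, domain: str, account: str, parent_ns: set[str]) -> bool:
        """Serve the zone only when the parent delegation names exactly this claim's hosts."""
        claim = self.claims.get((domain, account))
        if claim is None:
            return False
        claim.verified = {n.lower().rstrip(".") for n in parent_ns} == claim.assigned_ns
        return claim.verified

def demo() -> tuple[bool, bool]:
    """Owner completes the registrar change; a second account without registrar access cannot."""
    p = Provider()
    owner = p.claim("brand-example.com", "owner-account")
    parent = set(owner.assigned_ns)              # owner updates the NS set at the registrar
    owner_ok = p.verify("brand-example.com", "owner-account", parent)
    p.claim("brand-example.com", "other-account")   # gets different hosts; parent still names the owner's
    return owner_ok, p.verify("brand-example.com", "other-account", parent)
```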

Pierluigi Paganini

(SecurityAffairs – hacking, DNS)