Aug 01, 2024Ravie LakshmananVulnerability / Threat Intelligence

Over a million domains are susceptible to takeover by malicious actors by means of what has been called a Sitting Ducks attack.

The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by over a dozen Russian-nexus cybercriminal actors to stealthily hijack domains, a joint analysis published by Infoblox and Eclypsium has revealed.

“In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner’s account at either the DNS provider or registrar,” the researchers said.

“Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs.”

Once a domain has been taken over by the threat actor, it could be used for all kinds of nefarious activities, including serving malware and conducting spams, while abusing the trust associated with the legitimate owner.

Details of the “pernicious” attack technique were first documented by The Hacker Blog in 2016, although it remains largely unknown and unresolved to date. More than 35,000 domains are estimated to have been hijacked since 2018.

“It is a mystery to us,” Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. “We frequently receive questions from prospective clients, for example, about dangling CNAME attacks which are also a hijack of forgotten records, but we have never received a question about a Sitting Ducks hijack.”

At issue is the incorrect configuration at the domain registrar and the authoritative DNS provider, coupled with the fact that the nameserver is unable to respond authoritatively for a domain it’s listed to serve (i.e., lame delegation).

It also requires that the authoritative DNS provider is exploitable, permitting the attacker to claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner’s account at the domain registrar.

In such a scenario, should the authoritative DNS service for the domain expire, the threat actor could create an account with the provider and claim ownership of the domain, ultimately impersonating the brand behind the domain to distribute malware.

“There are many variations [of Sitting Ducks], including when a domain has been registered, delegated, but not configured at the provider,” Burton said.

The Sitting Ducks attack has been weaponized by different threat actors, with the stolen domains used to fuel multiple traffic distribution systems (TDSes) such as 404 TDS (aka Vacant Viper) and VexTrio Viper. It has also been leveraged to propagate bomb threat hoaxes and sextortion scams.

“Organizations should check the domains they own to see if any are lame and they should use DNS providers that have protection against Sitting Ducks,” Burton said.