Researchers from\u00a0Eclypsium<\/a> and Infoblox<\/a> have identified an attack vector in the domain name system (DNS), dubbed the Sitting Ducks attack. Over a dozen Russian-linked cybercriminal groups exploited this attack technique to carry out a stealth domain name hijacking. The attack method impacts over a million target domains daily, and is characterized by its ease of execution, minimal recognition, difficulty in detection, but is entirely preventable.<\/p>\n\n\n\n
The researcher Matt Bryant first detailed the attack vector in 2016 [1<\/a>,2<\/a>]].\u00a0Two years after the initial disclosure of the technique, threat actors started using it to hijack thousands of domains employed in global spam campaigns that included bomb threats and sextortion<\/a>.
“Eight years after it was first published, the attack vector is largely unknown and unresolved. Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs.5<\/sup>\u00a0At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognized in the security industry.” reads the report<\/a> published by Infoblox. “At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and the inadequate prevention at the DNS provider, both of which are solvable problems.”<\/em><\/p>\n\n\n\n
Variations include partially lame delegations and redelegations to other DNS providers.
“Although a Sitting Ducks attack is easy at many popular DNS and website hosting providers, some providers are not exploitable. We performed a large-scale analysis of domain delegations, evaluated about a dozen DNS providers and uncovered widespread use of the attack, most prominently by Russian cybercriminals. Hundreds of domains are hijacked every day, and Infoblox is tracking multiple actors who use this attack.” continues the report. “We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organizations. Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect.”<\/em><\/p>\n\n\n\n