Over a Million Domains at Risk Due to Sitting Ducks Exploit

The Sitting Ducks attack has been identified as a vector in the domain name system (DNS) that more than a dozen cybercriminal groups with ties to Russia are using to hijack domain names while staying under the radar. It is simple to carry out, hard to detect, and hard to recognize after the fact, and more than a million registered domains are estimated to be at risk from it. It is also entirely preventable with proper configuration. In a Sitting Ducks attack, threat actors take over a registered domain at its authoritative DNS service or web hosting provider without ever accessing the domain owner's registrar account. A hijacked domain can then be used for a range of follow-on activity: malware distribution, phishing, brand impersonation, and data theft.

Researchers first described the attack vector in 2016. Two years later, threat actors began hijacking thousands of domains, which they then used in global spam campaigns delivering bomb threats and sextortion. Despite being known for eight years, the Sitting Ducks attack remains under-resolved and under-detected relative to the attention it receives from the industry. It is easier to perform, more likely to succeed, and harder to detect than other domain hijacking vectors such as dangling CNAMEs. Researchers have observed its use growing steadily over the years, with victims worldwide, driven by misconfigurations at domain registrars and inadequate preventive controls at DNS providers.

Researchers have documented several variants of the Sitting Ducks attack. None of them requires the attacker to register a domain or to compromise the owner's accounts, which is what sets the technique apart from typical DNS hijacking. The common precondition is a registered domain or subdomain that is delegated to an authoritative DNS provider other than its registrar, where that delegation is lame: the name servers listed in the delegation hold no zone data for the domain and cannot answer queries for it. The attack succeeds when that authoritative DNS provider is exploitable, meaning the attacker can claim the domain there and set up DNS records without any access to the registrar account. Other permutations include partially lame delegations (only some of the listed name servers fail to serve the zone) and re-delegations to other DNS providers.
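The lame-delegation precondition above is something a domain holder can verify directly. The following script is an added example, not code from Infoblox's report or from the article: it sends a non-recursive SOA query for the zone to each delegated name server over UDP and classifies the reply from the DNS header alone (AA flag, RCODE and answer count). A server that answers REFUSED or SERVFAIL, or returns NOERROR without the AA flag and without answers, is listed in the delegation but is not actually serving the zone, which is the lame state the attack relies on. The name server IPs are assumed to be supplied by the caller (for example from `dig +trace NS example.com`), IPv4 only; the embedded sample replies are constructed for illustration, not captured traffic.

```python
"""Check whether a zone's delegation is lame (added example, not from the Infoblox report).

Each listed name server gets a non-recursive SOA query for the zone. Only the
12-byte DNS header of the reply is parsed; that is enough to read the AA flag,
the RCODE and the answer count, which is all the classification needs.
"""
import random
import socket
import struct
from typing import Dict, Optional

QTYPE_SOA = 6
QCLASS_IN = 1


def build_query(qname: str, qtype: int = QTYPE_SOA, txid: Optional[int] = None) -> bytes:
    """Build a DNS query with RD=0, so the target must answer from its own zone data."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    flags = 0x0000  # QR=0, opcode=0, RD=0: a plain non-recursive query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp: bytes) -> Dict[str, int]:
    """Decode the DNS header: transaction id, QR and AA flags, RCODE, answer count."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # bit 15: this is a response
        "aa": bool(flags & 0x0400),   # bit 10: authoritative answer
        "rcode": flags & 0x000F,      # bits 0-3: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify_answer(hdr: Dict[str, int]) -> str:
    """'authoritative' if AA is set with a NOERROR answer; anything else is 'lame'.

    REFUSED, SERVFAIL, NXDOMAIN for the zone apex, or NOERROR without AA all mean
    the server is in the delegation but does not host the zone.
    """
    if hdr["rcode"] == 0 and hdr["aa"] and hdr["ancount"] > 0:
        return "authoritative"
    return "lame"


def classify_delegation(per_ns: Dict[str, str]) -> str:
    """Summarise per-name-server results as 'healthy', 'partially lame' or 'lame'.

    Unreachable servers are not serving the zone either, so they count against it.
    An empty result set is reported as 'lame' since nothing answered for the zone.
    """
    states = set(per_ns.values())
    if states == {"authoritative"}:
        return "healthy"
    if "authoritative" in states:
        return "partially lame"
    return "lame"


def probe_nameserver(ns_ip: str, zone: str, timeout: float = 3.0) -> str:
    """Send the non-recursive SOA query to one name server (UDP/53, IPv4) and classify it."""
    query = build_query(zone)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ns_ip, 53))
            resp, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return "unreachable"
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"]:
        return "unreachable"  # not a reply to our query; treat like no answer
    return classify_answer(hdr)


# Constructed sample replies (headers only; not captured traffic) to a SOA query.
SAMPLE_REPLIES = {
    "ns-good":     struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0),  # QR, AA, NOERROR, 1 answer
    "ns-refused":  struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0),  # QR, REFUSED
    "ns-servfail": struct.pack("!HHHHHH", 0x1234, 0x8002, 1, 0, 0, 0),  # QR, SERVFAIL
    "ns-nonauth":  struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 0, 0),  # QR, NOERROR, no AA, no answer
}


def classify_samples() -> Dict[str, str]:
    """Classify the constructed sample replies; only ns-good serves the zone."""
    return {name: classify_answer(parse_header(raw)) for name, raw in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print("usage: lamecheck.py ZONE NS_IP [NS_IP ...]")
        print("offline sample:", classify_samples(), "->", classify_delegation(classify_samples()))
        sys.exit(0)
    zone, ns_ips = sys.argv[1], sys.argv[2:]
    results = {ip: probe_nameserver(ip, zone) for ip in ns_ips}
    for ip, state in results.items():
        print(f"{ip:>16}  {state}")
    print("delegation:", classify_delegation(results))
```

A "partially lame" or "lame" result on a zone you own is the signal to act before anyone else does: either make the listed provider actually serve the zone under your own account, or remove the stale NS records at the registrar. Run against the name servers published by the parent zone, not against whatever your resolver returns, since a hijacker's records are exactly what a recursive lookup would show you.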

In Infoblox's report, the researchers conclude that, although the Sitting Ducks attack is easy to carry out against a large number of common DNS and web hosting providers, there is a proportion of providers at which it cannot be executed. They assessed roughly a dozen DNS service providers through large-scale studies of domain delegations and found the attack in widespread use, frequently by Russian cybercriminals.

Hundreds of domains are hijacked on a daily basis, and Infoblox has observed multiple actors doing so. Many of the hijacked domains were registered through brand-protection registrars, and the lookalike domains among them were presumably registered defensively by legitimate brands or organizations. Such domains usually carry a well-respected pedigree, which makes malicious use of them very difficult to observe or attribute. The researchers emphasize that the Sitting Ducks technique is entirely avoidable through proper management and authorization of domain names and their DNS records, and that stopping these attacks fully will require closer cooperation among domain holders, registrars, DNS providers, web hosting services, regulators, and the cybersecurity community. Closing these gaps would greatly reduce both the likelihood and the impact of Sitting Ducks attacks and make the domain name system more secure overall.
