Understanding the Sitting Ducks Attack: A Growing Threat to Over a Million Domains

Introduction

A new cybersecurity threat, known as the "Sitting Ducks" attack, has emerged as a significant concern for domain owners and cybersecurity professionals alike. This attack method leverages vulnerabilities in the Domain Name System (DNS), allowing malicious actors to hijack domains without requiring access to the legitimate owner's account. Recent research by Infoblox and Eclypsium highlights that this attack vector is currently being exploited by over a dozen cybercriminal groups with Russian connections.

How the Sitting Ducks Attack Works

The Sitting Ducks attack involves the hijacking of a registered domain at an authoritative DNS service or web hosting provider. Unlike other domain hijacking techniques, this method does not require the attacker to access the domain owner’s account at the DNS provider or the domain registrar. Instead, the attack exploits incorrect configurations and inadequate ownership verification processes at these services, making it easier to execute, more likely to succeed, and harder to detect than more widely known techniques like dangling CNAME attacks.

The Threat Landscape

Once a domain is compromised, the attacker can use it for a range of malicious activities, such as distributing malware, launching spam campaigns, or conducting phishing attacks. The compromised domains, still associated with the legitimate owner's reputation, can severely damage the credibility and trust that customers place in a brand.

Although the Sitting Ducks attack vector was first documented in 2016 by The Hacker Blog, it has remained largely unnoticed and unresolved. Since 2018, it is estimated that over 35,000 domains have been successfully hijacked using this technique. Despite its potential impact, the attack remains relatively unknown in the broader cybersecurity community, even as more sophisticated cybercriminal groups continue to weaponize it.

Exploitation and Consequences

The effectiveness of the Sitting Ducks attack is amplified when an authoritative DNS provider is exploitable. In such cases, attackers can claim ownership of a domain without having access to the valid owner's account at the domain registrar. This is particularly dangerous if the authoritative DNS service for the domain expires, allowing the threat actor to create an account with the provider, assume control of the domain, and impersonate the brand. The compromised domains are then used in various nefarious activities, including traffic distribution systems (TDSes) like 404 TDS and VexTrio Viper, as well as scams such as bomb threat hoaxes and sextortion, tracked under the activity cluster known as Spammy Bear.

Preventive Measures

To mitigate the risks associated with the Sitting Ducks attack, organizations must take proactive steps to protect their domains. This includes regularly auditing their domain portfolios to identify and rectify any lame delegations (domains whose delegated nameservers no longer answer authoritatively for them) and ensuring that their DNS providers offer robust protection against such attacks. Additionally, organizations should be aware of the configuration and verification processes used by their DNS providers to prevent unauthorized domain takeovers.
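The audit step above can be automated. The following is an added example, not code from the article or from Infoblox or Eclypsium: it takes a portfolio of domains with the nameservers delegated at the parent zone, asks each nameserver for the zone's SOA record, and flags a nameserver as lame when it does not respond, returns an error code such as REFUSED or SERVFAIL, or answers without the AA (authoritative) flag. All domain and nameserver names, and the responses in CONSTRUCTED_RESPONSES, are constructed so the script runs offline; the query function is pluggable so a real resolver can be swapped in.

```python
"""Portfolio audit for lame delegations (constructed example).

A nameserver listed at the parent is treated as lame for a domain when it
does not answer the zone's SOA authoritatively. That is the condition an
expired or abandoned authoritative DNS service leaves behind.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Probe:
    """What one nameserver returned when asked for the domain's SOA."""
    responded: bool                 # any DNS response received at all
    rcode: str = "NOERROR"          # NOERROR, REFUSED, SERVFAIL, NXDOMAIN ...
    authoritative: bool = False     # AA flag set in the response header
    ns_rrset: Set[str] = field(default_factory=set)  # NS names the server claims for the zone


@dataclass
class Finding:
    domain: str
    nameserver: str
    status: str   # "ok" or "lame"
    reason: str


def check_nameserver(domain: str, ns: str, probe: Probe) -> Finding:
    """Classify a single delegated nameserver for a domain."""
    if not probe.responded:
        return Finding(domain, ns, "lame", "no response")
    if probe.rcode != "NOERROR":
        return Finding(domain, ns, "lame", f"rcode {probe.rcode}")
    if not probe.authoritative:
        return Finding(domain, ns, "lame", "answer not authoritative (AA flag clear)")
    return Finding(domain, ns, "ok", "authoritative SOA answer")


def audit_domain(domain: str, delegated_ns: Set[str], query) -> List[Finding]:
    """Probe every nameserver the parent zone delegates the domain to."""
    return [check_nameserver(domain, ns, query(domain, ns)) for ns in sorted(delegated_ns)]


def audit_portfolio(portfolio: Dict[str, Set[str]], query) -> Dict[str, List[Finding]]:
    return {domain: audit_domain(domain, ns_set, query) for domain, ns_set in portfolio.items()}


def lame_domains(report: Dict[str, List[Finding]]) -> List[str]:
    """Domains with at least one lame nameserver; these need attention first."""
    return sorted(d for d, findings in report.items() if any(f.status == "lame" for f in findings))


# --- Constructed sample data (hypothetical names; nothing here is a real zone) ---
PORTFOLIO: Dict[str, Set[str]] = {
    "example.com": {"ns1.good-dns.example", "ns2.good-dns.example"},
    "expired-service.example": {"ns1.old-provider.example", "ns2.old-provider.example"},
    "partial.example": {"ns1.good-dns.example", "ns1.old-provider.example"},
}

CONSTRUCTED_RESPONSES: Dict[tuple, Probe] = {
    ("example.com", "ns1.good-dns.example"): Probe(True, "NOERROR", True, {"ns1.good-dns.example", "ns2.good-dns.example"}),
    ("example.com", "ns2.good-dns.example"): Probe(True, "NOERROR", True, {"ns1.good-dns.example", "ns2.good-dns.example"}),
    # The old provider no longer hosts this zone: one server refuses, the other is gone.
    ("expired-service.example", "ns1.old-provider.example"): Probe(True, "REFUSED"),
    ("expired-service.example", "ns2.old-provider.example"): Probe(False),
    # Mixed delegation: one healthy server, one that only recurses for the name.
    ("partial.example", "ns1.good-dns.example"): Probe(True, "NOERROR", True, {"ns1.good-dns.example"}),
    ("partial.example", "ns1.old-provider.example"): Probe(True, "NOERROR", False),
}


def constructed_query(domain: str, ns: str) -> Probe:
    """Stand-in for a live SOA query; unknown pairs count as unreachable."""
    return CONSTRUCTED_RESPONSES.get((domain, ns), Probe(False))


if __name__ == "__main__":
    report = audit_portfolio(PORTFOLIO, constructed_query)
    for domain, findings in report.items():
        for f in findings:
            print(f"{domain:28} {f.nameserver:28} {f.status:4} {f.reason}")
    print("needs attention:", ", ".join(lame_domains(report)))
```

To run this against live infrastructure, replace constructed_query with a function that sends the SOA query directly to each delegated nameserver rather than through a recursive resolver (for example with dnspython: build the query with dns.message.make_query(domain, "SOA"), send it with dns.query.udp to the nameserver's address, then fill Probe from dns.rcode.to_text(response.rcode()) and response.flags & dns.flags.AA). The delegated nameserver set itself should come from the parent zone's NS records, since that is what an attacker-controlled service would inherit.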

Conclusion

The Sitting Ducks attack represents a serious and growing threat in the realm of cybersecurity, particularly due to its ease of execution and the potential for significant harm. Despite being documented for several years, it remains a largely unaddressed issue, leaving millions of domains vulnerable to hijacking. As cybercriminals continue to exploit this attack vector, it is crucial for organizations to enhance their domain security practices to prevent becoming the next victim of a Sitting Ducks hijack.
