Russia takes aim at Sitting Ducks domains, bags 30,000+

Eight-year-old domain hijacking technique still claiming victims

Dozens of Russia-affiliated criminals are right now trying to wrest control of web domains by exploiting weak DNS services.

The crooks have already hijacked an estimated 30,000 domains since 2019, by using a technique dubbed Sitting Ducks by cybersecurity outfits Infoblox and Eclypsium.

The flaw at the heart of the matter has been known since at least 2016, when security researcher Matt Bryant detailed the takeover of 120,000 domains using a DNS vulnerability at major cloud providers such as AWS, Google, and Digital Ocean. It resurfaced in 2019 at internet service provider GoDaddy, leading to bomb threats and sextortion attempts.

The fact that Sitting Ducks remains a viable avenue for seizing domains is a testament to the difficulty of addressing vulnerabilities that arise from shoddy business processes, rather than coding bugs. The technique is difficult to detect or distinguish from credential theft, and is very damaging for those shot down by it.

"Eight years after it was first published, the attack vector is largely unknown and unresolved," said Infoblox in a write-up lamenting the ease of domain hijacking.

"Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs. At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognized in the security industry."

Conducting a successful Sitting Ducks attack requires four conditions, according to an Eclypsium advisory:

  1. A registered domain, or subdomain of a registered domain, uses the authoritative DNS services of a different provider than the domain registrar; this is called name server delegation.
  2. A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service.
  3. The name server delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore cannot resolve queries or subdomains.
  4. The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner’s account at the domain registrar.
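As an added illustration (not code from the article, Infoblox or Eclypsium), the following checker tests a domain against conditions 1 to 3 above: it compares the parent-zone NS delegation with the registrar's own name servers and probes each external server for authoritative service of the zone. Lookups go through a callback so the logic runs offline here against constructed name servers and responses; condition 4 (whether the provider lets a stranger claim the zone) is a business-process question DNS data cannot answer.

```python
# Added example: detect Sitting Ducks preconditions 1-3 for a domain.
# Name servers, suffixes and responses below are constructed for illustration.

LAME_RCODES = {"REFUSED", "SERVFAIL", "NOTAUTH"}


def provider_of(ns_host: str) -> str:
    """Crude provider identity: the last two labels of a name server host."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])


def is_lame(domain: str, ns_host: str, query) -> bool:
    """True if ns_host is delegated for domain but does not actually serve it.

    query(ns_host, domain, "SOA") must return (rcode, aa_flag, answers).
    A server that refuses, fails, or answers without the AA bit or a SOA
    record is not authoritative for the zone: a lame delegation.
    """
    rcode, aa, answers = query(ns_host, domain, "SOA")
    return rcode in LAME_RCODES or not aa or not answers


def assess(domain: str, parent_ns: list, registrar_provider: str, query) -> dict:
    """parent_ns: NS hosts the parent zone publishes for domain.
    registrar_provider: suffix of the registrar's own name servers (assumed)."""
    external = [ns for ns in parent_ns if provider_of(ns) != registrar_provider]
    lame = [ns for ns in external if is_lame(domain, ns, query)]
    return {"external_ns": external, "lame_ns": lame,
            "sitting_duck_candidate": bool(lame)}


# Constructed sample responses keyed by (name server, zone); no real hosts.
SAMPLE = {
    ("ns1.dnshost.example", "victim.example"): ("REFUSED", False, []),
    ("ns2.dnshost.example", "victim.example"): ("NOERROR", False, []),
    ("ns1.dnshost.example", "healthy.example"): ("NOERROR", True, ["SOA ns1.dnshost.example."]),
    ("ns2.dnshost.example", "healthy.example"): ("NOERROR", True, ["SOA ns1.dnshost.example."]),
}


def sample_query(ns_host, zone, rtype):
    """Stand-in for a resolver; unknown pairs behave like an unreachable server."""
    return SAMPLE.get((ns_host, zone), ("SERVFAIL", False, []))


if __name__ == "__main__":
    for zone in ("victim.example", "healthy.example"):
        print(zone, assess(zone, ["ns1.dnshost.example", "ns2.dnshost.example"],
                           "registrar.example", sample_query))
```

For a live check, wrap a resolver library's query in the callback and feed it the NS set obtained from the parent zone rather than from the possibly-lame servers themselves.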

This gap in administrative controls – allowing criminals to add or alter domain records without validating the identity of the requester – turns out to be rather common. According to a paper [PDF] published in 2020, about 14 percent of 49 million domains evaluated were affected by lame delegations of some kind.

The security crew at Infoblox and Eclypsium say they discovered the latest round of attacks in June and have been coordinating with police and national CERTs to deal with the damage since then.

The Sitting Ducks vulnerability affects not only the owners of domains that get taken over but also those interacting with those sites online. Hijacked domains, Infoblox warns, have been used for phishing, scams, spam, porn distribution, and command-and-control servers for tools like Cobalt Strike.

Infoblox and Eclypsium argue that DNS misconfigurations can be mitigated with some effort from domain owners, domain registrars, and DNS providers. And they also urge government organizations, regulators, and standards bodies to explore long-term solutions that minimize the DNS attack surface.

"Without cooperation and active effort, Sitting Ducks attacks will continue to rise," Infoblox argues. "This attack already plays a part in cybercrime targeting dozens of countries around the world, costing consumers an untold amount of money and loss of privacy." ®
