What is the Sitting Ducks Attack?

A recent investigation by Infoblox and Eclypsium has uncovered a major vulnerability in over a million domains, exposing them to a method known as the Sitting Ducks attack. This technique, actively exploited by more than a dozen cybercriminal groups linked to Russia, takes advantage of weaknesses in the domain name system (DNS) to quietly hijack domains.

You might be interested in: Videos Used to Spread Malware via Telegram

How Does the Attack Work?

In a Sitting Ducks attack, hackers take over an active domain at an authoritative DNS service or web hosting provider without needing access to the legitimate owner’s account at either the DNS provider or registrar. This makes the attack simpler, more likely to succeed, and harder to detect compared to other domain hijacking methods, like dangling CNAMEs.

Once hijacked, these domains can be used for various malicious activities, including distributing malware and sending spam, all while exploiting the trust associated with the real domain owner.

A Hidden Threat

First reported by The Hacker Blog in 2016, the Sitting Ducks attack remains largely unknown and unresolved. Since 2018, it’s estimated that over 35,000 domains have been compromised using this technique.

Dr. Renee Burton, VP of Threat Intelligence at Infoblox, shared with The Hacker News, “It’s baffling. We often get inquiries about dangling CNAME attacks but never about Sitting Ducks hijacks.”

Why is This Happening?

The problem arises from incorrect configurations between the domain registrant and the authoritative DNS provider. If the authoritative DNS provider can’t answer authoritatively for a domain it’s supposed to serve (known as lame delegation), and if it’s vulnerable, attackers can seize control of the domain without accessing the legitimate owner’s account at the domain registry.

In cases where the domain’s authoritative DNS service expires, a hacker can register an account with the provider, claim the domain, and then use it to impersonate the brand and spread malware.

“There are several variations of the Sitting Ducks attack,” Burton explained. “For instance, when a domain is registered and delegated but not properly configured at the provider.”

Real-World Impact

The Sitting Ducks attack has been weaponized by numerous cybercriminals, using hijacked domains to power traffic distribution systems (TDS) like 404 TDS (also known as Vacant Viper) and VexTrio Viper. These stolen domains have also been used to propagate bomb threats and sextortion scams.

How to Protect Your Domain

Organizations should audit their domains to ensure none are vulnerable to lame delegation. It’s crucial to use DNS providers with safeguards against Sitting Ducks attacks.

Protect your brand and prevent your domain from becoming a tool for cybercriminals by regularly checking your DNS configurations and choosing reliable DNS providers.