Russia takes aim at Sitting Ducks domains, bags 30,000+

Eight-year-old domain hijacking technique still claiming victims


Dozens of Russia-affiliated criminals are right now trying to wrest control of web domains by exploiting weak DNS services.

The crooks have already hijacked an estimated 30,000 domains since 2019, by using a technique dubbed Sitting Ducks by cybersecurity outfits Infoblox and Eclypsium.

The flaw at the heart of the matter has been known since at least 2016, when security researcher Matt Bryant detailed the takeover of 120,000 domains using a DNS vulnerability at major cloud providers such as AWS, Google, and Digital Ocean. It resurfaced in 2019 at internet service provider GoDaddy, leading to bomb threats and sextortion attempts.

The fact that Sitting Ducks remains a viable avenue for seizing domains is a testament to the difficulty of addressing vulnerabilities that arise from shoddy business processes, rather than coding bugs. The technique is difficult to detect or distinguish from credential theft, and is very damaging for those shot down by it.

"Eight years after it was first published, the attack vector is largely unknown and unresolved," said Infoblox in a write-up lamenting the ease of domain hijacking.

"Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs. At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognized in the security industry."

Conducting a successful Sitting Ducks attack requires four conditions, according to an Eclypsium advisory:

  1. A registered domain, or subdomain of a registered domain, uses the authoritative DNS services of a different provider than the domain registrar; this is called name server delegation.
  2. A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service.
  3. The name server delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore can not resolve queries or subdomains.
  4. The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner’s account at the domain registrar.
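As an added illustration (not code from the article or from Infoblox/Eclypsium), here is a defender's triage of a constructed domain inventory against the first three conditions above: it flags domains whose parent-zone NS set points at a provider other than the registrar and where no delegated server answers authoritatively. All provider names, hostnames and probe results are constructed; the probe results stand in for what a direct SOA query to each delegated name server would return.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    """What one delegated name server said when asked for the domain's SOA (constructed)."""
    rcode: str   # "NOERROR", "REFUSED", "SERVFAIL", ...
    aa: bool     # Authoritative Answer flag in the response

def provider_of(ns_host: str) -> str:
    """Heuristic: operator of a name server = registrable part of its hostname."""
    return ".".join(ns_host.rstrip(".").split(".")[-2:])

def is_lame(probe: Probe) -> bool:
    """A server that refuses, fails, or answers without AA does not hold the zone."""
    return probe.rcode != "NOERROR" or not probe.aa

def triage(domain, registrar_provider, delegated_ns, probes):
    """Map one domain to the Sitting Ducks preconditions it satisfies.
    delegated_ns: parent-zone NS set; probes: {ns_host: Probe} per delegated server."""
    external = {provider_of(ns) for ns in delegated_ns} - {registrar_provider}
    lame = [ns for ns in delegated_ns if is_lame(probes[ns])]
    return {
        "domain": domain,
        "delegated_elsewhere": bool(external),         # conditions 1 and 2
        "lame": len(lame) == len(delegated_ns),        # condition 3: nobody serves it
        "partially_lame": 0 < len(lame) < len(delegated_ns),
        "lame_servers": lame,
        "external_providers": sorted(external),
    }

def sitting_duck_candidates(records):
    """Domains delegated away from the registrar AND wholly lame: review these first."""
    return [r["domain"] for r in map(lambda rec: triage(*rec), records)
            if r["delegated_elsewhere"] and r["lame"]]

# Constructed sample inventory: (domain, registrar DNS provider, parent NS set, probe results).
SAMPLE = [
    ("shop.example", "registrar-example.net",
     ["ns1.registrar-example.net", "ns2.registrar-example.net"],
     {"ns1.registrar-example.net": Probe("NOERROR", True),
      "ns2.registrar-example.net": Probe("NOERROR", True)}),
    ("old-brand.example", "registrar-example.net",
     ["a.dns-host-example.com", "b.dns-host-example.com"],
     {"a.dns-host-example.com": Probe("REFUSED", False),
      "b.dns-host-example.com": Probe("SERVFAIL", False)}),
    ("api.example", "registrar-example.net",
     ["a.dns-host-example.com", "b.dns-host-example.com"],
     {"a.dns-host-example.com": Probe("NOERROR", True),
      "b.dns-host-example.com": Probe("NOERROR", False)}),
]
```

Condition 4 (whether the external provider lets a new account claim the zone without proof of ownership) is a property of the provider's business process and cannot be read from this data, so flagged domains still need that check by hand.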

This gap in administrative controls – allowing criminals to add or alter domain records without validating the identity of the requester – turns out to be rather common. According to a paper [PDF] published in 2020, about 14 percent of 49 million domains evaluated were affected by lame delegations of some kind.

The security crew at Infoblox and Eclypsium say they discovered the latest round of attacks in June and have been coordinating with police and national CERTs to deal with the damage since then.

The Sitting Ducks vulnerability affects not only the owners of domains that get taken over but those interacting with those sites online. Hijacked domains, Infoblox warns, have been used for phishing, scams, spam, porn distribution, and command-and-control servers for attacks like Cobalt Strike.

Infoblox and Eclypsium argue that DNS misconfigurations can be mitigated with some effort from domain owners, domain registrars, and DNS providers. And they also urge government organizations, regulators, and standards bodies to explore long-term solutions that minimize the DNS attack surface.

"Without cooperation and active effort, Sitting Ducks attacks will continue to rise," Infoblox argues. "This attack already plays a part in cybercrime targeting dozens of countries around the world, costing consumers an untold amount of money and loss of privacy." ®
