Researchers at Infoblox and Eclypsium have discovered that a powerful attack vector in the domain name system (DNS) is being widely exploited across many DNS providers. They found that over a dozen Russian-nexus cybercriminal actors are using this attack vector to hijack domain names without being noticed in what is being called a “Sitting Ducks attack”.
There are over a million exploitable target domains on any given day, and the attack is:
- Easy to perform
- Almost totally unrecognised
- Difficult to detect
- Entirely preventable
In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner’s account at either the DNS provider or registrar. Once the actor has control of the domain, they can conduct any form of malicious activity under the guise of the legitimate owner. This includes malware delivery, phishing campaigns, brand impersonation and data exfiltration. Exploitable domains are not rare; we estimate that over a million domains are exploitable on any given day and we have identified multiple methods to identify vulnerable domains.
The two companies discovered Sitting Ducks while studying the infrastructure used for the so-called 404TDS, a Russian-hosted traffic distribution system (TDS) first identified by Proofpoint. The domains used for this TDS were clearly hijacked, but the breadth of registrars and domain owners involved created a perplexing picture. That is, until the threat actor’s method was discovered. The companies initially thought the attack vector was unpublished. Recently they learned that Matt Bryant had previously described the attack vector in his blog, The Hacker Blog, in August and December 2016. Two years after his initial advisory, Sitting Ducks was used to hijack thousands of domains for use in a series of global spam campaigns that included bomb threats and sextortion.
Eight years after it was first published, the attack vector is largely unknown and unresolved. Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicised domain hijacking attack vectors, such as dangling CNAMEs. At the same time, Sitting Ducks is being broadly used to exploit users around the globe. Our analysis showed that the use of Sitting Ducks has grown unabated over several years and unrecognised in the security industry.
At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and the inadequate prevention at the DNS provider, both of which are solvable problems. There are several variants of the Sitting Ducks attack, none of which require the attacker to register a domain themselves, making it fundamentally different from commonly discussed DNS hijacking attacks.
Attackers can use the Sitting Ducks attack vector under the following conditions and in several variations:
- a registered domain or subdomain of a registered domain uses or delegates authoritative DNS services to a different provider than the domain registrar; this is called delegation
- the delegation is lame, meaning that the authoritative name server(s) named in the delegation do not hold information about the domain and therefore cannot resolve queries for it
- the authoritative DNS provider is exploitable, meaning that the attacker can “claim” the domain at the provider and set up DNS records without access to the valid owner’s account at the domain registrar.
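The three conditions above can be checked from the outside: read the NS set the parent (TLD) zone publishes for the domain, ask each of those servers directly and non-recursively for the domain's SOA, and see whether any answers authoritatively. The script below is an added illustration, not code from the Infoblox or Eclypsium research, that runs that logic over constructed sample data. It derives conditions 1 and 2 from the observed answers and leaves condition 3 to an operator-supplied list of providers known to let a new account claim an unconfigured zone, since the page names no provider. All domain names, name servers, provider suffixes and response classes are hypothetical; a live check would obtain the response classes from the RCODE and AA flag of real answers (for example via dnspython with recursion disabled).

```python
"""Offline triage of the Sitting Ducks preconditions for one domain (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass

# Response classes for a direct, non-recursive SOA query sent to one name server.
# These labels are for the constructed sample data below; a live check would
# derive them from the RCODE and AA flag of a real answer.
AUTHORITATIVE = "AUTH"          # NOERROR with AA set: the server hosts the zone
REFUSED = "REFUSED"             # server is reachable but has no such zone configured
SERVFAIL = "SERVFAIL"
NOT_AUTHORITATIVE = "NO_AA"     # answered without AA (a recursive or stale reply)
TIMEOUT = "TIMEOUT"


@dataclass
class Delegation:
    domain: str
    parent_ns: list[str]          # NS names as published in the parent (TLD) zone
    responses: dict[str, str]     # response class observed from each parent-listed NS
    registrar_ns_suffixes: tuple[str, ...] = ()   # hypothetical: the registrar's own NS hosts


def _under(name: str, suffix: str) -> bool:
    """True when `name` equals `suffix` or is a subdomain of it (case/dot-insensitive)."""
    name, suffix = name.rstrip(".").lower(), suffix.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def lame_servers(d: Delegation) -> list[str]:
    """Condition 2: parent-listed servers that did not answer authoritatively."""
    return [ns for ns in d.parent_ns if d.responses.get(ns, TIMEOUT) != AUTHORITATIVE]


def third_party_servers(d: Delegation) -> list[str]:
    """Condition 1: servers hosted neither under the domain itself nor at the registrar."""
    return [
        ns for ns in d.parent_ns
        if not _under(ns, d.domain)
        and not any(_under(ns, s) for s in d.registrar_ns_suffixes)
    ]


def triage(d: Delegation, claimable_provider_suffixes: tuple[str, ...] = ()) -> dict:
    """Combine the preconditions into a verdict.

    `claimable_provider_suffixes` is the operator's own list of DNS providers
    known to let a new account claim an unconfigured zone (condition 3); the
    sample run below uses a placeholder value.
    """
    lame = lame_servers(d)
    third = set(third_party_servers(d))
    fully_lame = bool(d.parent_ns) and len(lame) == len(d.parent_ns)
    lame_at_third_party = [ns for ns in lame if ns in third]
    claimable = [
        ns for ns in lame_at_third_party
        if any(_under(ns, s) for s in claimable_provider_suffixes)
    ]
    if not lame:
        verdict = "healthy"
    elif not fully_lame:
        verdict = "partially-lame"          # still broken, but not the vector described
    elif claimable:
        verdict = "sitting-duck-exposed"    # all three conditions observed
    elif lame_at_third_party:
        verdict = "sitting-duck-candidate"  # conditions 1 and 2; provider policy unknown
    else:
        verdict = "lame-in-house"           # lame, but at the registrar or self-hosted
    return {"domain": d.domain, "lame": lame, "third_party": sorted(third),
            "claimable": claimable, "verdict": verdict}


# Constructed sample inputs (not real domains, providers or measurements).
SAMPLES = [
    Delegation("brand-lookalike.test",
               ["ns1.dnshost.example", "ns2.dnshost.example"],
               {"ns1.dnshost.example": REFUSED, "ns2.dnshost.example": SERVFAIL},
               registrar_ns_suffixes=("registrar-dns.example",)),
    Delegation("healthy.test",
               ["ns1.dnshost.example", "ns2.dnshost.example"],
               {"ns1.dnshost.example": AUTHORITATIVE, "ns2.dnshost.example": AUTHORITATIVE}),
    Delegation("self-hosted.test",
               ["ns1.self-hosted.test"],
               {"ns1.self-hosted.test": REFUSED}),
    Delegation("half-broken.test",
               ["ns1.dnshost.example", "ns1.registrar-dns.example"],
               {"ns1.dnshost.example": REFUSED, "ns1.registrar-dns.example": AUTHORITATIVE},
               registrar_ns_suffixes=("registrar-dns.example",)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = triage(sample, claimable_provider_suffixes=("dnshost.example",))
        print(f"{r['domain']:<22} {r['verdict']:<24} lame={r['lame']}")
```

The verdict distinguishes a fully lame delegation to an outside provider (the situation the article describes) from ordinary DNS breakage at the registrar or on self-hosted servers, and from a partially lame NS set where at least one server still answers. Running the triage across a domain portfolio, including defensively registered lookalikes, is the owner-side check that the article's prevention advice implies.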
While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known.
Although a Sitting Ducks attack is easy at many popular DNS and website hosting providers, some providers are not exploitable. We performed a large-scale analysis of domain delegations, evaluated about a dozen DNS providers and uncovered widespread use of the attack, most prominently by Russian cybercriminals. Hundreds of domains are hijacked every day, and Infoblox is tracking multiple actors who use this attack.
“We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organisations. Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect.”
Unlike many other types of cybercrime, Sitting Ducks attacks are preventable. The attack is possible because of gaps in how domain names and DNS records are managed, maintained, and authorised. Prevention requires everyone to play a part: domain name holders, registrars, authoritative DNS providers, web hosting providers, standards bodies, government regulators, and the cybersecurity community.