Threat actors have hijacked more than 35,000 registered domains in so-called Sitting Ducks attacks that allow claiming a domain without having access to the owner’s account at the DNS provider or registrar.
In a Sitting Ducks attack, cybercriminals exploit configuration shortcomings at the registrar level and insufficient ownership verification at DNS providers.
Researchers at DNS-focused security vendor Infoblox and at firmware and hardware protection company Eclypsium discovered that there are more than a million domains that can be hijacked every day via the Sitting Ducks attacks.
Multiple Russian cybercriminal groups have been using this attack vector for years and leveraged the hijacked domains in spam campaigns, scams, malware delivery, phishing, and data exfiltration.
Sitting Ducks details
Although the issues that make Sitting Ducks possible were first documented in 2016 [1, 2] by Matthew Bryant, a security engineer at Snap, the attack vector continues to be an easier way to hijack domains than other better-known methods.
For the attack to be possible, the following conditions are required:
– registered domain either uses or delegates authoritative DNS services to a provider other than the registrar
– the authoritative name server of the record cannot resolve queries because it lacks the info about the domain (lame delegation)
– the DNS provider needs to allow claiming a domain without properly verifying ownership or requiring access to the owner’s account
Variations of the attack include partially lame delegation (not all name servers are configured incorrectly) and redelegation to another DNS provider. However, if lame delegation and exploitable provider conditions are met, the domain can be hijacked.
Infoblox explains that attackers can use the Sitting Ducks method on domains that use authoritative DNS services from a provider that is different from the registrar, such as a web hosting service.
If the authoritative DNS or web hosting service for the target domain expires, an attacker can simply claim it after creating an account with the DNS service provider.
The threat actor can now set up a malicious website under the domain and configure DNS settings to resolve IP address record requests to the fake address; and the legitimate owner won’t be able to modify the DNS records.
Attacks in the wild
Infoblox and Eclypsium report that they have observed multiple threat actors exploiting the Sitting Ducks (or Ducks Now Sitting – DNS) attack vector since 2018 and 2019.
Since then, there have been at least 35,000 domain hijacking cases using this method. Typically, the cybercriminals held the domains for a short period but there were some instances where they kept them up to a year.
There have also been occurrences where the same domain was hijacked by multiple threat actors successively, who used it in their operations for one to two months and then passed it on.
GoDaddy (that is not vulnerable to these attacks since 2019) is confirmed as a victim of Sitting Ducks attacks, but the researchers say there are six DNS providers who are currently vulnerable.
The observed clusters of activity leveraging Sitting Ducks is summarized as follows:
- “Spammy Bear” – Hijacked GoDaddy domains in late 2018 for use in spam campaigns.
- “Vacant Viper” – Started using Sitting Ducks in December 2019, and hijacks 2,500 yearly since then, used in the 404TDS system that distributes IcedID, and setting up command and control (C2) domains for malware.
- “VexTrio Viper” – Started using Sitting Ducks in early 2020 to utilize the domains in a massive traffic distribution system (TDS) that facilitates the SocGholish and ClearFake operations.
- Unnamed actors – Several smaller and unknown threat actors creating TDS, spam distribution, and phishing networks.
Defense tips
Domain owners should regularly review their DNS configurations for lame delegations, especially on older domains, and update the delegation records at the registrar or authoritative name server with proper, active DNS services.
Registrars are advised to perform proactive checks for lame delegations and alert owners. They should also ensure that a DNS service is established before propagating name server delegations.
Ultimately, regulators and standards bodies must develop long-term strategies to address DNS vulnerabilities and press DNS providers under their jurisdictions to take more action to mitigate Sitting Ducks attacks.
