Sitting Ducks Attack: Over 1M Domains At Risk Of Takeover!
2024-8-16 15:0:34 Author: securityboulevard.com

In the world of cybercrime, over 1 million domains now face a risk of threat actor-initiated takeover as the Sitting Ducks attack comes to light. As per recent reports, the attack is conducted via an exploitation of a domain name system (DNS) vulnerability and is carried out by Russian cybercriminals. In this article, we’ll dive into the details of the vulnerability to uncover how threat actors are exploiting it. Let’s begin!

Sitting Ducks Attack: Initial Discovery

An analysis published by Infoblox and Eclypsium has revealed that DNS vulnerabilities are being exploited by over a dozen Russian cybercriminals to initiate malicious domain takeover attempts.

It has been noted that, to carry out such an attack, hackers hijack a domain that’s currently registered either with a web hosting provider or a DNS service. The hijack attempt, however, is conducted without accessing the actual account of the owner. Commenting on the effectiveness of the Sitting Ducks attack technique, researchers claim that:

“Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs.”

The initial discovery of the Sitting Ducks attack technique was made nearly a decade ago, in 2016, by The Hacker Blog. Since 2018, more than 35,000 domains have succumbed to the domain hijacking attack. Media reports claim that the technique remains largely unknown and has not been resolved to date.

Malicious Domain Takeover Attack Details

Before diving into the attack chain, it’s essential to understand why this technique succeeds. Three factors play a key role in this malicious domain takeover method:

  • Incorrect configuration at the domain registrar.
  • Nameserver not being able to respond authoritatively for a domain.
  • Insufficient ownership verification by the authoritative DNS provider.

Prior to carrying out an attack using this method, threat actors also ensure that the DNS provider is exploitable. This is what allows them to carry on without accessing the valid owner’s account. In addition, when the domain service expires, threat actors can create a new account with the provider to claim ownership.

Afterward, the domain can be used as a distribution medium for malware. It can also be used for other malicious purposes, such as sending spam and abusing the trust acquired by the original owner. Over the years, the Sitting Ducks attack technique has been used by multiple threat actors for:

  • Sextortion scams.
  • Fueling traffic distribution.
  • Spammy Bear activity cluster.
  • Propagating bomb threat hoaxes.

To safeguard against cybercrime of such magnitude, organizations should check their domains for signs of malicious activity regularly and should work with providers who have protection mechanisms pertaining to the Sitting Ducks attack.
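
One way to audit your own delegations for the second factor listed above (a nameserver that cannot respond authoritatively) is sketched below. This is an added example, not code from the original post or the cited research. The nameserver names and reply bytes are constructed, and the rule "NOERROR with the AA flag set and at least one answer" is a simplifying assumption for what counts as authoritative.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(domain, txid=0x1234):
    """Encode a non-recursive (RD=0) SOA query for `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(raw):
    """Judge one nameserver's reply from the 12-byte DNS header alone."""
    if raw is None or len(raw) < 12:
        return "lame", "no usable response"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    if rcode == 0 and aa and ancount > 0:
        return "authoritative", "AA set and SOA answered"
    name = RCODES.get(rcode, str(rcode))
    return "lame", f"rcode={name} aa={int(aa)} answers={ancount}"

def query_nameserver(ns_ip, domain, timeout=3.0):
    """Ask one delegated nameserver directly over UDP; None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_soa_query(domain), (ns_ip, 53))
            return sock.recvfrom(4096)[0]
        except OSError:
            return None

def lame_nameservers(replies):
    """Map {nameserver: raw reply} to {nameserver: reason} for lame ones only."""
    verdicts = {ns: classify_response(raw) for ns, raw in replies.items()}
    return {ns: why for ns, (state, why) in verdicts.items() if state == "lame"}

# Constructed replies (headers only) for a hypothetical delegation of example.com.
SAMPLE_REPLIES = {
    "ns1.provider-a.example": bytes.fromhex("123484000001000100000000"),  # AA answer
    "ns2.provider-a.example": bytes.fromhex("123480050001000000000000"),  # REFUSED
    "ns1.provider-b.example": bytes.fromhex("123481800001000100000000"),  # AA clear
    "ns2.provider-b.example": None,                                       # timeout
}

if __name__ == "__main__":
    for ns, why in lame_nameservers(SAMPLE_REPLIES).items():
        print(f"LAME {ns}: {why}")
```

For a real audit, feed `query_nameserver` the addresses of the nameservers your registrar actually delegates to, for domains you own. Any nameserver reported as lame is a delegation to fix or remove at the registrar.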

Conclusion

The Sitting Ducks attack represents a significant and largely unresolved threat to domain security. Organizations must proactively audit their domains and DNS providers to mitigate the risk of malicious takeovers and ensure the trustworthiness of their online presence. Given the prevalence of such threats, using robust protection mechanisms is now a necessity for improving security posture and lowering exposure to risk.

The source for this piece includes articles in The Hacker News and Security Affairs.

The post Sitting Ducks Attack: Over 1M Domains At Risk Of Takeover! appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/sitting-ducks-attack-over-1m-domains-at-risk-of-takeover/


Article source: https://securityboulevard.com/2024/08/sitting-ducks-attack-over-1m-domains-at-risk-of-takeover/