Millions of websites are sitting ducks for hijackers using unresolved method


More than a dozen threat actors connected to Russia are exploiting a powerful attack vector in the domain name system (DNS). Hackers can claim existing domain names without the real owners noticing and use them for malicious purposes, warns the IT automation and security company Infoblox.

The attack, dubbed “Sitting Ducks”, is easy to perform, difficult to detect, almost totally unrecognized, yet entirely preventable. And millions of domains (website addresses) are exploitable targets.

To hijack a domain, attackers exploit a misconfigured delegation at the registrar together with weak ownership checks at the DNS provider, without ever accessing the real owner’s registrar account and without registering a domain themselves.

“At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and inadequate prevention at the DNS provider, both of which are solvable problems,” the report by Infoblox and Eclypsium explains.

A Sitting Ducks attack requires a few conditions. First, the registered domain delegates its authoritative DNS (its NS records at the registrar) to a provider other than the registrar itself.

Second, the delegation has to be lame: the nameservers the domain points to do not hold a zone for it, so they cannot answer authoritatively for its records.

Lastly, the DNS provider itself needs to be “exploitable”: it must let a new customer “claim” the domain and set up DNS records for it without proving control of the real owner’s account.

Lame delegations typically arise when the delegated nameservers are misconfigured, the hosting account at the provider has expired or been deleted, or the servers otherwise fail to answer authoritatively for the domain while the NS records at the registrar still point at them.

“While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known,” the report reads. “Hundreds of domains are hijacked every day.”

Often, companies retain ownership of old brands and other domain names but no longer actively use them, so a dead delegation goes unnoticed. If an attacker creates an account at the “exploitable” DNS provider the domain is delegated to and claims the domain there, they can publish records of their own: craft a fake website and lead visitors to it, send phishing email from the domain, and try to infect victims with malware.

Researchers explain that “the attack is possible because of gaps in how domain names and DNS records are managed, maintained, and authorized.”

They warn that DNS providers have become “a veritable Russian cybercriminal playground,” as more than a dozen threat actors utilize this technique. Some exploitable DNS providers are being treated as “domain lending libraries” to borrow a domain for 30-60 days at a time, or for over a year in some cases.

At least 35,000 domains have been hijacked this way since 2018, and the actual number is likely to be much higher. Sometimes thieves even hijack domains that were already claimed by other threat actors.

“Threat actors have obtained SSL certificates for the domains in many cases, both from free services like Let’s Encrypt and paid services like DigiCert.”

This attack vector is not new: Matt Bryant first described it in 2016 on his site, The Hacker Blog. Two years after that initial disclosure, thousands of domains were hijacked and used in a series of global spam campaigns, including bomb threats and extortion.

Eight years have passed, and according to the report, this attack vector is still largely unknown and unresolved.

Most often, hijacked domains belong to small businesses and individuals, but sometimes they are registered by regional or local government institutions.

“One of the most active threat actors we have discovered hijacks domains from multiple DNS providers. They distribute investment scams through Facebook ads, and possibly other mediums. These ads have targeted over thirty countries and often use lures of government infrastructure programs and investment summits,” researchers said.

They recommend that domain owners regularly audit their domain names and DNS configurations, especially domains held for over 10 years, and fix or remove any lame delegation records, that is, NS records at the registrar that point to nameservers which no longer host the zone.
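The audit the researchers recommend here, and the lame-delegation condition described earlier in the article, come down to one test: does every nameserver the domain is delegated to answer authoritatively for it? The script below is an added example, not code from the article or from Infoblox or Eclypsium. It assumes the operator supplies the nameserver hostnames (for instance copied from the registrar panel or the output of `dig NS`), and it queries each one over plain UDP port 53 for the zone’s SOA record with recursion disabled. A server that returns NOERROR with the AA bit set is authoritative; REFUSED, SERVFAIL, a non-authoritative answer, a timeout, or a nameserver name that no longer resolves all indicate a lame delegation that should be fixed before someone else claims the zone.

```python
# Added example: probe a domain's delegated nameservers for lame delegation.
# Assumptions (not from the article): the nameserver list is supplied by the
# operator, and each server is queried over UDP/53 for the zone's SOA record.
import random
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels, NUL-terminated)."""
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = QTYPE_SOA) -> bytes:
    """Build a non-recursive query (RD=0): only a server holding the zone can answer with AA set."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def classify_response(resp: bytes, txid: int) -> tuple:
    """Classify a raw DNS response by its 12-byte header.

    Returns (verdict, detail). The delegated server is 'authoritative' only when it
    answers NOERROR with the AA bit set and at least one answer record. REFUSED,
    SERVFAIL, NXDOMAIN or a NOERROR reply without AA all mean the server does not
    hold the zone, i.e. the delegation is lame.
    """
    if len(resp) < 12:
        return ("malformed", "response shorter than a DNS header")
    rid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return ("malformed", "transaction id mismatch")
    if not flags & 0x8000:
        return ("malformed", "QR bit not set")
    rcode = flags & 0x000F          # low four bits of the flags word
    aa = bool(flags & 0x0400)       # Authoritative Answer bit
    if rcode == 0 and aa and ancount > 0:
        return ("authoritative", "NOERROR, AA set, %d answer record(s)" % ancount)
    if rcode == 0 and aa:
        return ("lame", "AA set but no SOA in the answer section")
    if rcode == 0:
        return ("lame", "NOERROR without AA (server does not hold the zone)")
    return ("lame", "%s from nameserver" % RCODE_NAMES.get(rcode, str(rcode)))


def probe_nameserver(domain: str, ns_host: str, timeout: float = 3.0) -> tuple:
    """Send the SOA query to one delegated nameserver and classify its reply (needs network)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(domain, txid)
    try:
        ns_ip = socket.gethostbyname(ns_host)
    except socket.gaierror as exc:
        return ("lame", "nameserver name does not resolve: %s" % exc)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ns_ip, 53))
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return ("lame", "no response within %.1fs" % timeout)
    return classify_response(resp, txid)


def check_delegation(domain: str, nameservers: list) -> dict:
    """Probe every delegated nameserver; any non-authoritative verdict is a lame delegation."""
    return {ns: probe_nameserver(domain, ns) for ns in nameservers}


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: lamecheck.py DOMAIN NS1 [NS2 ...]")
    results = check_delegation(sys.argv[1], sys.argv[2:])
    for ns, (verdict, detail) in results.items():
        print("%-40s %-14s %s" % (ns, verdict, detail))
    if any(verdict != "authoritative" for verdict, _ in results.values()):
        print("WARNING: at least one delegated nameserver is not authoritative for", sys.argv[1])
```

Run it against each domain in the portfolio, old brand names included, with the nameservers currently listed at the registrar; a “lame” verdict for a nameserver belonging to a third-party DNS provider is exactly the state the attackers look for, and the remedy is either to re-create the zone at that provider or to update the NS records at the registrar so they no longer point there.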

Researchers also suggest that domain owners press their DNS or hosting provider to follow best practices that prevent this kind of takeover. All authoritative DNS providers, including web hosting providers that also serve DNS, should incorporate mechanisms, such as verifying control of a domain before letting a new account create a zone for it, that close off the Sitting Ducks attack vector.
