Over 35k Domains Hijacked in ‘Sitting Ducks’ Attacks

Threat actors have hijacked over 35,000 domains in five years because DNS providers fail to properly verify domain ownership. The post Over 35k Domains Hijacked in ‘Sitting Ducks’ Attacks appeared first on SecurityWeek.

DNS providers’ weak or nonexistent verification of domain ownership puts over one million domains at risk of hijacking, cybersecurity firms Eclypsium and Infoblox report.

The issue has already led to the hijacking of more than 35,000 domains over the past six years, all of which have been abused for brand impersonation, data theft, malware delivery, and phishing.

“We have found that over a dozen Russian-nexus cybercriminal actors are using this attack vector to hijack domain names without being noticed. We call this the Sitting Ducks attack,” Infoblox notes.

There are several variants of the Sitting Ducks attack, which are possible due to incorrect configurations at the domain registrar and lack of sufficient preventions at the DNS provider.

According to the researchers, the hijack is enabled by name server delegation, where authoritative DNS service is delegated to a provider other than the registrar; by lame delegation, where a name server listed as authoritative for the domain lacks the information needed to answer queries for it; and by exploitable DNS providers, where an attacker can claim the domain at the provider without access to the legitimate owner’s account.

“In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner’s account at either the DNS provider or registrar. Variations within this attack include partially lame delegation and redelegation to another DNS provider,” Infoblox notes.

The attack vector, the cybersecurity firms explain, was initially uncovered in 2016. It was employed two years later in a broad campaign hijacking thousands of domains, and remains largely unknown even now, when hundreds of domains are being hijacked every day.

“We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organizations. Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect,” Infoblox says.

Domain owners are advised to ensure that their authoritative DNS provider is the same as their domain registrar, that the accounts used for name server delegation on their domains and subdomains are valid, and that their DNS providers have deployed mitigations against this type of attack.
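The following is an added audit helper written for this article, not tooling from Infoblox, Eclypsium or SecurityWeek. It checks one domain's delegation for the two conditions described above, authoritative DNS hosted away from the registrar and (partially) lame delegation, working from NS answers captured beforehand (for example with `dig @<ns> <domain> NS +norecurse`); every hostname in it is a constructed sample value.

```python
"""Offline check of a domain's delegation for Sitting Ducks preconditions.

child_answers holds, per delegated name server, the NS set it returned
for the domain, or None when it answered REFUSED/SERVFAIL or
non-authoritatively (a lame server).
"""


def _norm(name):
    return name.lower().rstrip(".")


def assess_delegation(domain, parent_ns, child_answers, registrar_ns_suffix):
    """Return findings for one domain from pre-collected NS data."""
    parent = {_norm(n) for n in parent_ns}
    answers = {_norm(k): ({_norm(n) for n in v} if v is not None else None)
               for k, v in child_answers.items()}
    # A delegated server we got no authoritative answer from is lame.
    lame = {ns for ns in parent if answers.get(ns) is None}
    # Servers not run by the registrar: the zone lives at a third-party provider.
    third_party = {ns for ns in parent if not ns.endswith(_norm(registrar_ns_suffix))}
    # Authoritative servers whose own NS set disagrees with the parent delegation.
    mismatch = {ns: sorted(ans) for ns, ans in answers.items()
                if ans is not None and ans != parent}
    return {
        "domain": domain,
        "lame": sorted(lame),
        "fully_lame": bool(parent) and lame == parent,
        "third_party_ns": sorted(third_party),
        "ns_mismatch": mismatch,
        # Precondition from the article: delegated away from the registrar and
        # at least partly lame. Whether that provider verifies ownership before
        # letting an account claim the zone must still be checked with the provider.
        "sitting_ducks_exposure": bool(third_party) and bool(lame),
    }


# Constructed sample: delegation to a third-party DNS provider where one of the
# two listed servers no longer serves the zone (partially lame delegation).
SAMPLE_DOMAIN = "brand-lookalike.example"
SAMPLE_PARENT_NS = ["ns1.dnsprovider.example.", "NS2.dnsprovider.example"]
SAMPLE_CHILD_ANSWERS = {
    "ns1.dnsprovider.example": None,  # REFUSED: zone removed at the provider
    "ns2.dnsprovider.example": {"ns1.dnsprovider.example", "ns2.dnsprovider.example"},
}
SAMPLE_REGISTRAR_SUFFIX = ".registrar.example"

if __name__ == "__main__":
    result = assess_delegation(SAMPLE_DOMAIN, SAMPLE_PARENT_NS,
                               SAMPLE_CHILD_ANSWERS, SAMPLE_REGISTRAR_SUFFIX)
    for key, val in result.items():
        print(f"{key}: {val}")
```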

DNS service providers should verify domain ownership for accounts claiming a domain name, ensure that newly assigned name server hosts differ from previous assignments, and prevent account holders from modifying name server hosts after assignment, Eclypsium notes.

“Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs. At the same time, Sitting Ducks is being broadly used to exploit users around the globe,” Infoblox says.
