InfoSecBulletin Cybersecurity for mankind
More than a dozen threat actors are using a strong attack method in the domain name system (DNS). These hackers can take control of domain names without the owners realizing, and then use them for harmful activities. Infoblox, an IT automation and security company, cautions about this risk.
The “Sitting Ducks” attack is simple to do, hard to find, often unnoticed, but completely avoidable. Many web domains are at risk of being targeted. Attackers can hijack domains by exploiting mistakes in DNS provider configurations without needing to access the real owner’s account or register a domain themselves.
WhatsApp banned on all US House of Representatives devices
Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store
OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems
Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
“At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and inadequate prevention at the DNS provider, both of which are solvable problems,” the report by Infoblox and Eclypsium explains.
To execute a Sitting Duck attack, two conditions are necessary. First, a registered domain must transfer its DNS services to a provider other than the domain registrar.
The delegation is considered lame when the DNS server lacks information about a website and cannot resolve its address.
Lastly, the DNS provider itself needs to be “exploitable” and allow attackers to “claim” the domains and set up new DNS records without accessing the real owner’s account.
Lame delegations happen when DNS servers are set up incorrectly, expired, or don’t respond to DNS queries for a certain domain.
“While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known,” the report reads. “Hundreds of domains are hijacked every day.”
Companies sometimes keep ownership of old brands and domain names, even if they no longer use them actively. An attacker can take advantage of this by creating an account and claiming the domain with a vulnerable DNS service provider. This allows them to create a fake website, trick visitors into going to it, send phishing emails, and try to infect victims with malware.
Researchers explain that “the attack is possible because of gaps in how domain names and DNS records are managed, maintained, and authorized.”
DNS providers are now being used by cybercriminals, with more than a dozen threat actors exploiting this technique. Some DNS providers are being used like libraries, allowing cybercriminals to borrow a domain for a certain period of time.
More than 35,000 domains have been taken over since 2018, but the real number is probably even higher. Thieves sometimes take control of domains that were already claimed by other threat actors.
“Threat actors have obtained SSL certificates for the domains in many cases, both from free services like Let’s Encrypt and paid services like DigiCert.” click here to read out the full report.
