Tuesday , June 24 2025
duck

1M domains at risk of ‘Sitting Ducks’ domain hijacking

More than a dozen threat actors are using a strong attack method in the domain name system (DNS). These hackers can take control of domain names without the owners realizing, and then use them for harmful activities. Infoblox, an IT automation and security company, cautions about this risk.

The “Sitting Ducks” attack is simple to do, hard to find, often unnoticed, but completely avoidable. Many web domains are at risk of being targeted. Attackers can hijack domains by exploiting mistakes in DNS provider configurations without needing to access the real owner’s account or register a domain themselves.

WhatsApp banned on all US House of Representatives devices

The U.S. House of Representatives has banned congressional staff from using WhatsApp on government devices due to security concerns, as...
Read More
WhatsApp banned on all US House of Representatives devices

Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store

Kaspersky found a new mobile malware dubbed SparkKitty in Google Play and Apple App Store apps, targeting Android and iOS....
Read More
Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store

OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems

OWASP has released its AI Testing Guide, a framework to help organizations find and fix vulnerabilities specific to AI systems....
Read More
OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems

Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform

In a major milestone for the country’s digital infrastructure, Axentec PLC has officially launched Axentec Cloud, Bangladesh’s first Tier-4 cloud...
Read More
Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform

Hackers Bypass Gmail MFA With App-Specific Password Reuse

A hacking group reportedly linked to Russian government has been discovered using a new phishing method that bypasses two-factor authentication...
Read More
Hackers Bypass Gmail MFA With App-Specific Password Reuse

Russia detects first SuperCard malware attacks via NFC

Russian cybersecurity experts discovered the first local data theft attacks using a modified version of legitimate near field communication (NFC)...
Read More
Russia detects first SuperCard malware attacks via NFC

Income Property Investments exposes 170,000+ Individuals record

Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...
Read More
Income Property Investments exposes 170,000+ Individuals record

ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...
Read More
ALERT (CVE: 2023-28771)  Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

CISA Flags Active Exploits in Apple iOS and TP-Link Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...
Read More
CISA Flags Active Exploits in Apple iOS and TP-Link Routers

10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

SafetyDetectives’ Cybersecurity Team discovered a public post on a clear web forum in which a threat actor claimed to have...
Read More
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

“At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and inadequate prevention at the DNS provider, both of which are solvable problems,” the report by Infoblox and Eclypsium explains.

To execute a Sitting Duck attack, two conditions are necessary. First, a registered domain must transfer its DNS services to a provider other than the domain registrar.

The delegation is considered lame when the DNS server lacks information about a website and cannot resolve its address.

Lastly, the DNS provider itself needs to be “exploitable” and allow attackers to “claim” the domains and set up new DNS records without accessing the real owner’s account.
Lame delegations happen when DNS servers are set up incorrectly, expired, or don’t respond to DNS queries for a certain domain.

“While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known,” the report reads. “Hundreds of domains are hijacked every day.”

Companies sometimes keep ownership of old brands and domain names, even if they no longer use them actively. An attacker can take advantage of this by creating an account and claiming the domain with a vulnerable DNS service provider. This allows them to create a fake website, trick visitors into going to it, send phishing emails, and try to infect victims with malware.

Researchers explain that “the attack is possible because of gaps in how domain names and DNS records are managed, maintained, and authorized.”

DNS providers are now being used by cybercriminals, with more than a dozen threat actors exploiting this technique. Some DNS providers are being used like libraries, allowing cybercriminals to borrow a domain for a certain period of time.

More than 35,000 domains have been taken over since 2018, but the real number is probably even higher. Thieves sometimes take control of domains that were already claimed by other threat actors.

“Threat actors have obtained SSL certificates for the domains in many cases, both from free services like Let’s Encrypt and paid services like DigiCert.” click here to read out the full report.

 

Check Also

GreyNoise

ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel’s IKE affecting UDP port 500. …

Leave a Reply

Your email address will not be published. Required fields are marked *