InfoSecBulletin Cybersecurity for mankind
More than a dozen threat actors are using a strong attack method in the domain name system (DNS). These hackers can take control of domain names without the owners realizing, and then use them for harmful activities. Infoblox, an IT automation and security company, cautions about this risk.
The “Sitting Ducks” attack is simple to do, hard to find, often unnoticed, but completely avoidable. Many web domains are at risk of being targeted. Attackers can hijack domains by exploiting mistakes in DNS provider configurations without needing to access the real owner’s account or register a domain themselves.
CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed
ALERT
Thousands of IP addresses compromised nationwide: CIRT warn
New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks
Critical RCE Flaw Patched in Roundcube Webmail
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
“At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and inadequate prevention at the DNS provider, both of which are solvable problems,” the report by Infoblox and Eclypsium explains.
To execute a Sitting Duck attack, two conditions are necessary. First, a registered domain must transfer its DNS services to a provider other than the domain registrar.
The delegation is considered lame when the DNS server lacks information about a website and cannot resolve its address.
Lastly, the DNS provider itself needs to be “exploitable” and allow attackers to “claim” the domains and set up new DNS records without accessing the real owner’s account.
Lame delegations happen when DNS servers are set up incorrectly, expired, or don’t respond to DNS queries for a certain domain.
“While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known,” the report reads. “Hundreds of domains are hijacked every day.”
Companies sometimes keep ownership of old brands and domain names, even if they no longer use them actively. An attacker can take advantage of this by creating an account and claiming the domain with a vulnerable DNS service provider. This allows them to create a fake website, trick visitors into going to it, send phishing emails, and try to infect victims with malware.
Researchers explain that “the attack is possible because of gaps in how domain names and DNS records are managed, maintained, and authorized.”
DNS providers are now being used by cybercriminals, with more than a dozen threat actors exploiting this technique. Some DNS providers are being used like libraries, allowing cybercriminals to borrow a domain for a certain period of time.
More than 35,000 domains have been taken over since 2018, but the real number is probably even higher. Thieves sometimes take control of domains that were already claimed by other threat actors.
“Threat actors have obtained SSL certificates for the domains in many cases, both from free services like Let’s Encrypt and paid services like DigiCert.” click here to read out the full report.
