InfoSecBulletin Cybersecurity for mankind
More than a dozen threat actors are using a strong attack method in the domain name system (DNS). These hackers can take control of domain names without the owners realizing, and then use them for harmful activities. Infoblox, an IT automation and security company, cautions about this risk.
The “Sitting Ducks” attack is simple to do, hard to find, often unnoticed, but completely avoidable. Many web domains are at risk of being targeted. Attackers can hijack domains by exploiting mistakes in DNS provider configurations without needing to access the real owner’s account or register a domain themselves.
CYDES 2025 Reinforces Malaysia’s Vision of Secure and Trusted Digital Nation
Cisco alerts that Unified CM has hardcoded root SSH credentials
CYDES 2025
MCSS to implement 6 strategic goals with 7 objectives over 6 year: NACSA Chief
CYDES 2025
Malaysia placed cybersecurity heart of the regional agenda: DPM Ahmad Zahid
Amid Meta moves; OpenAI is largely shutting down next week: Wired
Canada orders Hikvision to close operations over national security
First couple “Rosie” to conceive using AI tech “STAR” successfully
Scattered Spider Actively Attacking Aviation and Transportation: FBI
Russia’s restrictions on Cloudflare making websites inaccessible
61 million Verizon records allegedly posted online for sale
“At the heart of Sitting Ducks attacks are incorrect configurations at the domain registrar and inadequate prevention at the DNS provider, both of which are solvable problems,” the report by Infoblox and Eclypsium explains.
To execute a Sitting Duck attack, two conditions are necessary. First, a registered domain must transfer its DNS services to a provider other than the domain registrar.
The delegation is considered lame when the DNS server lacks information about a website and cannot resolve its address.
Lastly, the DNS provider itself needs to be “exploitable” and allow attackers to “claim” the domains and set up new DNS records without accessing the real owner’s account.
Lame delegations happen when DNS servers are set up incorrectly, expired, or don’t respond to DNS queries for a certain domain.
“While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known,” the report reads. “Hundreds of domains are hijacked every day.”
Companies sometimes keep ownership of old brands and domain names, even if they no longer use them actively. An attacker can take advantage of this by creating an account and claiming the domain with a vulnerable DNS service provider. This allows them to create a fake website, trick visitors into going to it, send phishing emails, and try to infect victims with malware.
Researchers explain that “the attack is possible because of gaps in how domain names and DNS records are managed, maintained, and authorized.”
DNS providers are now being used by cybercriminals, with more than a dozen threat actors exploiting this technique. Some DNS providers are being used like libraries, allowing cybercriminals to borrow a domain for a certain period of time.
More than 35,000 domains have been taken over since 2018, but the real number is probably even higher. Thieves sometimes take control of domains that were already claimed by other threat actors.
“Threat actors have obtained SSL certificates for the domains in many cases, both from free services like Let’s Encrypt and paid services like DigiCert.” click here to read out the full report.
