New “Sitting Ducks” DNS Attack Lets Hackers Easily Take Over Domains

Summary:
Researchers at Infoblox and Eclypsium have collaborated to uncover a sophisticated new attack vector within the Domain Name System (DNS), dubbed the Sitting Ducks attack. This discovery came while studying the infrastructure used by 404TDS, a Russian-hosted traffic distribution system, indicating the involvement of Russian-nexus cybercriminals. Initially detected by Matt Bryant in August 2016, this DNS-related issue resurfaced as a new exploitation threat targeting users globally since June 2024.

Unlike traditional domain control techniques, the Sitting Ducks attack does not require registrar access. Instead, it leverages lame delegation, a scenario where a registered domain or subdomain delegates authoritative DNS services to a different provider than the domain registrar. The delegation becomes "lame" when the authoritative name server(s) lack domain information and cannot resolve queries. Malicious actors exploit this by registering the assigned domain, gaining control over all domains pointing to that domain. They further capitalize on DNS provider vulnerabilities, scanning the internet for domains with lame delegations and claiming ownership without proper authorization. By creating malicious records for hijacked domains, they redirect traffic to malicious servers, thereby leading unsuspecting users to the attacker’s site.

Security Officer Comments:
The researchers noted that the Sitting Ducks attack has multiple variations. It can exploit typos in domain owners’ name server information, enabling attackers to register partially lame domains. Additionally, dangling DNS records, which contain invalid information due to forgotten configurations, can be generalized to other DNS record types. For example, dangling CNAME attacks redirect DNS responses to lapsed domain names, allowing malicious actors to register these lapsed domains and gain control.
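The lame delegation described above, and its "partially lame" and typo variants, reduce to one defender's check: does every name server the domain is delegated to answer authoritatively for it? The following is an added example, not code from the article or from the Infoblox/Eclypsium researchers; the domain and name server names are constructed, and the probe is an in-memory stand-in for real DNS queries (a real probe, e.g. with dnspython, can be plugged in with the same signature).

```python
"""Classify a domain's NS delegation as healthy, partially lame or fully lame.

probe(ns_host, domain) is pluggable and must return one of the four states
below; the fake probe at the bottom replaces real DNS lookups so this runs
offline.
"""

# What probing one name server for a domain can report.
AUTHORITATIVE = "authoritative"          # AA flag set, SOA for the zone returned
NOT_AUTHORITATIVE = "not_authoritative"  # server answers, but REFUSED / no SOA: lame
NO_ANSWER = "no_answer"                  # timeout, server unreachable
NS_UNRESOLVABLE = "ns_unresolvable"      # NS hostname has no address (typo or lapsed)

LAME_STATES = {NOT_AUTHORITATIVE, NO_ANSWER, NS_UNRESOLVABLE}


def assess_delegation(domain, nameservers, probe):
    """Return (verdict, per_ns) for the domain's delegated name servers.

    "healthy": every NS is authoritative.
    "partially_lame": at least one NS is lame; an attacker who can claim that
        one server at its provider receives a share of the domain's queries.
    "fully_lame": no NS answers authoritatively.
    """
    per_ns = {ns: probe(ns, domain) for ns in nameservers}
    lame = [ns for ns, state in per_ns.items() if state in LAME_STATES]
    if not lame:
        return "healthy", per_ns
    if len(lame) == len(nameservers):
        return "fully_lame", per_ns
    return "partially_lame", per_ns


# Constructed answers standing in for real lookups (all names are made up).
FAKE_ANSWERS = {
    ("ns1.good-dns.example", "brand.example"): AUTHORITATIVE,
    ("ns2.good-dns.example", "brand.example"): AUTHORITATIVE,
    ("ns1.lapsed-provider.example", "forgotten.example"): NOT_AUTHORITATIVE,
    ("ns2.lapsed-provider.example", "forgotten.example"): NOT_AUTHORITATIVE,
    ("ns1.good-dns.example", "typo.example"): AUTHORITATIVE,
    ("ns1.good-dsn.example", "typo.example"): NS_UNRESOLVABLE,  # typo in NS name
}


def fake_probe(ns_host, domain):
    """Offline stand-in: unknown (NS, domain) pairs behave like a timeout."""
    return FAKE_ANSWERS.get((ns_host, domain), NO_ANSWER)


if __name__ == "__main__":
    checks = [
        ("brand.example", ["ns1.good-dns.example", "ns2.good-dns.example"]),
        ("forgotten.example", ["ns1.lapsed-provider.example", "ns2.lapsed-provider.example"]),
        ("typo.example", ["ns1.good-dns.example", "ns1.good-dsn.example"]),
    ]
    for domain, nss in checks:
        verdict, detail = assess_delegation(domain, nss, fake_probe)
        print(f"{domain}: {verdict} {detail}")
```

Any domain reported as partially or fully lame is a candidate for the hijack the article describes and should have its delegation corrected or removed.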

A large-scale analysis of domain delegations and an evaluation of around a dozen DNS providers revealed that multiple actors, predominantly Russian cybercriminals, are using this attack method. Hundreds of domains are hijacked daily, often registered with brand protection registrars or lookalike domains. According to Eclypsium’s blog post, the Sitting Ducks vector has hijacked over 35,000 domains since 2018, with the true number likely being much higher.

Suggested Corrections:
To prevent Sitting Ducks attacks, domain owners should use an authoritative DNS provider independent of their domain registrar. Ensure that domains and subdomains do not have name server delegation to invalid service providers, and ask DNS providers about their mitigations to reduce risk.

Link(s):
https://hackread.com/sitting-ducks-dns-attack-domain-takeover-data-breaches/