Threat actors have hijacked more than 35,000 registered domain names in so-called "Sitting Ducks" attacks, which let a domain be claimed without any access to the owner's account at the DNS provider or the registrar.


In a Sitting Ducks attack, the cybercriminals exploit a configuration weakness at the registrar level (authoritative DNS delegated to a third party) together with insufficient ownership verification at the DNS provider.

Researchers from DNS-focused security vendor Infoblox and firmware and hardware security company Eclypsium found that more than one million domain names are vulnerable to hijacking through Sitting Ducks on any given day.

Multiple Russian cybercriminal groups have used this attack vector for years, exploiting the hijacked domains in spam campaigns, scams, malware delivery, phishing and data exfiltration.

Although Snap security engineer Matthew Bryant first documented the weaknesses that make Sitting Ducks possible in 2016 [1,2], this vector remains an easier way to hijack a domain than other, better-known methods.

For the attack to work, the following conditions must all be met:

- The registered domain delegates its authoritative DNS service to a provider other than the registrar (for example, a web hosting company).

- The authoritative name server of record cannot answer queries for the domain because it holds no zone data for it (a "lame delegation").

- The DNS provider allows the domain to be claimed without properly verifying ownership or requiring access to the owner's account.

Variants of the attack include partial lame delegation (only some of the name servers are misconfigured) and redelegation to another DNS provider. In every variant the domain can be hijacked as long as the delegation is lame and the provider can be exploited.


Prerequisite Map

Infoblox explains that attackers can use the Sitting Ducks method against domains that obtain authoritative DNS from a provider other than the registrar, such as a web hosting service.

If the authoritative DNS or web hosting service for the target domain has lapsed, the attacker only needs to create an account with that DNS provider and claim the domain there.

The threat actor can then stand up a malicious website under the domain and configure its DNS so that address-record lookups resolve to IPs they control; the legitimate owner, who still holds the registration, is unable to modify the DNS records at the provider.
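The conditions listed above and the expiry scenario just described both hinge on the second precondition, a lame delegation, which is the one thing a domain owner can test from the outside. The following is an added example, not code from the Infoblox or Eclypsium reports: a standard-library-only probe that sends a non-recursive SOA query directly to each delegated name server and classifies the reply. A server that really hosts the zone answers with AA=1 and an SOA record; REFUSED, SERVFAIL, or a non-authoritative NOERROR (an upward referral) means the server has no zone data, so the delegation is lame. The domain `victim.example`, the name servers under `hosting-provider.example`, the 192.0.2.x addresses and the `fake_reply`/`demo_sender` stand-ins are all constructed for offline demonstration; `udp_send` is the real transport.

```python
"""Lame-delegation probe for the Sitting Ducks preconditions (added example)."""
import random
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    out = b"".join(struct.pack("!B", len(lb)) + lb.encode("ascii") for lb in labels)
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_SOA):
    """Non-recursive query (RD=0): we want the server's own authority, not a lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(wire):
    """Decode the 12-byte DNS header; the answer section itself is not needed."""
    if len(wire) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_reply(hdr, expected_id):
    """Map one server's reply to a delegation state.

    authoritative: NOERROR, AA=1, at least one record -> server hosts the zone
    lame:          REFUSED / SERVFAIL / NOERROR without AA -> no zone data here
    """
    if hdr["id"] != expected_id or not hdr["qr"]:
        return "invalid"
    if hdr["rcode"] == 0 and hdr["aa"] and hdr["ancount"] > 0:
        return "authoritative"
    if hdr["rcode"] in (0, 2, 5):
        return "lame"
    return RCODE_NAMES.get(hdr["rcode"], "rcode%d" % hdr["rcode"])


def udp_send(ip, wire, timeout=3.0):
    """Real transport: one UDP exchange with the name server at `ip`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (ip, 53))
        return s.recv(4096)


def check_delegation(domain, nameservers, send=udp_send):
    """Probe every delegated server for the zone apex SOA; returns {ns_name: state}."""
    results = {}
    for ns_name, ip in nameservers.items():
        txid = random.randint(0, 0xFFFF)   # random ID; reply must echo it
        try:
            reply = send(ip, build_query(domain, txid))
            results[ns_name] = classify_reply(parse_header(reply), txid)
        except (OSError, ValueError):
            results[ns_name] = "unreachable"
    return results


def sitting_duck_candidate(results):
    """One lame server is enough: partial lame delegation is still exploitable.
    Whether the provider lets the zone be claimed must be checked separately."""
    return any(state == "lame" for state in results.values())


# --- constructed sample replies for offline demonstration (not real traffic) ---
def fake_reply(query_wire, rcode, aa, ancount):
    """Minimal reply: echo the query ID and question, set QR/AA/RCODE/ANCOUNT."""
    txid = struct.unpack("!H", query_wire[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query_wire[12:]


def demo_sender(ip, wire):
    """Stand-in for udp_send: 192.0.2.10 hosts the zone, 192.0.2.20 does not."""
    if ip == "192.0.2.10":
        return fake_reply(wire, 0, True, 1)    # NOERROR, AA=1, one SOA record
    return fake_reply(wire, 5, False, 0)        # REFUSED: lame delegation


if __name__ == "__main__":
    ns = {"ns1.hosting-provider.example": "192.0.2.10",
          "ns2.hosting-provider.example": "192.0.2.20"}
    res = check_delegation("victim.example", ns, send=demo_sender)
    print(res, "candidate:", sitting_duck_candidate(res))
```

To run it against a real domain, take the NS names from the parent zone (the delegation the registrar published, e.g. `dig +norecurse NS victim.example @<tld server>`), resolve each to an address, and pass them to `check_delegation` with the default `udp_send`. A "lame" result only establishes the second precondition; confirming the first (the provider is not the registrar) and the third (the provider will hand the zone to a new account) requires looking at the provider itself, not at DNS.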


Infoblox and Eclypsium report that since 2018 and 2019 they have observed multiple threat actors using the Sitting Ducks (or "Ducks Now Sitting" - DNS) attack vector.

Since then, at least 35,000 domain hijackings have used this method. Cybercriminals typically hold a hijacked domain for a short period, but there have been cases of up to a year.

Some domains have also been hijacked by several threat actors in turn, each using the domain in its operations for one to two months before moving on.

GoDaddy has been confirmed as one affected DNS provider, and the researchers say six more DNS providers are currently vulnerable.

An overview of the observed activity clusters using Sitting Ducks:

"Spammy Bear" - hijacked GoDaddy domains in late 2018 for spam campaigns.

"Vacant Viper" - began using Sitting Ducks in December 2019 and has since hijacked around 2,500 domains a year, using them in its 404TDS system to distribute IcedID and as command and control (C2) domains for malware.

"VexTrio Viper" - began using Sitting Ducks in early 2020, feeding hijacked domains into its large traffic distribution system (TDS) that supports SocGholish and ClearFake operations.

Unnamed actors - several smaller, unidentified threat actors building TDS, spam distribution and phishing networks.

Domain owners should regularly check their DNS configuration for lame delegations, especially on older domains, and update the delegation records at the registrar or the authoritative name servers so that they point to an active, properly provisioned DNS service.

Registrars are advised to proactively check for lame delegations and alert the affected owners. They should also ensure that a DNS service is actually set up before propagating the name server delegation.

Ultimately, regulators and standards bodies must develop long-term strategies to address these DNS weaknesses and push the DNS providers under their jurisdiction to do more to mitigate Sitting Ducks attacks.