Cybersecurity researchers from Infoblox and Eclypsium have discovered a critical vulnerability in the Domain Name System (DNS). This vulnerability is currently being exploited by Russian cybercriminals to take over legitimate websites.
The method, dubbed the “Sitting Ducks” attack, is being used by more than a dozen Russian cybercriminals to hijack domain names.
The issue was first reported in 2016 and resurfaced this year. Since its rediscovery, the two companies have been working with law enforcement agencies and national Computer Emergency Response Teams (CERTs).
Sitting Ducks attacks on the rise
The Sitting Ducks attack targets DNS providers through a combination of poor delegation and insufficient domain ownership validation, allowing attackers to claim domains from DNS providers without needing access to the legitimate owner’s account.
The research highlights the troubling nature of exploitable domains, with over a million vulnerable targets on any given day.
Additionally, the researchers say the method is simple to perform and difficult to detect, but importantly for potential victims, it is also entirely preventable.
Once an attacker hijacks a registered domain by exploiting vulnerable DNS providers, they can perform a range of malicious activities, including malware distribution, phishing campaigns, brand impersonation, and data theft.
The attack remains largely unknown and is harder to detect than other domain hijacking methods, such as those that abuse dangling CNAME records.
Recommendations to prevent the Sitting Ducks attack include requiring domain ownership verification by DNS providers and checking for broken (lame) delegations, where a domain's delegated name servers do not actually serve its zone.
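The "broken delegation" check recommended above can be automated by asking each name server the parent zone delegates to for the domain's SOA record and inspecting the reply header: a server that really hosts the zone answers authoritatively (AA=1, NOERROR), while REFUSED, SERVFAIL or a non-authoritative reply is the lame delegation a Sitting Ducks takeover relies on. The following is an added example using only the Python standard library, not code from Infoblox or Eclypsium; the domain and name server names in the usage line are placeholders.

```python
import random
import socket
import struct

# Verdicts for one delegated name server (labels chosen for this example)
AUTHORITATIVE = "authoritative"
LAME = "lame"           # delegated at the parent, but does not serve the zone
UNREACHABLE = "unreachable"

def build_soa_query(domain: str, qid: int) -> bytes:
    """Build a non-recursive (RD=0) SOA query, the kind a resolver sends to an authoritative server."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)   # flags=0: QR=0, RD=0
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)             # QTYPE=SOA, QCLASS=IN

def classify_response(qid: int, data: bytes) -> str:
    """Classify a raw DNS reply from its 12-byte header. A server hosting the zone returns
    AA=1, RCODE=NOERROR and at least one answer RR; REFUSED, SERVFAIL, NXDOMAIN or a
    non-authoritative reply means the delegation points at a server that lacks the zone."""
    if len(data) < 12:
        return LAME
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:                         # wrong ID or not a response
        return LAME
    aa = bool(flags & 0x0400)
    rcode = flags & 0x000F
    return AUTHORITATIVE if (rcode == 0 and aa and ancount > 0) else LAME

def check_delegation(domain: str, ns_hosts: list, timeout: float = 3.0) -> dict:
    """Query each delegated name server directly over UDP/53 and return {ns_host: verdict}.
    Any LAME verdict is a broken delegation that should be fixed at the registrar or DNS provider."""
    verdicts = {}
    for host in ns_hosts:
        qid = random.randint(0, 0xFFFF)
        try:
            ip = socket.gethostbyname(host)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(build_soa_query(domain, qid), (ip, 53))
                data, _ = sock.recvfrom(4096)
            verdicts[host] = classify_response(qid, data)
        except (socket.gaierror, socket.timeout, OSError):
            verdicts[host] = UNREACHABLE
    return verdicts

if __name__ == "__main__":
    # Placeholders: use a domain you own and the NS names its parent zone delegates to
    print(check_delegation("example.com", ["ns1.example.net", "ns2.example.net"]))
```

Run it against the NS names shown in the parent zone (from the registrar or a `dig NS` query), not the NS records the zone publishes about itself, since the parent-side delegation is what an attacker can claim.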
Infoblox and Eclypsium will present their findings and further details at the upcoming Black Hat conference, giving the cybersecurity community an opportunity to address this threat.