Cybersecurity experts from Infoblox and Eclypsium have raised alarms about a widespread DNS attack known as “Sitting Ducks” or “Ducks Now Sitting” (DNS). This sophisticated attack vector poses a daily threat to over a million domains, with researchers confirming that cybercriminals have already successfully hijacked 35,000 domains using this method.
Understanding the Sitting Ducks Attack
The Sitting Ducks attack exploits configuration issues at the registrar level and insufficient ownership verification by DNS providers. This vulnerability allows attackers to claim ownership of a domain without accessing the owner’s account at the DNS provider or registrar. Despite being first documented in 2016 by Matthew Bryant, a specialist at Snap, this attack vector remains a simple yet effective method for domain hijacking.
Key Conditions for a Successful Attack
For a Sitting Ducks attack to succeed, several conditions must be met:
- The domain must use authoritative DNS services from a provider different from the registrar
- The domain’s DNS delegation must be improperly configured, i.e. the registrar points the domain at name servers that do not actually serve the zone (a non-functioning, or “lame”, delegation)
- The DNS provider must have inadequate ownership verification processes
Impact and Scope of the Threat
Researchers have observed numerous Russian-speaking hacking groups exploiting this tactic for years. Once a domain is hijacked, it can be used for various malicious activities, including:
- Spam campaigns
- Fraud
- Malware distribution
- Phishing attacks
- Data theft
The scale of this threat is significant, with at least six DNS providers currently vulnerable to Sitting Ducks attacks. GoDaddy has been confirmed as one of the victims, highlighting the widespread nature of this security issue.
Cybercriminal Tactics and Patterns
Infoblox specialists report that attackers typically hold hijacked domains for short periods, although some cases have seen domains held for up to a year. Notably, researchers have observed instances where multiple hacking groups hijack the same domain in succession, each using it for one to two months before passing it on.
Known Threat Actors
Several cybercriminal groups have been identified as actively exploiting the Sitting Ducks vulnerability, including:
- REvil
- BlackMatter
- Conti
- Various APT groups
Protecting Against Sitting Ducks Attacks
To mitigate the risk of falling victim to a Sitting Ducks attack, domain owners should:
- Regularly check their DNS configuration for delegation issues, especially on older domains
- Update delegation records with the registrar or on the authoritative name server
- Ensure proper synchronization between DNS providers and registrars
Domain registrars are advised to conduct proactive checks for non-functioning delegations and promptly alert domain owners to potential vulnerabilities. By implementing these preventive measures, both domain owners and registrars can significantly reduce the risk of successful Sitting Ducks attacks and protect their digital assets from malicious exploitation.
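The delegation check recommended above (for domain owners and, in bulk, for registrars) can be automated. The following is an added example written for this page, not code from Infoblox, Eclypsium or the article: it takes the name servers the parent zone delegates a domain to, asks each of them whether it answers authoritatively for the zone, and flags a domain as a Sitting Ducks candidate when a lame name server belongs to a provider other than the registrar (the three conditions listed earlier). The probe is injected as a callable so the logic runs offline against constructed sample data; the domain names, provider names and answers below are all constructed, and the assumption that a name server’s provider equals the last two labels of its hostname is a simplification a real tool would replace with public-suffix handling. The optional network probe assumes dnspython is installed.

```python
"""Delegation check for the Sitting Ducks preconditions (added example).

A name server listed in the parent zone's delegation is "lame" if it does
not answer authoritatively for the zone.  If that server sits at a DNS
provider other than the registrar, anyone who can create the zone at that
provider (given weak ownership verification) could take over the domain.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

# Outcomes of asking a name server for the zone's SOA record.
AUTHORITATIVE = "AUTHORITATIVE"          # SOA answered with the AA bit set
NOT_AUTHORITATIVE = "NOT_AUTHORITATIVE"  # answered, but without the AA bit
REFUSED = "REFUSED"                      # zone is not hosted there (classic lame case)
SERVFAIL = "SERVFAIL"
TIMEOUT = "TIMEOUT"

Probe = Callable[[str, str], str]  # (domain, nameserver) -> one of the outcomes above


@dataclass
class DelegationReport:
    domain: str
    registrar_dns_domain: str
    lame_servers: List[str] = field(default_factory=list)
    healthy_servers: List[str] = field(default_factory=list)
    third_party_dns: bool = False        # any NS outside the registrar's own namespace
    sitting_duck_candidate: bool = False


def provider_of(nameserver: str) -> str:
    """Provider of a name server, approximated as the last two labels of its
    hostname (assumption for this example; real tooling uses a public-suffix list)."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_delegation(domain: str, registrar_dns_domain: str,
                     parent_ns: Iterable[str], probe: Probe) -> DelegationReport:
    """Classify each delegated name server and decide whether the domain matches
    the Sitting Ducks pattern: third-party DNS plus a lame delegation there."""
    report = DelegationReport(domain, registrar_dns_domain.lower())
    for ns in parent_ns:
        target = report.healthy_servers if probe(domain, ns) == AUTHORITATIVE else report.lame_servers
        target.append(ns)
    is_third_party = lambda ns: provider_of(ns) != report.registrar_dns_domain
    report.third_party_dns = any(is_third_party(ns) for ns in parent_ns)
    # Ownership-verification strength at the provider cannot be measured over
    # DNS, so any lame third-party name server is reported for manual follow-up.
    report.sitting_duck_candidate = any(is_third_party(ns) for ns in report.lame_servers)
    return report


# --- Constructed sample data (no real domains or providers) -----------------
SAMPLE_PARENT_NS = {
    "example-shop.test": ["ns1.thirdparty-dns.test", "ns2.thirdparty-dns.test"],
    "example-blog.test": ["ns1.registrar-dns.test", "ns2.registrar-dns.test"],
    "example-app.test":  ["ns1.registrar-dns.test", "ns7.thirdparty-dns.test"],
    "example-mail.test": ["ns1.thirdparty-dns.test", "ns2.thirdparty-dns.test"],
}
SAMPLE_ANSWERS = {
    ("example-shop.test", "ns1.thirdparty-dns.test"): REFUSED,   # zone deleted at provider
    ("example-shop.test", "ns2.thirdparty-dns.test"): REFUSED,
    ("example-blog.test", "ns1.registrar-dns.test"): AUTHORITATIVE,
    ("example-blog.test", "ns2.registrar-dns.test"): AUTHORITATIVE,
    ("example-app.test", "ns1.registrar-dns.test"): AUTHORITATIVE,
    ("example-app.test", "ns7.thirdparty-dns.test"): SERVFAIL,   # half-broken delegation
    ("example-mail.test", "ns1.thirdparty-dns.test"): AUTHORITATIVE,
    ("example-mail.test", "ns2.thirdparty-dns.test"): AUTHORITATIVE,
}


def lab_probe(domain: str, nameserver: str) -> str:
    """Offline probe that replays the constructed answers above."""
    return SAMPLE_ANSWERS.get((domain, nameserver), TIMEOUT)


def dnspython_probe(domain: str, nameserver: str, timeout: float = 3.0) -> str:
    """Network probe for real use (assumes dnspython is installed); not called offline."""
    import socket
    import dns.flags, dns.message, dns.query, dns.rcode
    try:
        addr = socket.gethostbyname(nameserver)
        reply = dns.query.udp(dns.message.make_query(domain, "SOA"), addr, timeout=timeout)
    except Exception:
        return TIMEOUT
    if reply.rcode() != dns.rcode.NOERROR:
        return dns.rcode.to_text(reply.rcode())       # e.g. REFUSED, SERVFAIL
    return AUTHORITATIVE if reply.flags & dns.flags.AA else NOT_AUTHORITATIVE


def audit(parent_ns: Dict[str, List[str]] = SAMPLE_PARENT_NS,
          registrar_dns_domain: str = "registrar-dns.test",
          probe: Probe = lab_probe) -> Dict[str, DelegationReport]:
    """Run the check over every domain (a registrar's bulk scan) keyed by domain."""
    return {d: check_delegation(d, registrar_dns_domain, ns, probe) for d, ns in parent_ns.items()}


if __name__ == "__main__":
    for name, rep in audit().items():
        status = "SITTING DUCK CANDIDATE" if rep.sitting_duck_candidate else "ok"
        print(f"{name}: {status}; lame={rep.lame_servers}")
```

Running the script prints one line per domain; with the constructed data, example-shop.test (all third-party servers refusing) and example-app.test (one third-party server failing) are flagged, while example-blog.test (registrar-hosted) and example-mail.test (third-party but healthy) are not. A lame server does not by itself prove the provider will let a stranger create the zone, so flagged domains still need the delegation corrected at the registrar or the zone re-created at the provider, as the article advises.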