Russian Cybercriminals Hijacking Domain Names

Russian cybercriminals have been exploiting a critical vulnerability in the Domain Name System (DNS) to hijack domain names, affecting thousands of websites. This method, known as the “Sitting Ducks” attack, has been identified by cybersecurity researchers from Infoblox and Eclypsium. The attack leverages weaknesses in DNS configurations, specifically targeting lame delegations and insufficient validation of domain ownership, allowing attackers to claim domains without accessing the legitimate owner’s account.

Sitting Ducks Attack Overview

The Sitting Ducks attack exploits the following conditions:

  • A registered domain uses authoritative DNS services from a provider different from the domain registrar.
  • The authoritative name server cannot resolve queries due to a lack of domain information (lame delegation).
  • The DNS provider allows domain claims without proper ownership verification.

Impact and Exploitation

Since its rediscovery, the Sitting Ducks attack has been used by more than a dozen Russian-affiliated threat actors. The vulnerability, first noted in 2016, has seen a resurgence, with over one million domains potentially vulnerable daily. More than 35,000 domains have been hijacked since 2018, with attackers using these domains for various malicious activities, including:

  • Malware delivery
  • Phishing campaigns
  • Brand impersonation
  • Data exfiltration

Detection and Prevention

The Sitting Ducks attack is particularly insidious because it is easier to perform and harder to detect than other domain hijacking methods, such as dangling CNAMEs. However, it is also preventable. Recommendations for mitigating the risk include:

  • Ensuring DNS providers require domain ownership verification
  • Monitoring for lame delegations
  • Regularly reviewing DNS configurations for vulnerabilities
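As an added illustration of the "monitoring for lame delegations" item (example code written for this page, not from the Infoblox/Eclypsium research), the Python below turns the three Sitting Ducks preconditions into a per-domain check. The `lookup`, `provider_of` and `verifies_ownership` callables are assumed hooks for a real DNS client and provider inventory; all names, operators and replies are constructed sample data.

```python
from dataclasses import dataclass, field
@dataclass
class NsReply:
    rcode: str            # response code of an SOA query, e.g. "NOERROR", "REFUSED"
    authoritative: bool   # True if the AA flag was set in the reply

@dataclass
class DelegationReport:
    domain: str
    lame_servers: list = field(default_factory=list)
    conditions: list = field(default_factory=list)

    @property
    def at_risk(self) -> bool:
        # A domain is a "sitting duck" only when all three preconditions hold.
        return len(self.conditions) == 3

def is_lame(reply) -> bool:
    # A delegated server is lame for the zone if it times out (None), refuses or
    # fails the SOA query, or answers without the authoritative (AA) flag set.
    return reply is None or reply.rcode != "NOERROR" or not reply.authoritative

def assess(domain, parent_ns, registrar, provider_of, verifies_ownership, lookup):
    # parent_ns: NS names delegated by the parent zone; provider_of(ns) -> operator;
    # verifies_ownership(operator) -> bool; lookup(ns, domain) -> NsReply or None.
    report = DelegationReport(domain)
    providers = sorted({provider_of(ns) for ns in parent_ns})
    third_party = [p for p in providers if p != registrar]
    if third_party:
        report.conditions.append("authoritative DNS hosted outside the registrar")
    report.lame_servers = [ns for ns in parent_ns if is_lame(lookup(ns, domain))]
    if report.lame_servers:
        report.conditions.append("lame delegation")
    if any(not verifies_ownership(p) for p in third_party):
        report.conditions.append("provider claims zones without ownership verification")
    return report

# Constructed sample data: reserved .test names and fictional operators only.
PROVIDER = {"ns1.dns-host.test": "DnsHost", "ns2.dns-host.test": "DnsHost",
            "ns1.registrar.test": "RegistrarCo"}
VERIFIES = {"DnsHost": False, "RegistrarCo": True}
REPLIES = {("ns1.dns-host.test", "victim.test"): NsReply("REFUSED", False),   # zone never configured
           ("ns1.registrar.test", "healthy.test"): NsReply("NOERROR", True)}  # ns2 missing -> timeout
def lookup(ns, d): return REPLIES.get((ns, d))  # stand-in for a real DNS client
def run_sample():
    duck = assess("victim.test", ["ns1.dns-host.test", "ns2.dns-host.test"], "RegistrarCo",
                  PROVIDER.__getitem__, VERIFIES.__getitem__, lookup)
    ok = assess("healthy.test", ["ns1.registrar.test"], "RegistrarCo",
                PROVIDER.__getitem__, VERIFIES.__getitem__, lookup)
    return duck, ok
```

Run against live zones by replacing `lookup` with an SOA query that records the rcode and AA flag per delegated server; a domain that trips all three conditions is the one to repair first (fix the zone at the provider or remove the stale NS records at the registrar).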

Real-World Examples and Consequences

The attack has been weaponized by different threat actors, leading to significant disruptions. For instance, GoDaddy, a major domain registrar, has been a victim, with hijacked domains used in spam campaigns and other malicious activities. The attack has also been linked to bomb threat hoaxes and sextortion scams.

Industry Response and Future Actions

Infoblox and Eclypsium are actively collaborating with law enforcement and national Computer Emergency Response Teams (CERTs) to address the threat. They plan to present their findings at the upcoming BlackHat conference, aiming to raise awareness and promote industry-wide solutions.
