Our analysis showed that the use of Sitting Ducks has grown unabated 
over several years and unrecognized in the security industry.

Ducks Now Sitting (DNS): Internet Infrastructure Insecurity By: Eclypsium July 31, 2024

https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/

1. sitting duck

https://eow.alc.co.jp/search?q=%22sitting+duck%22

a defenseless person (easy to attack or to deceive); easy prey, a target

https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/

We initially thought the attack vector was unpublished. Recently we learnt that Matt Bryant had previously described the attack vector in his blog, The Hacker Blog, both in August and December 2016.[2,3] Two years after his initial advisory, Sitting Ducks was used to hijack thousands of domains for use in a series of global spam campaigns that included bomb threats and sextortion.[4]

Floating Domains – Taking Over 20K DigitalOcean Domains via a Lax Domain Import System

1.1. conditions

Attackers can use the Sitting Ducks attack vector under the following conditions and in several variations:

    a registered domain or subdomain of a registered domain uses or delegates authoritative DNS services to a different provider than the domain registrar; this is called delegation
    the delegation is lame, meaning that the authoritative name server(s) of the record does not have information about the domain and cannot, therefore, resolve queries
    the authoritative DNS provider is exploitable, meaning that the attacker can “claim” the domain at the provider and set up DNS records without access to the valid owner’s account at the domain registrar

Variations within this attack include partially lame delegation and redelegation to another DNS provider. Figure 1 shows the conditions for a basic attack.

Lame Delegation + Exploitable Provider = Exploitable Domain

Figure 1. Conditions for a Sitting Ducks Attack

While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known.

Although a Sitting Ducks attack is easy at many popular DNS and website hosting providers, some providers are not exploitable.

1.2. analysis

We performed a large-scale analysis of domain delegations, evaluated about a dozen DNS providers and uncovered widespread use of the attack, most prominently by Russian cybercriminals. Hundreds of domains are hijacked every day, and Infoblox is tracking multiple actors who use this attack.

We found hijacked and exploitable domains across hundreds of TLDs. Hijacked domains are often registered with brand protection registrars; in many cases, they are lookalike domains that were likely defensively registered by legitimate brands or organizations.

Because these domains have such a highly regarded pedigree, malicious use of them is very hard to detect.

1.3. scenario

Figure 2 depicts a common Sitting Ducks attack scenario. In this example:

    a domain, brand[.]com, is registered with Registrar A by Brand Inc.
    the domain owner, Brand Inc., establishes authoritative DNS services with the provider Auth DNS B, which may optionally be the web hosting provider
    the domain brand[.]com is used by Brand Inc. as a website
    after some time, Brand Inc. no longer actively uses the domain brand[.]com, but retains ownership of the domain name through Registrar A
    the authoritative DNS, or web hosting, service for brand[.]com with Auth DNS B expires
    the attacker creates an account with provider Auth DNS B
    the attacker “claims” the domain brand[.]com
    the attacker creates a fake Brand Inc. website and configures DNS at Auth DNS B to resolve IP address record requests to the fake website address
    the attacker sends phishing emails to victims impersonating Brand Inc.
    the victim is infected with malware
    the legitimate domain owner Brand Inc. attempts to configure DNS records for brand[.]com at DNS provider Auth DNS B and is denied

Figure 2. A common Sitting Ducks attack sequence

Unlike many other types of cybercrime, Sitting Ducks attacks are preventable. The attack is possible because of gaps in how domain names and DNS records are managed, maintained, and authorized. Prevention requires everyone to play a part: domain name holders, registrars, authoritative DNS providers, web hosting providers, standards bodies, government regulators, and the cybersecurity community. Recommendations for addressing the problem are included at the end of this blog.

Our discovery of the Sitting Ducks attack leveraged reporting by Proofpoint, independent research by Randy McEoin, and contributions from David Safley. We are grateful for their information sharing and collaboration. We began ethical disclosure notification shortly after validating the attack vector.

Read the Eclypsium coverage of Sitting Ducks here.

Exploitation in the Wild

1.4. discovery

We have discovered over a dozen seemingly different threat actors conducting Sitting Ducks attacks on several exploitable authoritative DNS services. Each of these has some Russian nexus, and one might argue that certain DNS providers have become a veritable Russian cybercriminal playground that has been allowed to grow unchecked for years. Our research revealed that the Sitting Ducks vector has been used to hijack over 35k domains since 2018, although the true number is likely much higher. The earliest known threat actor is Spammy Bear, who appears to have begun hijacking domains in late 2018 at GoDaddy. However, many more providers are exploitable, and we have confirmed hijacking on six DNS providers to date.

Often, a single domain was hijacked by different actors over time. Some exploitable DNS providers are being treated in essence as a “domain lending library,” where threat actors use free accounts to “borrow” a domain for 30-60 days at a time. The rotational use by different actors creates additional obfuscation that makes Sitting Ducks hard to detect. In other cases, an actor has hijacked domains at DNS providers that do not offer free accounts. Similarly, while those with free accounts are typically hijacked for short periods of time, we have seen threat actors hold a domain for over a year. Frequently the hijackers host the stolen domains on notorious Russian providers such as Stark Industries and Evil Empire.[6] Threat actors have obtained SSL certificates for the domains in many cases, both from free services like Let’s Encrypt and paid services like DigiCert.[7] In Table 1 we demonstrate the domain lending library concept as different actors hijacked blizzaktires[.]com over time.

Dates of Use | Malicious IP | Notes
June 11 – July 11, 2022 | 45.136.49.35 | Suspicious porn TDS transmitted through spam
April 4 – May 2, 2023 | 178.250.243.30 | Unknown actor and use
June 11 – June 27, 2024 | 81.19.135.241 | Vacant Viper 404TDS

Table 1. Demonstration of exploitation of blizzaktires[.]com by different actors over time

There are two sets of victims in Sitting Ducks exploitation:

Both types of victims vary widely. While a large percentage of the hijacked domains are owned by large brands, many of them belong to small businesses and individuals. Some were registered by regional and local governments. In many cases, the domains seem to have been configured to auto-renew at the registrar, but the authoritative DNS or hosting services were not renewed. We have even seen actors use the Sitting Ducks vector to hijack domains from other threat actors: there is no honor among thieves.

Once the malicious actor has control of the domain at the name server, they can do whatever they like with it, and analysis of confirmed exploitation indicates that the hijackers have done all manner of bad things.

There are multiple traffic distribution systems (TDSs) operating on stolen domains using the Sitting Ducks attack.[8] The operators of a TDS serve a criminal customer base, and the role of a TDS provider, like a traditional ad broker, is to connect potential victims to malware, phishing, or scams that suit their victim profile. In addition to the threat actor behind 404TDS, who we call Vacant Viper, we have seen VexTrio Viper hijack domains at multiple DNS services.[9] There are also multiple malicious link shortening services, a special form of TDS, built on hijacked domains.[10]

1.5. history

Hijacked domains

Vacant Viper began using Sitting Ducks in December 2019, possibly earlier, and has hijacked approximately 2500 domains each year. In addition to use in 404TDS, they use the stolen domains for spam operations and what appears likely to be command and control (C2) domains. VexTrio first hijacked a domain using Sitting Ducks in early 2020, and several of their affiliates also use the attack vector. TDSs are particularly dangerous as they facilitate cybercrime for hundreds of actors. Vacant Viper is known to affiliate with TA571, for which the 404TDS delivered IcedID and other malware.[11] VexTrio Viper runs the largest and oldest known TDS with over 165 affiliates including SocGholish and ClearFake. We have discovered multiple other yet unnamed actors using Sitting Ducks to create a TDS.[12]

Hijacked domains have also been used directly in phishing attacks and scams, as well as large spam systems. One threat actor appears to use the domains exclusively for shipping-related fraud.[13] Multiple actors are using the domains to distribute porn or dating related content.[14] There is evidence that some domains were used for Cobalt Strike and other malware command and control. Other attacks have used hijacked domains in targeted phishing attacks by creating lookalike subdomains. A few actors have stockpiled hijacked domains for an unknown purpose.

One of the most active threat actors we have discovered hijacks domains from multiple DNS providers. They distribute investment scams through Facebook ads, and possibly other mediums. These ads have targeted over thirty countries and often use lures of government infrastructure programs and investment summits. We intend to publish more about this actor and their history soon – stay tuned!

1.6. A Vulnerable Attack Surface

Sitting Ducks is a pernicious attack that is fundamentally different from other well-publicized techniques designed to take control of domains or subdomains. It requires no access to the registrar and is extremely hard to detect or distinguish from credential theft.

Indeed, Infoblox assumed for several months that the hijacking conducted by an actor we were tracking was due to credential theft at the authoritative DNS provider.

As mentioned in the introduction, the earliest known description of Sitting Ducks was in August 2016 by Matt Bryant. We also unearthed a handful of other reports that included special cases or variations of the attack vector.

Group-IB published a special case of Sitting Ducks via Russian media outlets in November 2020.[15] The attack they describe involves a lapse in the web hosting provider service, whereas we have observed Sitting Ducks attacks that abuse vulnerable authoritative DNS providers in addition to web hosting providers.

According to Group-IB’s blog, the attack vector was reported to Russian registrars and hosting providers, regional registrars, and unnamed international hosting providers. Unfortunately, like Bryant’s alerts in 2016, the attack was not picked up by mainstream media, or in the Russian case, widely reported to the international community.

Sitting Ducks is only the latest example of how attackers exploit misconfigurations in DNS.

1.7. DNS

While DNS serves as the backbone for internet communication, it is often overlooked as a strategic attack surface. Published attack vectors against DNS may be dismissed as inevitable and not receive the same level of mitigation as a software bug, creating a perfect attack surface for malicious actors. Most recently, a default configuration by Squarespace left domain names acquired from Google vulnerable to hijacking.[16]

In DNS, a lame delegation occurs when a name server is delegated, or assigned, to provide authoritative DNS records but does not have the information to do so. In certain cases, the registration for the delegated name server may have expired. A lame delegation attack occurs when the malicious actor registers the expired name server’s domain name. In this attack, the actor gains control of all domains that point to that name server. In addition to expired name server domains, this attack can leverage typos made by the domain owner when entering their name server information at the registrar.

Researchers released an extensive study of the lame delegation attack surface in 2021.[17]

In our research on Sitting Ducks exploitation, we identified multiple active attacks using typosquat name server domains. These attacks require the actor to register a domain but can be very effective, especially when the delegation is only partially lame, meaning that only some of the name servers are incorrectly configured.
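The two paragraphs above describe what a domain owner needs to check: whether every name server in the delegation actually answers authoritatively for the domain, whether only some of them do (partial lameness), and whether a delegated name server host exists at all (the expired or mistyped name server case). The following script is an added example, not Infoblox's, Eclypsium's or the wiki author's code. It separates the classification logic from the network probe so the logic can be run against constructed responses; the `live_probe` function assumes the dnspython package is installed, and every domain, provider and name server name below is constructed.

```python
"""Classify a domain's name server delegation as healthy, partially lame or lame."""
from typing import Callable, Dict, Iterable, List

# A probe takes (name_server_host, domain) and returns one outcome string:
#   "AA"              the server answered authoritatively for the domain
#   "NOT_AA"          it answered, but without the authoritative-answer flag
#   "REFUSED", "SERVFAIL", "NXDOMAIN", "TIMEOUT"  no usable answer
#   "NS_UNRESOLVABLE" the name server host itself has no address
ProbeFn = Callable[[str, str], str]
AUTHORITATIVE = "AA"
UNRESOLVABLE = "NS_UNRESOLVABLE"


def classify_delegation(domain: str, delegated_ns: Iterable[str], probe: ProbeFn) -> Dict[str, object]:
    """Probe every delegated name server and summarise the delegation state."""
    results = {ns: probe(ns, domain) for ns in delegated_ns}
    lame: List[str] = sorted(ns for ns, out in results.items() if out != AUTHORITATIVE)
    unresolvable: List[str] = sorted(ns for ns, out in results.items() if out == UNRESOLVABLE)
    if not results:
        status = "no-delegation"
    elif not lame:
        status = "healthy"
    elif len(lame) == len(results):
        status = "lame"            # every delegated server fails: the basic Sitting Ducks condition
    else:
        status = "partially-lame"  # only some servers fail: still usable by an attacker, per the text
    return {"domain": domain, "status": status, "lame_servers": lame,
            "unresolvable_servers": unresolvable, "results": results}


def live_probe(ns: str, domain: str, timeout: float = 3.0) -> str:
    """Real probe (assumes dnspython is installed): send a SOA query straight to the name server."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    try:
        addr = list(dns.resolver.resolve(ns, "A"))[0].to_text()
    except Exception:
        return UNRESOLVABLE
    try:
        resp = dns.query.udp(dns.message.make_query(domain, "SOA"), addr, timeout=timeout)
    except Exception:
        return "TIMEOUT"
    if resp.rcode() != dns.rcode.NOERROR:
        return dns.rcode.to_text(resp.rcode())
    return AUTHORITATIVE if resp.flags & dns.flags.AA else "NOT_AA"


# Constructed sample responses: what each delegated server answered for each domain.
SAMPLE_RESPONSES = {
    ("ns1.auth-dns-b.example", "brand.example"): "REFUSED",      # service at provider B lapsed
    ("ns2.auth-dns-b.example", "brand.example"): "REFUSED",
    ("ns1.auth-dns-b.example", "partial.example"): AUTHORITATIVE,
    ("ns2.auth-dns-c.exmaple", "partial.example"): UNRESOLVABLE,  # typo in the NS host name
    ("ns1.registrar-a.example", "healthy.example"): AUTHORITATIVE,
    ("ns2.registrar-a.example", "healthy.example"): AUTHORITATIVE,
}

# Constructed registrar export: domain -> name servers delegated at the registrar.
SAMPLE_DELEGATIONS = {
    "brand.example": ["ns1.auth-dns-b.example", "ns2.auth-dns-b.example"],
    "partial.example": ["ns1.auth-dns-b.example", "ns2.auth-dns-c.exmaple"],
    "healthy.example": ["ns1.registrar-a.example", "ns2.registrar-a.example"],
}


def sample_probe(ns: str, domain: str) -> str:
    """Offline probe that replays the constructed responses."""
    return SAMPLE_RESPONSES.get((ns, domain), "TIMEOUT")


def audit(domains: Dict[str, List[str]], probe: ProbeFn = sample_probe) -> Dict[str, Dict[str, object]]:
    """Run the check over a registrar export; swap in live_probe for real domains."""
    return {d: classify_delegation(d, ns_list, probe) for d, ns_list in domains.items()}


if __name__ == "__main__":
    for row in audit(SAMPLE_DELEGATIONS).values():
        print(f"{row['domain']:<18} {row['status']:<15} lame={row['lame_servers']} "
              f"unresolvable={row['unresolvable_servers']}")
```

A "lame" or "partially-lame" result means the delegation points at a provider where the domain is not being served; whether that provider is exploitable (the third condition) is not something a DNS query can tell you, which is why the text recommends asking the provider directly. An "NS_UNRESOLVABLE" entry is the separate lame delegation registration risk: the name server's own domain may have expired or been mistyped.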

While lame delegation attacks take advantage of faulty name server record assignments, these attacks can be generalized to other DNS record types. A dangling DNS record generally refers to a record containing invalid information, typically due to a forgotten configuration. For example, a dangling CNAME attack takes advantage of DNS CNAME records in which the DNS response “redirects” to a domain name whose registration has lapsed. In this attack scenario, the malicious actor registers the lapsed domain and gains pedigree through the forgotten record. Dangling CNAME attacks typically involve subdomains and are considered a type of subdomain hijacking attack. These attacks are actively used by actors and were the subject of recent reporting by Guardio Labs.[18] Dangling CNAME attacks require the actor to register a domain.

Other types of dangling DNS records can be used to hijack domains. Where a subdomain points to a cloud resource that is no longer in use, an attacker may be able to gain access to this resource. Certitude Consulting detailed several examples of this attack in a recent report.[19] During our research, we found several instances of dangling A records, some dating back more than five years. These attacks require the attacker to gain access to the hosting resource.
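The dangling CNAME case described above is the one a zone owner can audit from their own records: follow each CNAME target and see whether the name still exists. The script below is an added example, not code from the original post or from Infoblox or Eclypsium. It walks CNAME chains from a zone export, flags targets that return NXDOMAIN (a lapsed registration or a removed host), and also catches loops. The zone records and lookup results are constructed; the `live_lookup` function assumes dnspython is installed. Checking whether the target's registrable domain is actually unregistered (which needs the public suffix list) is left out.

```python
"""Dangling CNAME audit over a zone export."""
from typing import Callable, Dict, List, Optional, Tuple

# A lookup takes a name and returns (rcode, cname_target_or_None):
#   ("NOERROR", None)     the name exists and is not an alias
#   ("NOERROR", "x.y")    the name is itself a CNAME to x.y
#   ("NXDOMAIN", None)    the name does not exist (lapsed registration or removed host)
LookupFn = Callable[[str], Tuple[str, Optional[str]]]


def follow_target(target: str, lookup: LookupFn, max_hops: int = 8) -> Dict[str, object]:
    """Follow a CNAME target until it reaches a real name, disappears, loops or runs too long."""
    chain: List[str] = [target]
    current = target
    for _ in range(max_hops):
        rcode, next_target = lookup(current)
        if rcode == "NXDOMAIN":
            return {"status": "dangling", "chain": chain, "broken_at": current}
        if rcode != "NOERROR":
            return {"status": "unknown", "chain": chain, "broken_at": current}  # e.g. SERVFAIL, timeout
        if next_target is None:
            return {"status": "ok", "chain": chain, "broken_at": None}
        if next_target in chain:
            return {"status": "loop", "chain": chain, "broken_at": current}
        chain.append(next_target)
        current = next_target
    return {"status": "too-long", "chain": chain, "broken_at": current}


def audit_cnames(records: List[Tuple[str, str]], lookup: LookupFn) -> List[Dict[str, object]]:
    """records: (owner_name, cname_target) pairs taken from a zone export."""
    out = []
    for owner, target in records:
        result = follow_target(target, lookup)
        result["owner"] = owner
        out.append(result)
    return out


def live_lookup(name: str) -> Tuple[str, Optional[str]]:
    """Real lookup (assumes dnspython is installed) through the system resolver."""
    import dns.exception, dns.resolver
    try:
        answer = dns.resolver.resolve(name, "CNAME")
        return ("NOERROR", list(answer)[0].target.to_text().rstrip("."))
    except dns.resolver.NXDOMAIN:
        return ("NXDOMAIN", None)
    except dns.resolver.NoAnswer:
        return ("NOERROR", None)       # name exists but is not an alias
    except dns.exception.DNSException:
        return ("ERROR", None)


# Constructed lookup results for the sample zone.
SAMPLE_LOOKUPS: Dict[str, Tuple[str, Optional[str]]] = {
    "cdn.provider-x.example": ("NOERROR", None),
    "blog-alias.brand.example": ("NOERROR", "cdn.provider-x.example"),
    "promo2019.lapsed-agency.example": ("NXDOMAIN", None),   # the agency let its domain lapse
    "a.loop.example": ("NOERROR", "b.loop.example"),
    "b.loop.example": ("NOERROR", "a.loop.example"),
}

# Constructed zone export: CNAME records owned by brand.example.
SAMPLE_ZONE: List[Tuple[str, str]] = [
    ("www.brand.example", "cdn.provider-x.example"),
    ("blog.brand.example", "blog-alias.brand.example"),
    ("promo.brand.example", "promo2019.lapsed-agency.example"),
    ("loop.brand.example", "a.loop.example"),
]


def sample_lookup(name: str) -> Tuple[str, Optional[str]]:
    """Offline lookup that replays the constructed results; unknown names do not exist."""
    return SAMPLE_LOOKUPS.get(name, ("NXDOMAIN", None))


def dangling_owners(records: List[Tuple[str, str]] = SAMPLE_ZONE, lookup: LookupFn = sample_lookup) -> List[str]:
    """Owners whose CNAME chain ends in a name that no longer exists."""
    return sorted(r["owner"] for r in audit_cnames(records, lookup) if r["status"] == "dangling")


if __name__ == "__main__":
    for r in audit_cnames(SAMPLE_ZONE, sample_lookup):
        print(f"{r['owner']:<22} {r['status']:<9} chain={' -> '.join(r['chain'])}")
```

A "dangling" result is the record to remove or repoint before anyone else can register the lapsed name; an "unknown" result from the live lookup should be retried rather than treated as safe.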

Chinese academic researchers have published multiple studies of dangling DNS records and outlined specific methods for identifying exploitable domains. Their papers include dangling CNAME attacks, attacks against cloud hosting providers and special cases of a Sitting Ducks attack. While these papers do not include active exploitation, they do outline the dangers of dangling DNS records and lame delegation.[20,21,22]

Domain shadowing is another form of attack that might be confused with Sitting Ducks. This type of attack was highlighted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in 2018.[23] The attack allows the malicious actor to create new DNS records within the valid owner’s account. Domain shadowing attacks require the actor to access the existing account at the registrar or the DNS provider. Domain shadowing attacks rely on credential theft and are fundamentally different from DNS delegation or record attacks.

Finally, in 2021, researchers demonstrated that in certain cloud providers they could poison the DNS resolution path and gain access to sensitive internal DNS traffic. Their work focused specifically on Amazon Web Services (AWS).[24] While the researchers did not find active exploitation of the weakness, it highlighted the complexities of delegated name server management for providers. AWS fixed this issue prior to publication, and it has not been reported as a vector for other providers.

Recommendations

Neither Infoblox nor Eclypsium offers commercial authoritative DNS service, and our product offerings are not vulnerable to this attack. However, our customers may still be impacted depending on how they have chosen to operate DNS for the domains they register. We recommend that all domain name owners evaluate their risk.

Everyone has a role in stopping Sitting Ducks attacks.

We recommend that all domain name owners evaluate their risk, particularly those who have held domain names for over 10 years. Three factors are required to be at risk for a Sitting Ducks attack. Readers can use Figure 3 to determine if they are at risk. Table 1 provides methods to evaluate and mitigate each of the criteria necessary for successful exploitation.

Figure 3. These three questions can help determine if an organization is at risk for a Sitting Ducks attack

Exploitation Criteria | Evaluation | Mitigation
Do you use a commercial authoritative DNS provider independent of your DNS registrar? Do you use a website hosting provider independent of your DNS registrar? | Check the account at the domain registrar for name server delegation. | N/A. External authoritative name server delegation is not inherently a risk.
Do you own domains or subdomains with lame name server delegation? These domains or subdomains would point to DNS providers, including hosting providers, where you have no active service agreement. | We urge domain owners to review their name server delegations and ensure that they have active service relationships with any DNS providers in the delegation. We are not providing public information that would allow attackers to identify vulnerable domains. | Replace lame delegation records at the registrar and/or authoritative name server with updated delegation.
Can your DNS or hosting provider be exploited via a Sitting Ducks attack vector? | Contact your authoritative DNS or hosting provider to inquire how they mitigate the risks of the Sitting Ducks attack vector. Authoritative DNS providers need explicit measures in place to reduce the risk of these attacks due to their nature. | Replace lame delegation records at the registrar and/or authoritative name server with updated delegation. Encourage your DNS or hosting provider to follow best practices to prevent Sitting Ducks attacks and to publicly document their mitigations.

Table 1. Evaluation and mitigation of Sitting Ducks exploitation criteria: successful exploitation requires all three circumstances to occur

While Sitting Ducks attacks cleverly leverage misconfigurations in DNS, those misconfigurations are not impossible to mitigate. Our research found that certain DNS providers were not exploitable even when lame name server delegations existed. These providers had procedures in place that we consider best practices for the industry. We recommend that all authoritative DNS providers, including web hosting providers, incorporate mechanisms to close off the Sitting Ducks attack vector:

DNS providers who cannot implement defensive techniques such as the above can take other measures. For example, they can:

Registrars can:

The TLD servers and others in the resolution chain could thwart attacks by establishing mechanisms to identify and remove lame delegation.

Government organizations, regulators, and standards bodies should consider long-term solutions to vulnerabilities in the DNS management attack surface. Regulators should ensure that organizations within their scope use only providers that can thwart the Sitting Ducks attack vector.

Without cooperation and active effort, Sitting Ducks attacks will continue to rise. This attack already plays a part in cybercrime targeting dozens of countries around the world, costing consumers an untold amount of money and loss of privacy. But the potential threat of these attacks is far greater than what we have uncovered thus far in our research. We encourage readers to help educate others and help ensure that those who can help stop these attacks do so.

Footnotes


}}}

1.8. history


CategoryDns CategoryWatch CategoryTemplate

MoinQ: DNS/SittingDucksAttack (last edited 2024-08-26 11:53:23 by ToshinoriMaeno)