In a span of less than six months, cybercriminals have seized control of 70,000 domains from an estimated 800,000 that are susceptible to a straightforward ‘Sitting Ducks’ attack. Security experts had previously cautioned that such attacks were on the horizon unless domain owners applied a simple remedy. Unfortunately, very few owners took action.
In July 2024, researchers from Infoblox Threat Intel brought attention to the underreported and easily exploitable Sitting Ducks vulnerability, which impacts millions of websites. Since that time, at least 70,000 domains monitored by researchers have been compromised by attackers.
Among the affected domains are those associated with prominent entities such as CBS Interactive, McDonald’s Corporation, JM Eagle, and Mississippi Baptist Health Systems. A recent report also indicated that Missouri.com was among the hijacked sites.
Infoblox Threat Intel noted that the victimized domains encompass well-known brands, non-profit organizations, and government agencies. The attackers exploit misconfigurations in the DNS settings of specific domains. These attacks are relatively simple to carry out and challenging to detect. However, the configuration flaw, referred to as ‘lame delegation,’ has not been classified as an official CVE (Common Vulnerabilities and Exposures) entry by the relevant authorities.
Some of the hijacked websites change ownership frequently as various threat actors vie for control, stealing the same domains from one another.
How does it work?
As previously reported by Cybernews, the Sitting Ducks attack requires certain conditions to be met. First, the domain name must be registered with one registrar, while a different provider manages the DNS services for that domain. Furthermore, the delegation must be ‘lame,’ meaning that the name server the domain is delegated to does not hold the zone and therefore cannot answer queries for the domain authoritatively.
Importantly, the DNS provider must be susceptible to exploitation, enabling attackers to assert control over the domains and establish new DNS records without needing access to the legitimate owner’s account. It has been observed that misconfigured DNS name servers are prevalent, allowing malicious entities to seize complete control of the domain by altering its DNS settings.
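The conditions above can be checked from the defender's side. The following is an added example (not code from Infoblox or Cybernews) that reads a domain's delegation from the parent zone and asks each delegated name server for the zone's SOA; a server that refuses, fails, times out, or answers without the AA flag is lame. The live functions assume the dnspython package; the classification logic takes constructed answers and runs offline.

```python
"""Lame-delegation check for the Sitting Ducks preconditions described above.
Added example, not code from Infoblox or Cybernews. The live functions assume
dnspython is installed; the classification logic is pure and runs offline."""
from dataclasses import dataclass

@dataclass(frozen=True)
class NSAnswer:
    nameserver: str      # name server delegated by the parent zone
    rcode: str           # "NOERROR", "REFUSED", "SERVFAIL", "TIMEOUT", ...
    authoritative: bool  # AA flag set on the SOA reply

def is_lame(a: NSAnswer) -> bool:
    """One NS is lame when it does not answer authoritatively for the zone."""
    return a.rcode != "NOERROR" or not a.authoritative

def classify_delegation(answers: list[NSAnswer]) -> str:
    """'healthy': all NS authoritative; 'partial': some lame;
    'lame': no NS at all, or every delegated NS lame (the Sitting Ducks precondition)."""
    lame = [a for a in answers if is_lame(a)]
    if not answers or len(lame) == len(answers):
        return "lame"
    return "healthy" if not lame else "partial"

def delegated_nameservers(domain: str, timeout: float = 3.0) -> list[str]:
    """Read the delegation from a parent-zone server (NS records in the
    referral's authority section), so a lame child cannot mask it."""
    import dns.message, dns.query, dns.rdatatype, dns.resolver
    parent = domain.split(".", 1)[1]
    parent_ns = str(dns.resolver.resolve(parent, "NS")[0].target)
    parent_ip = str(dns.resolver.resolve(parent_ns, "A")[0])
    reply = dns.query.udp(dns.message.make_query(domain, "NS"), parent_ip, timeout=timeout)
    names = set()
    for rrset in reply.answer + reply.authority:
        if rrset.rdtype == dns.rdatatype.NS:
            names.update(str(rr.target).rstrip(".") for rr in rrset)
    return sorted(names)

def probe_delegation(domain: str, timeout: float = 3.0) -> list[NSAnswer]:
    """Ask each delegated NS for the zone's SOA and record how it answers."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    results = []
    for ns in delegated_nameservers(domain, timeout):
        try:
            ip = str(dns.resolver.resolve(ns, "A")[0])
            reply = dns.query.udp(dns.message.make_query(domain, "SOA"), ip, timeout=timeout)
            results.append(NSAnswer(ns, dns.rcode.to_text(reply.rcode()),
                                    bool(reply.flags & dns.flags.AA)))
        except Exception:  # timeout, unresolvable NS, network error
            results.append(NSAnswer(ns, "TIMEOUT", False))
    return results
```

Run `classify_delegation(probe_delegation("yourdomain.example"))` over the domains you own; a "lame" or "partial" result for a domain whose DNS is hosted by a provider that lets anyone claim unassigned zones is the configuration the article warns about, and the fix is to point the delegation at name servers that actually serve the zone.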
The researchers estimate that over one million registered domains are at risk of a Sitting Ducks attack on any given day. The majority of the vulnerable domains identified have their name servers linked to a limited number of DNS providers. Cybercriminals often hijack domains with established reputations to create infrastructure for additional cyberattacks, as this tactic helps them avoid detection. Consequently, visitors may be redirected to servers controlled by attackers, where malicious content is disseminated.
Cybercriminals frequently exploit free online services, such as DNS Made Easy, to temporarily host domain names for a period of 30 to 60 days. Once the free service period concludes, the domains become ‘lost’ and are subsequently claimed by other attackers. This attack vector can be entirely mitigated through proper configurations at both the domain registrar and DNS provider levels.
According to Infoblox, DNS misconfigurations arise from various oversights, and multiple stakeholders can contribute to their resolution. Domain holders are responsible for their domain configurations, while both registrars and DNS providers can implement measures to make such hijacks more difficult and facilitate remediation.
The researchers identified two primary threat actors exploiting this vulnerability. The first, referred to as Vacant Viper, reportedly steals approximately 2,500 domains annually for use in spam operations.