Sitting Ducks attacks on the rise: domain names hijacked without intrusion

What is a Sitting Ducks attack?

Domain names are being hijacked undetected through Sitting Ducks attacks. The attack succeeds without compromising the account linked to the domain, which the DNS provider is supposed to protect. The damage can be extensive: cybercriminals gain the opportunity to spread malware and phishing under the hijacked domain name.

DNS providers are the target of Sitting Ducks attacks. Such attacks allow cybercriminals to hijack domain names and then abuse them, in the form of malware distribution, phishing campaigns, brand impersonation and data exfiltration. Cobalt Strike is reported to have already been distributed illegally in this way.

Researchers at Infoblox and Eclypsium investigated this attack method and discovered active abuse at several DNS providers. These providers share the blame, because they do not properly verify that the person claiming a domain actually controls it. Thanks to this negligence, attackers can skip the hard part: compromising the account of the domain's owner. According to the study, over one million domain names are vulnerable at any given time.

Misconfigurations or the wrong DNS provider

One trait most of the vulnerable domain names share is that the domain was set to auto-renew at the registrar while the hosting services were not. In general terms, three factors can make a domain name vulnerable to attack. First, the DNS delegation may be ‘lame,’ meaning that the name servers the domain points to do not hold the information needed to answer queries for it. Second, “name server delegation” can introduce the vulnerability: a registered (sub)domain uses the DNS service of a provider that is not its registrar.

The third factor is that the DNS provider itself has not put its house in order. Attackers can exploit such providers and claim a domain name through the DNS provider without ever logging into the owner’s account. Those who do their homework naturally do not register their domain names with such providers. Checking is not difficult, because a regularly updated list circulates on GitHub with the latest information on each DNS provider’s security.

DNS as a vulnerable system

The study on Sitting Ducks shows that the attack is active again. The first mention dates back to 2016. Eight years later, DNS and web hosting providers remain vulnerable. Securing this attack vector has always been difficult. Domain names are also hijacked in related attacks such as dangling DNS, which targets deleted domain names whose DNS records were not cleaned up thoroughly.

According to the researchers, a Sitting Ducks attack is easier to execute and has a higher success rate. In a dangling DNS attack, the attacker has to guess whether a domain name once existed and whether it was poorly cleaned up. Whereas that type of attack relies on assumptions, a Sitting Ducks attack starts from facts.

Cybercriminals developed these attacks, like many others, to exploit misconfigurations in DNS. Of the three factors that make a domain name vulnerable, two can be traced to misconfigurations. Given the general attitude in this market, such flaws are easy to exploit: providers too often dismiss bugs in the system as an inevitable consequence of how the infrastructure is put together. In short, protection in this area can and must improve.

Scan or switch the provider

How can a domain name owner make sure it does not become one of the million vulnerable domain names? First, it is better if the registrar and the DNS provider are the same company, or companies that are linked to each other; this prevents “name server delegation”. If that option is ruled out, check whether any of your (sub)domains point to service providers at which your company's account has lapsed. Finally, it is wise to scan for possible misconfigurations with open-source tools such as the recently updated SanicDNS. This tool was developed by Dutch start-up Hadrian and can resolve up to five million domain names per second, exceeding the capacity of MassDNS, which has long been the standard. The tool was recently presented at DEFCON and is available via GitHub.
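The two checks a domain owner can actually run themselves, from the three risk factors above (lame delegation and delegation to a name server outside the registrar) and the advice in this section, are shown below as an added example. It is not code from the article, from Infoblox/Eclypsium, or from SanicDNS; it uses only the Python standard library. For every name server the domain is delegated to, it sends a non-recursive SOA query directly to that server and reads the AA (authoritative answer) flag and RCODE from the reply. A server that refuses, errors out, or answers without AA is lame for that zone, and a lame server operated by anyone other than the registrar is exactly the case the article says you must then look up on the public provider list. All domain and name server names below are hypothetical, and the recorded answers are constructed so the logic can be exercised offline; the `probe_soa` function does the real network query when you pass your own domain.

```python
"""Delegation check for the Sitting Ducks risk factors: lame delegation and
name servers outside the registrar. Stdlib only; hypothetical sample data."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample (hypothetical names, not real measurements): the NS set the
# parent zone hands out for the domain, and what each server replied to a direct
# SOA query, as (rcode, aa_flag).
EXAMPLE_DOMAIN = "example-shop.test"
EXAMPLE_REGISTRAR_NS_SUFFIX = "registrar-dns.test"   # assumed: the registrar's own NS names
EXAMPLE_NAME_SERVERS = [
    "ns1.registrar-dns.test",
    "ns1.cheap-dns.test",
    "ns2.cheap-dns.test",
]
EXAMPLE_ANSWERS = {
    "ns1.registrar-dns.test": ("NOERROR", True),   # healthy: authoritative answer
    "ns1.cheap-dns.test": ("REFUSED", False),      # zone was never configured here
    "ns2.cheap-dns.test": ("NOERROR", False),      # answered, but not authoritative
}


def build_soa_query(domain: str) -> tuple[int, bytes]:
    """Build a minimal DNS query for the zone's SOA record with RD=0."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: no recursion desired
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack(">HH", 6, 1)  # QTYPE SOA = 6, QCLASS IN = 1
    return txid, header + question


def parse_reply(packet: bytes, expected_txid: int) -> tuple[str, bool]:
    """Return (rcode_name, aa_flag) from the 12-byte DNS reply header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS reply")
    txid, flags = struct.unpack(">HH", packet[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    aa = bool(flags & 0x0400)          # AA bit
    rcode = flags & 0x000F             # low four bits
    return RCODES.get(rcode, f"RCODE{rcode}"), aa


def probe_soa(ns_host: str, domain: str, timeout: float = 3.0) -> tuple[str, bool]:
    """Network probe: ask ns_host directly for domain's SOA over UDP port 53."""
    try:
        ip = socket.gethostbyname(ns_host)
        txid, query = build_soa_query(domain)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (ip, 53))
            data, _ = sock.recvfrom(512)
        return parse_reply(data, txid)
    except (OSError, ValueError):
        return "TIMEOUT", False


def classify_server(rcode: str, aa: bool) -> str:
    """A server is only healthy for the zone if it says NOERROR with AA set."""
    if rcode == "NOERROR" and aa:
        return "authoritative"
    if rcode == "TIMEOUT":
        return "unreachable"
    return "lame"


def assess_delegation(domain, name_servers, registrar_ns_suffix, probe=probe_soa):
    """Map the risk factors onto one delegation. `probe` is injectable so the
    logic can run offline against recorded answers."""
    servers = {}
    for ns in name_servers:
        rcode, aa = probe(ns, domain)
        servers[ns] = {
            "status": classify_server(rcode, aa),
            "rcode": rcode,
            "outside_registrar": not ns.endswith("." + registrar_ns_suffix),
        }
    lame = sorted(ns for ns, s in servers.items() if s["status"] == "lame")
    third_party_lame = [ns for ns in lame if servers[ns]["outside_registrar"]]
    return {
        "domain": domain,
        "servers": servers,
        "lame": lame,
        "delegated_outside_registrar": any(s["outside_registrar"] for s in servers.values()),
        # The third factor (whether the provider lets someone claim the zone) is not
        # visible in DNS; these operators must be looked up on the public list.
        "review_against_provider_list": third_party_lame,
    }


if __name__ == "__main__":
    offline = lambda ns, _domain: EXAMPLE_ANSWERS[ns]   # replace with probe_soa for a live check
    report = assess_delegation(EXAMPLE_DOMAIN, EXAMPLE_NAME_SERVERS,
                               EXAMPLE_REGISTRAR_NS_SUFFIX, probe=offline)
    for ns, s in report["servers"].items():
        print(f"{ns:26} {s['status']:14} rcode={s['rcode']:8} third-party={s['outside_registrar']}")
    print("lame servers to check against the provider list:", report["review_against_provider_list"])
```

Run against the recorded sample, the registrar's own server is reported as authoritative while both third-party servers come out lame (one refuses the query, the other answers without the AA bit, which a resolver should treat the same way), so the report lists both as operators to check against the provider list. The probe deliberately sends RD=0, because a recursive answer from a server that does not hold the zone would otherwise mask exactly the condition being tested.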

To put the vulnerability in perspective, it is still important to look at the actual number of attacks carried out. The researchers found evidence of 35,000 domain name hijackings between 2018 and 2024, so in that respect the number of exploits appears relatively low. However, it is very likely that the researchers did not uncover every hijacking, because the attacks are often classified as credential theft. In that case, the domain administrator’s credentials are assumed to have been stolen from the DNS provider, but the result is the same.

Lingering problem

The Sitting Ducks attack is a long-standing method that has been gaining ground again recently. Although exploitation numbers are potentially higher than stated, DNS providers feel little urgency to address the situation. Since the discovery in June 2024, researchers at Infoblox and Eclypsium have been working with law enforcement agencies and national CERTs to change that.