Sitting Ducks DNS Attack Hijacks 35,000 Domains


Cybercriminals have been exploiting a DNS attack technique known as Sitting Ducks since at least 2019 to facilitate malware delivery, phishing, brand impersonation, and data exfiltration.

This widespread DNS vulnerability affects multiple providers, enabling attackers to hijack domains undetected.

Security researchers from Infoblox and Eclypsium have uncovered this critical flaw, revealing that it impacts approximately one million domains, with over 35,000 confirmed hijackings due to inadequate domain verification by DNS providers.

Technical Analysis

The Sitting Ducks attack is actively being exploited for malware distribution, brand impersonation, data theft, and phishing.

Security teams at Infoblox and Eclypsium are working closely with law enforcement agencies and national CERTs to address this serious security threat.

Originally reported in 2016, the Sitting Ducks attack remains a widely used technique targeting vulnerabilities in the DNS infrastructure.

This method allows hackers to seize control of domains without compromising the owners' accounts at registrars or DNS providers.

Exploiting DNS Misconfigurations

Attackers take advantage of misconfigurations within domain delegation, particularly "lame" delegations (a domain whose nameserver records point at a DNS provider that is not actually serving the zone), to wrest control of domains from vulnerable DNS providers.
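The condition described above can be audited from the defender's side: compare the nameservers a parent zone delegates to with what each of those nameservers actually answers for the zone, and flag any delegation where the listed servers are not authoritative. The script below is an added illustration written for this page, not code from Infoblox, Eclypsium or the original article. It works on constructed data: `delegations` (the NS records published at the parent) and `responses` (the outcome a live checker would record after sending an SOA query for the zone straight to each nameserver). The zone names, nameserver hostnames and provider names are all made up, and the `provider_of` heuristic is a deliberately naive assumption for grouping.

```python
# Added example: offline audit of parent-side NS delegations for "lame" entries.
# Input shapes and sample data are constructed for illustration; a live checker
# would fill `responses` by sending an SOA query for each zone directly to each
# delegated nameserver (not through a recursive resolver).
from typing import Dict, List, Tuple

AUTHORITATIVE = "AA"        # reply carried the AA flag: nameserver really serves the zone
NOT_AUTHORITATIVE = "NOAA"  # reply without AA (e.g. the server recursed instead of answering)
REFUSED = "REFUSED"         # nameserver knows nothing about the zone
SERVFAIL = "SERVFAIL"
TIMEOUT = "TIMEOUT"         # no reply; also used when no observation was recorded


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so lookups match."""
    return name.rstrip(".").lower()


def provider_of(nameserver: str) -> str:
    """Naive owner guess for a nameserver host: its last two labels (assumption).
    Good enough to group hostnames like ns1.dns-provider-a.example."""
    labels = _norm(nameserver).split(".")
    return ".".join(labels[-2:])


def audit_delegations(delegations: Dict[str, List[str]],
                      responses: Dict[Tuple[str, str], str]) -> Dict[str, dict]:
    """Classify each zone's delegation as ok, partially-lame or fully-lame.

    A nameserver is "lame" for a zone when the parent lists it but it does not
    answer authoritatively for that zone. A fully lame delegation is the
    condition the article describes: the zone points at a provider that does
    not currently serve it, so whoever that provider next allows to claim the
    zone name receives the domain's traffic.
    """
    report = {}
    for zone, nameservers in delegations.items():
        z = _norm(zone)
        outcomes = {_norm(ns): responses.get((_norm(ns), z), TIMEOUT) for ns in nameservers}
        lame = sorted(ns for ns, out in outcomes.items() if out != AUTHORITATIVE)
        if not lame:
            status = "ok"
        elif len(lame) == len(outcomes):
            status = "fully-lame"
        else:
            status = "partially-lame"
        report[z] = {
            "status": status,
            "lame_nameservers": lame,
            "providers": sorted({provider_of(ns) for ns in outcomes}),
            "outcomes": outcomes,
        }
    return report


def zones_at_risk(report: Dict[str, dict]) -> List[str]:
    """Zones whose every delegated nameserver is lame: the ones to fix first."""
    return sorted(z for z, r in report.items() if r["status"] == "fully-lame")


# --- constructed sample data (the .example TLD is reserved for documentation) ---
SAMPLE_DELEGATIONS = {
    "shop.example.": ["ns1.dns-provider-a.example.", "ns2.dns-provider-a.example."],
    "mail.example.": ["ns1.dns-provider-b.example.", "ns2.dns-provider-b.example."],
    "corp.example.": ["ns1.corp.example.", "ns2.corp.example."],
}
SAMPLE_RESPONSES = {
    ("ns1.dns-provider-a.example", "shop.example"): REFUSED,
    ("ns2.dns-provider-a.example", "shop.example"): REFUSED,
    ("ns1.dns-provider-b.example", "mail.example"): AUTHORITATIVE,
    # ns2.dns-provider-b.example has no entry: treated as TIMEOUT
    ("ns1.corp.example", "corp.example"): AUTHORITATIVE,
    ("ns2.corp.example", "corp.example"): AUTHORITATIVE,
}

if __name__ == "__main__":
    rep = audit_delegations(SAMPLE_DELEGATIONS, SAMPLE_RESPONSES)
    for zone, r in rep.items():
        print(f"{zone:14} {r['status']:15} lame={r['lame_nameservers']} providers={r['providers']}")
    print("fix first:", zones_at_risk(rep))
```

In the sample, `shop.example` is fully lame (both delegated servers refuse the zone), `mail.example` is partially lame (one server silent), and `corp.example` is healthy. The fix for a fully lame delegation is on the domain owner's side: either create the zone at the delegated provider under an account you control, or update the NS records at the registrar to point at servers that actually host the zone.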

The persistence of this attack underscores the need for improved DNS security practices and stronger verification mechanisms to prevent large-scale domain hijacking.