35,000 Domains Hijacked by Hackers in Sitting Ducks DNS Attack

Security experts from Infoblox and Eclypsium are warning about the Sitting Ducks DNS attack (also known as Ducks Now Sitting – DNS), which threatens over a million domains every day. According to researchers, hackers have already hijacked 35,000 domains, as Sitting Ducks allows attackers to claim ownership of a domain without accessing the owner’s account at the DNS provider or registrar.

The Sitting Ducks attack exploits configuration issues at the registrar level and insufficient ownership verification by DNS providers. Problems related to Sitting Ducks were first documented back in 2016 by Snap’s Matthew Bryant. However, even years later, this attack vector remains a simple and effective way to hijack domains.

Researchers note that numerous Russian-speaking hacker groups have been using this tactic for years, leveraging hijacked domains for spam campaigns, fraud, malware delivery, phishing, and data theft.

How the Sitting Ducks Attack Works

To carry out a Sitting Ducks attack, the following conditions must be met:

  • A registered domain or subdomain uses authoritative DNS services from a provider other than the domain registrar (this is called name server delegation);
  • The domain is registered with one authoritative DNS provider, but the domain or subdomain is configured to use another DNS provider;
  • Name server delegation is broken, meaning the authoritative name server has no information about the domain and cannot answer queries for the domain or its subdomains;
  • The DNS provider allows someone to claim a domain without proper ownership verification and without access to the owner’s account.

Variants of the Sitting Ducks attack are also possible in cases of partial delegation issues (not all name servers are misconfigured) and re-delegation to another DNS provider.

Attack Implementation and Consequences

Infoblox experts explain that attackers can use the Sitting Ducks attack on domains that utilize authoritative DNS services from a provider different from the registrar (such as a hosting provider). If the authoritative DNS or hosting registration for the target domain expires, attackers can claim the domain by creating an account with the DNS provider. This allows them to create malicious sites on the domain and configure DNS settings to resolve to fake addresses. The legitimate owner loses the ability to change DNS records.

Once a domain is hijacked, it can be used for various fraudulent activities, including malware distribution, spam, and more.

Scale and Notable Incidents

Researchers observed many attackers exploiting the Sitting Ducks issue in 2018 and 2019. Since then, at least 35,000 domain hijackings using this technique have been recorded. Typically, attackers held domains for a short period, but in some cases, they retained control for up to a year. There have also been instances where multiple groups took turns hijacking the same domain, each using it for one to two months before passing it on.

It has been confirmed that GoDaddy was one of the victims of Sitting Ducks attacks, but researchers state that at least six DNS providers remain vulnerable to this problem.

Threat Actor Clusters Exploiting Sitting Ducks

Currently, the following threat clusters are known to exploit Sitting Ducks:

  • Spammy Bear – Hijacked GoDaddy domains in late 2018 for spam campaigns;
  • Vacant Viper – Began using Sitting Ducks in December 2019 and annually hijacks about 2,500 domains, which are used in the 404TDS system to spread IcedID malware and create command-and-control domains for malicious software;
  • VexTrio Viper – Started using Sitting Ducks in early 2020 to leverage domains in a large-scale Traffic Distribution System (TDS) involved in SocGholish and ClearFake operations;
  • Unknown groups – Several smaller, lesser-known attackers who create their own TDS, spread spam, and conduct phishing.

Recommendations for Domain Owners and Registrars

Experts recommend that domain owners regularly check their DNS configurations for delegation issues (especially on older domains) and update delegation records with the registrar or authoritative name server as needed.

Registrars, in turn, are advised to proactively check for broken delegations and notify domain owners about any issues.
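The precondition described under "How the Sitting Ducks Attack Works" (a delegated name server that has no information about the zone) and the recommendation above (regularly check for delegation issues) both come down to one test: ask each delegated name server for the zone's SOA record and see whether it answers authoritatively. The script below is an added example, not code from Infoblox, Eclypsium, or the original article. It uses only the Python standard library, so the minimal DNS wire-format client in it is written for this example; the name server hostnames and IPs are supplied by the caller (resolve them from the registrar's NS records with your usual tooling). It distinguishes a fully broken delegation (no server serves the zone) from the partial-delegation variant the article mentions.

```python
"""Lame-delegation checker for the Sitting Ducks precondition.

Added example (not from the Infoblox/Eclypsium research). For each delegated
name server it sends a non-recursive SOA query for the zone apex and classifies
the reply: an authoritative answer means the server really serves the zone;
REFUSED, SERVFAIL, NXDOMAIN, a non-authoritative reply, or silence means the
delegation points at a server that does not have the zone.
"""
import random
import socket
import struct
import sys
from typing import Dict, Optional

SOA_TYPE = 6
CLASS_IN = 1


def build_soa_query(domain: str, txid: int) -> bytes:
    """Build a DNS SOA query with RD=0: we want the server's own view, not recursion."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", SOA_TYPE, CLASS_IN)


def parse_response(packet: bytes, expected_txid: int) -> dict:
    """Extract only what delegation health needs: RCODE, the AA flag, and the answer count."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400), "ancount": ancount}


def classify(result: Optional[dict]) -> str:
    """One server's verdict: 'authoritative' (serves the zone), 'lame' (answers but
    does not serve it), or 'unreachable' (no reply)."""
    if result is None:
        return "unreachable"
    if result["rcode"] == 0 and result["aa"] and result["ancount"] > 0:
        return "authoritative"
    return "lame"


def query_soa(ns_ip: str, domain: str, timeout: float = 3.0) -> Optional[dict]:
    """Send a single UDP SOA query to a name server; None on timeout."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_soa_query(domain, txid), (ns_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data, txid)


def delegation_verdict(per_server: Dict[str, str]) -> str:
    """'broken': no delegated server has the zone (the Sitting Ducks condition);
    'partial': some servers have it (the partial-delegation variant); 'healthy': all do."""
    states = set(per_server.values())
    if states == {"authoritative"}:
        return "healthy"
    if "authoritative" in states:
        return "partial"
    return "broken"


def check_domain(domain: str, name_servers: Dict[str, str]) -> dict:
    """name_servers maps delegated NS hostname -> IP (resolved by the caller)."""
    per_server = {ns: classify(query_soa(ip, domain)) for ns, ip in name_servers.items()}
    return {"servers": per_server, "verdict": delegation_verdict(per_server)}


if __name__ == "__main__":
    # Usage: python check.py example.com ns1.host.example=192.0.2.1 ns2.host.example=192.0.2.2
    # (hostnames and addresses above are placeholders; supply your own delegated servers)
    if len(sys.argv) < 3:
        sys.exit("usage: check.py <domain> <ns-host=ip> [<ns-host=ip> ...]")
    zone = sys.argv[1]
    servers = dict(arg.split("=", 1) for arg in sys.argv[2:])
    report = check_domain(zone, servers)
    for ns, state in report["servers"].items():
        print(f"{ns}: {state}")
    print(f"delegation: {report['verdict']}")
```

A "broken" or "partial" verdict on a domain you own is the signal to fix the NS records at the registrar (or restore the zone at the DNS provider) before anyone else can claim the dangling name; run it periodically over your whole portfolio, since the article notes that older, forgotten domains are the ones most likely to have drifted into this state.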
