Cybersecurity researchers from Infoblox and Eclypsium have discovered a critical vulnerability within the Domain Name System (DNS) that is currently being exploited by Russian cybercriminals to take over legitimate websites.
Dubbed the ‘Sitting Ducks’ attack, the method is being used by more than a dozen Russian-affiliated threat actors to hijack domain names.
The issue, first noted in 2016, has seen a resurgence this year, and since its rediscovery, the two companies have collaborated with law enforcement and national Computer Emergency Response Teams (CERTs).
Sitting Duck attacks are on the rise
The Sitting Ducks attack targets DNS providers through a combination of lame delegation and insufficient validation of domain ownership, allowing attackers to claim domains at DNS providers without needing access to the legitimate owner’s account.
The research highlights the alarmingly common nature of exploitable domains, with more than one million vulnerable targets on any given day.
Moreover, the researchers say that the method is easy to perform and difficult to detect, but importantly for potential victims, it’s also entirely preventable.
After hijacking a currently registered domain by exploiting vulnerable DNS providers, an attacker can conduct a range of malicious activities, including malware delivery, phishing campaigns, brand impersonation and data exfiltration.
For the most part, the attack remains largely unknown and is harder to detect than other domain-hijacking methods like dangling CNAMEs.
Recommendations for preventing the Sitting Ducks attack include ensuring DNS providers require domain ownership verification and monitoring for lame delegations.
Furthermore, Infoblox and Eclypsium are to present their findings and further details at the upcoming BlackHat conference, offering an opportunity for the cybersecurity community to address the threat.
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/MPkj3oeWqXSyUdzLAcGvxF-1200-80.jpg
Source link
