Eight-Year-Old ‘Sitting Ducks’ DNS Vulnerability Exploited for Unchecked Web Domain Hijacking
More than 30,000 domains have been confirmed hijacked since 2019, and ‘a million’ are at risk, according to security companies.
The global Domain Name System (DNS) is so ingrained in the way the web functions that you would expect service providers and consumers to make sure it is set up and managed properly.
That’s the theory — now for the reality.
Hundreds of domains a day is a small number set against the whole DNS, but not a harmless one: that is what careless administration of the global DNS has let several of Russia’s most notorious cybercriminal gangs hijack.
That’s what a security research collaboration between Infoblox and Eclypsium found when they tracked the spread of a small family of DNS hijacking techniques that they nicknamed collectively ‘Sitting Ducks’.
‘We estimate 1M exploitable domains and there are 30k+ hijacked domains we have validated since 2019,’ Eclypsium added in a blog post.
More than a dozen criminal groups were taking advantage of it, Infoblox said, with some domains being targeted by several groups at once. Nearly all had belonged to large companies, and were subsequently used to shill scams of every stripe.
Remarkably, weaknesses of this kind have been known about for at least eight years, since a researcher wrote two blog posts on the subject.
That apparently was enough to make the cloud providers do something, but not much else. Sitting Ducks has reappeared several times since then in various waves of attacks, and continues to this day, while national CERTs are standing by, waiting to read about its latest incarnations in the news.
‘DNS is really the backbone of the Internet, but it unfortunately doesn’t get enough operational attention as a strategic attack surface,’ said Infoblox.
Rogue DNS
DNS is the largely invisible hierarchical system of name servers that enables the web to function. Every time you visit a website (xyz.com), DNS is the system that resolves that name into the IP address that internet hosts actually use.
It is so central that when your site is slow (or, worse, down), DNS is the first suspect, either because it is under a distributed denial of service (DDoS) attack or because it is misconfigured.
However, that also means that if you can compromise a domain’s DNS, that is, point its records at a server you control, you can send every visitor to that domain to your own rogue site.
That potential is why new methods of undermining DNS turn up with disturbing frequency; the battle is always to find them before they cause serious harm.
Perhaps DNS’s greatest challenge is that, while some organisations pay a lot of attention to it, many do not, and there’s no fail-safe mechanism to apply collective remediation in such cases.
Ducking under the radar
Infoblox reported it learned of the DNS vulnerabilities exploited by Sitting Ducks whilst investigating the domains of a Russian criminal traffic distribution system, known as 404TDS. How had the attackers managed to hijack so many domains with no pushback?
DNS attacks tend to fit into only a handful of clearly recognisable types, such as cache poisoning (injecting forged answers into a resolver’s cache so that it hands out the attacker’s address), domain shadowing (using a compromised registrar or DNS account to create malicious sub-domains under a legitimate domain), or dangling-CNAME takeovers (claiming the third-party resource that a forgotten CNAME record still points to).
Sitting Ducks, it turned out, was different. It exploits weaknesses in the way domains are managed, or not managed: a domain can become ‘lame’.
This happens when the domain owner delegates authoritative DNS to a provider other than its registrar: the registry’s NS records for the legally registered domain point at the second provider’s name servers.
But no zone for the domain is actually configured at that provider, so its servers cannot answer queries for it. Criminals then step in and create the missing zone at the second provider, without having to prove that they are the owner, whose registration and delegation records sit untouched at the first.
You’d think the fix would be easy: have the delegated provider verify ownership of a domain before anyone can create a zone for it. Some providers do; not all.
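The check a domain owner would want at this point is the one the researchers describe: ask each name server listed in the parent zone, directly and without recursion, for the domain’s SOA record, and see whether it actually serves the zone. The following is an added example, not code from the original article or from Infoblox or Eclypsium. The domain and name-server names are fictitious and the replies are constructed; the optional `live_query` probe uses dnspython and is only needed against real domains.

```python
"""Lame-delegation audit for the Sitting Ducks condition.

A domain is a Sitting Ducks candidate when the parent zone delegates it (NS
records) to a DNS provider that does not actually serve the zone. Such a name
server answers a direct, non-recursive SOA query with REFUSED or SERVFAIL, or
with NOERROR but without the Authoritative Answer (AA) bit. Whether the
provider then lets a stranger create the missing zone must be checked by hand.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class DnsReply:
    rcode: str                       # "NOERROR", "REFUSED", "SERVFAIL", "TIMEOUT", ...
    aa: bool = False                 # Authoritative Answer flag from the header
    soa_mname: Optional[str] = None  # MNAME of an SOA in the answer section, if any
    timed_out: bool = False


LAME = "LAME"
AUTHORITATIVE = "AUTHORITATIVE"
UNREACHABLE = "UNREACHABLE"

QueryFn = Callable[[str, str], DnsReply]  # (name_server, domain) -> reply


def classify_reply(reply: DnsReply) -> str:
    """Map one name server's reply to a delegation status."""
    if reply.timed_out:
        return UNREACHABLE
    if reply.rcode == "NOERROR" and reply.aa and reply.soa_mname:
        return AUTHORITATIVE
    # REFUSED, SERVFAIL, or a non-authoritative answer (for example an upward
    # referral to the root) all mean this server has no zone loaded for the name.
    return LAME


def audit_delegation(domain: str, ns_hosts: List[str], query: QueryFn) -> Dict[str, str]:
    """Query every delegated name server directly and classify each one."""
    return {ns: classify_reply(query(ns, domain)) for ns in ns_hosts}


def is_sitting_duck_candidate(statuses: Dict[str, str]) -> bool:
    """True when every reachable name server is lame: nobody serves the zone,
    so whoever can create it at the provider controls the domain."""
    reachable = [s for s in statuses.values() if s != UNREACHABLE]
    return bool(reachable) and all(s == LAME for s in reachable)


def live_query(ns_host: str, domain: str, timeout: float = 3.0) -> DnsReply:
    """Real probe using dnspython (imported lazily so the offline demo below runs
    without it): a non-recursive SOA query sent straight to the delegated server."""
    import dns.exception, dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver
    try:
        addr = dns.resolver.resolve(ns_host, "A")[0].to_text()
        q = dns.message.make_query(domain, dns.rdatatype.SOA)
        q.flags &= ~dns.flags.RD  # do not ask the server to recurse on our behalf
        r = dns.query.udp(q, addr, timeout=timeout)
    except dns.exception.DNSException:  # timeout, or the NS host itself does not resolve
        return DnsReply(rcode="TIMEOUT", timed_out=True)
    mname = None
    for rrset in r.answer:
        if rrset.rdtype == dns.rdatatype.SOA:
            mname = rrset[0].mname.to_text()
    return DnsReply(rcode=dns.rcode.to_text(r.rcode()), aa=bool(r.flags & dns.flags.AA), soa_mname=mname)


# Constructed sample data (fictitious names, not real delegations): a defensive
# brand domain delegated to a third-party provider that never got a zone for it,
# and a healthy domain at the same provider for comparison.
SAMPLE_REPLIES = {
    ("ns1.dns-provider.example", "brand-typo-defence.example"): DnsReply(rcode="REFUSED"),
    ("ns2.dns-provider.example", "brand-typo-defence.example"): DnsReply(rcode="NOERROR", aa=False),
    ("ns1.dns-provider.example", "brand.example"): DnsReply(rcode="NOERROR", aa=True, soa_mname="ns1.dns-provider.example."),
    ("ns2.dns-provider.example", "brand.example"): DnsReply(rcode="TIMEOUT", timed_out=True),
}


def sample_query(ns_host: str, domain: str) -> DnsReply:
    """Stand-in for live_query that returns the constructed replies above."""
    return SAMPLE_REPLIES[(ns_host, domain)]


def run_demo() -> Dict[str, Dict[str, str]]:
    """Audit both sample domains against their (shared, constructed) NS set."""
    ns_set = ["ns1.dns-provider.example", "ns2.dns-provider.example"]
    return {d: audit_delegation(d, ns_set, sample_query)
            for d in ("brand-typo-defence.example", "brand.example")}


if __name__ == "__main__":
    for domain, statuses in run_demo().items():
        flag = "SITTING DUCK CANDIDATE" if is_sitting_duck_candidate(statuses) else "ok"
        print(f"{domain}: {statuses} -> {flag}")
```

Against real domains, swap `sample_query` for `live_query` and feed in the NS set taken from the parent zone (the TLD’s servers), not from the domain’s own servers, since the point is to test what the registry is delegating to. A lame result only shows the first half of the Sitting Ducks condition; whether the provider behind those name servers will let an unverified account create the zone still has to be confirmed at the provider.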
‘While these conditions appear very esoteric, they are not … numerous threat actors are actively leveraging this attack vector already, and we anticipate the actual scale of exploitation to be much larger than what is currently known,’ Infoblox said.
Ironically, a large number of the hijacked domains were defensive ones, registered with brand protection registrars to protect against lookalike domains and typosquatters.
That would explain why their lame status went undetected. A hijacked primary domain is noticed almost at once, because its traffic breaks; a hijacked defensive domain that nobody visits is not.
Naming the hack
Probably the most ingenious aspect of the research is that Infoblox and Eclypsium have branded the weakness with an easily memorable nickname. Security purists decry the fashion, but a named problem is harder to forget to do something about.
Their recommendations for organizations:
Make sure they are not using their domain registrar’s own DNS service as their authoritative DNS provider, which the researchers consider riskier.
See whether their domains and subdomains ‘have name server delegation