2024/08/08 11:00:15

Ducks Now Sitting (DNS)


Chronicle

2024: Cybercriminals hijacked 35,000 domains without access to the owners' accounts using an entirely new method

On July 31, 2024, information security specialists from Infoblox and Eclypsium reported that cybercriminals had seized over 35 thousand domains without access to the accounts of their owners. The large-scale attack, called Ducks Now Sitting (DNS), or Sitting Ducks, is said to endanger more than 1 million domains every day.

Cybercriminals hijacked 35,000 domains without access to accounts using a new method

As part of the Sitting Ducks campaign, attackers exploit configuration flaws at the registrar level and insufficient verification of ownership by DNS providers. Although the problems that make the attack possible were first documented by Snap security engineer Matthew Bryant in 2016, this method is still an easy and effective way to hijack domains. The attack can be carried out under the following conditions:

· A registered domain either uses or delegates authoritative DNS services to a provider other than the registrar;

· The DNS provider allows a domain to be claimed without proper verification of ownership and without access to the owner's account;

· The authoritative name server does not have information about the domain and therefore cannot resolve queries.

As Infoblox notes, cybercriminals can use the Sitting Ducks attack on domains that use the authoritative DNS services of a provider other than the registrar. If the registration of the authoritative DNS service or web hosting of the target domain expires, an attacker can claim rights to it by creating an account with the DNS service provider. As a result, cybercriminals are able to create malicious sites on the domain and configure DNS settings so that it resolves to a fake address. Moreover, the legitimate owner will be unable to change the DNS records.[1]
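The three conditions above can be checked for a domain you own. The following is an added example, not code from Infoblox, Eclypsium or the original article: it reads the header of each name server's reply to an SOA query and flags servers that do not actually serve the zone. The host names, the `weak_providers` list and the header-only sample replies are constructed assumptions, and `provider_of` is a deliberately crude grouping by the last two labels.

```python
import struct
from typing import Optional

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F   # DNS header flag bits (RFC 1035)

def is_lame(reply: Optional[bytes]) -> bool:
    """True if a server's reply to an SOA query shows it does not serve the zone."""
    if reply is None or len(reply) < 12:        # timeout or truncated header
        return True
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if not flags & QR:                          # not a response at all
        return True
    rcode = flags & RCODE_MASK
    # A healthy authoritative server answers NOERROR, with AA set and an answer.
    return not (rcode == 0 and flags & AA and ancount > 0)

def provider_of(ns_host: str) -> str:
    """Crude provider key (assumption): last two labels of the NS host name."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])

def sitting_duck_risk(registrar_dns: str, ns_replies: dict, weak_providers: set) -> dict:
    """Evaluate the three conditions for one domain.

    registrar_dns  -- provider key of the registrar's own DNS service
    ns_replies     -- {delegated NS host: raw SOA reply bytes, or None on timeout}
    weak_providers -- providers the defender knows do not verify domain ownership
    """
    external = sorted({provider_of(ns) for ns in ns_replies} - {registrar_dns})
    lame = sorted(ns for ns, reply in ns_replies.items() if is_lame(reply))
    # Exposed: lame delegation pointing at an external provider that lets
    # anyone claim the zone.
    exposed = [ns for ns in lame
               if provider_of(ns) != registrar_dns and provider_of(ns) in weak_providers]
    return {"external": external, "lame": lame, "exposed": exposed,
            "at_risk": bool(exposed)}

def header(flags: int, ancount: int) -> bytes:
    """Build a constructed, header-only DNS reply for the samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

HEALTHY = header(0x8400, 1)     # QR + AA, NOERROR, one answer
REFUSED = header(0x8005, 0)     # QR, RCODE 5 (REFUSED): zone not configured
NON_AUTH = header(0x8180, 1)    # QR + RD + RA, answer present but AA not set

if __name__ == "__main__":
    replies = {"ns1.dnshost.example": REFUSED, "ns2.dnshost.example": None}
    print(sitting_duck_risk("registrar.example", replies, {"dnshost.example"}))
```

In practice the replies would come from sending an SOA query for the domain directly to each delegated name server; a domain flagged here should have its delegation corrected at the registrar or its zone re-created at the provider.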

Notes