A new threat in the form of ‘Sitting Ducks’ attacks is putting millions of registered domains at risk. Cybercriminals are exploiting vulnerabilities within the Domain Name System (DNS), posing significant risks for domain owners. Here’s an overview of these attacks and measures to mitigate them.
The Sitting Ducks attack leverages weaknesses in the DNS, which translates human-friendly domain names into IP addresses used by devices to identify each other within a network. Researchers from Infoblox and Eclypsium have revealed that this attack vector allows hackers to hijack domain names with relative ease and minimal detection.
Conditions for Sitting Ducks Attacks:
- A registered domain or subdomain delegates authoritative DNS services to a different provider than the domain registrar.
- The authoritative name server lacks data about the domain, failing to resolve queries.
- An attacker can claim the domain at the provider and set up DNS records without accessing the legitimate owner’s registrar account.
Hackers exploit weak authentication protocols, outdated DNS records, and insufficient monitoring to gain control of domain names. Once hijacked, domains can redirect traffic to malicious sites, facilitating phishing attacks or malware distribution.
Security Implications: Researchers estimate that more than 35,000 domains, ranging from personal blogs to large corporate websites, have already been compromised. The simplicity of this attack method means it can be executed even by less experienced hackers, significantly broadening the threat’s scope.
The covert nature of Sitting Ducks attacks is particularly alarming. Domain owners often remain unaware of the hijack, allowing malicious activities to persist longer and potentially causing significant financial and reputational damage. In some instances, hijacked domains have been used to launch cyber attacks and phishing campaigns against other targets.
Mitigation Measures: To safeguard against Sitting Ducks attacks, domain owners should adopt a comprehensive security strategy, including:
- Audits and Monitoring: Regularly audit DNS records for unauthorized changes and use tools that provide real-time alerts on suspicious activities.
- Enable DNSSEC: Implement Domain Name System Security Extensions (DNSSEC) to secure DNS responses against tampering and prevent hijacking.
- Authentication Measures: Employ robust security tools and multi-factor authentication (MFA) to minimize unauthorized access risks.
- Registrar Lock: Activate the registrar lock feature to prevent unauthorized domain transfers, ensuring manual verification for such requests.
- Updating Contact Information: Keep contact details with the domain registrar current to facilitate timely communication about suspicious activities.