01 August 2024 | Ravie Lakshmanan | Vulnerability / Vulnerability Intelligence

Domain Hijacking Techniques

More than a million domains are at risk of being taken over by malicious actors through a domain hijacking technique known as the Sitting Ducks attack.

The powerful attack vector, which exploits weaknesses in the Domain Name System (DNS), is being used by more than a dozen Russian-linked cybercriminal actors to stealthily hijack domains, a joint analysis by Infoblox and Eclypsium has disclosed.

“In a Sitting Ducks attack, the actor hijacks an existing registered domain at an authoritative DNS service or web hosting provider without gaining access to the real owner’s account at either the DNS provider or the registrar,” the researchers said.

“Sitting Ducks is easier to execute, more likely to succeed, and harder to detect than other popular domain hijacking attack vectors, e.g. dangling CNAMEs.”


Once a domain is in the hands of a threat actor, it can be used for all kinds of nefarious activities, including serving malware and spamming, while abusing the trust associated with the legitimate owner.

Details of the “malicious” attack technique were first documented by The Hacker Blog in 2016, though it remains largely unknown and unresolved to this day. It is estimated that more than 35,000 domains have been hijacked since 2018.

“It’s a mystery to us,” Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. “We often receive questions from potential clients about, for example, dangling CNAME attacks, which are also a forgotten-records hijack, but we’ve never received a question about a Sitting Ducks hijack.”

The problem stems from misconfiguration at the domain registrar and insufficient ownership verification at the authoritative DNS provider, combined with the fact that the name server is unable to provide an authoritative answer for the domain it is listed to serve (i.e., lame delegation).

[Image: Sitting Ducks, figure 2]

It also requires that the authoritative DNS provider be exploitable, allowing an attacker to claim ownership of the domain at the provider without having access to the rightful owner’s account at the domain registrar.

In such situations, should the authoritative DNS service for the domain expire, a threat actor can create an account with the provider and claim ownership of the domain, ultimately impersonating the brand behind the domain to distribute malware.


“There are many variations [of Sitting Ducks], including when the domain is registered and assigned, but not configured at the provider,” Burton said.

Sitting Ducks attacks have been weaponized by a variety of threat actors over the years, with the stolen domains used in various traffic distribution systems (TDSes) such as 404 TDS (aka Vacant Viper) and VexTrio Viper. They have also been exploited to propagate bomb threat hoaxes and sextortion scams, an activity cluster tracked as Spammy Bear.

“Organizations should check their domains for lame delegations and use DNS providers that have protection against Sitting Ducks,” Burton said.
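The precondition described above (a name server listed for a domain that cannot answer authoritatively for it) and Burton's recommendation to check domains for lameness both come down to the same defensive audit. The following is an added example, not code from the article or from Infoblox or Eclypsium: it classifies a domain's delegation from per-nameserver probe results, using constructed sample data so it runs offline, and includes an optional live probe that assumes the dnspython library is installed. Whether a given provider is actually "exploitable" (the second precondition the article names) cannot be determined by a DNS query and has to be checked with the provider itself.

```python
# Added example (not from the article or from Infoblox/Eclypsium): a defensive
# lame-delegation check. The constructed sample data runs offline; the optional
# live probe assumes the dnspython library is installed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class NsProbe:
    """Result of asking one delegated nameserver for the zone's SOA record."""
    nameserver: str
    answered: bool        # any DNS reply at all (False on timeout)
    authoritative: bool   # AA flag set in the reply
    rcode: str            # e.g. "NOERROR", "REFUSED", "SERVFAIL", "TIMEOUT"


def is_lame(probe: NsProbe) -> bool:
    """A delegated nameserver is lame for a zone when it does not answer
    authoritatively for it: no reply, an error rcode, or a reply without
    the AA flag (a forwarder, or a provider where the zone is not configured)."""
    return (not probe.answered) or probe.rcode != "NOERROR" or not probe.authoritative


def classify_delegation(domain: str, probes: List[NsProbe]) -> Dict[str, object]:
    """Summarise the delegation: 'ok', 'partially-lame', 'lame', or 'no-delegation'."""
    lame = [p.nameserver for p in probes if is_lame(p)]
    healthy = [p.nameserver for p in probes if not is_lame(p)]
    if not probes:
        status = "no-delegation"
    elif not healthy:
        status = "lame"            # every listed server fails: the Sitting Ducks precondition
    elif lame:
        status = "partially-lame"  # still worth fixing; resolvers will hit the lame server too
    else:
        status = "ok"
    return {"domain": domain, "status": status, "lame": lame, "healthy": healthy}


def probe_nameserver_live(domain: str, nameserver: str, timeout: float = 3.0) -> NsProbe:
    """Live probe (assumes dnspython). Sends a SOA query for `domain` directly to
    `nameserver` and records whether the reply carries the AA flag."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver  # noqa: E401
    ip = dns.resolver.resolve(nameserver, "A")[0].to_text()
    query = dns.message.make_query(domain, "SOA")
    try:
        reply = dns.query.udp(query, ip, timeout=timeout)
    except Exception:
        return NsProbe(nameserver, False, False, "TIMEOUT")
    return NsProbe(nameserver, True, bool(reply.flags & dns.flags.AA),
                   dns.rcode.to_text(reply.rcode()))


def audit_live(domain: str) -> Dict[str, object]:
    """Resolve the domain's NS set and probe every listed server (assumes dnspython)."""
    import dns.resolver
    ns_names = [r.target.to_text().rstrip(".") for r in dns.resolver.resolve(domain, "NS")]
    return classify_delegation(domain, [probe_nameserver_live(domain, ns) for ns in ns_names])


# Constructed sample data (not real measurements): three delegations in the
# states the article describes. Names under .example are placeholders.
SAMPLE_PROBES = {
    "healthy.example": [
        NsProbe("ns1.provider.example", True, True, "NOERROR"),
        NsProbe("ns2.provider.example", True, True, "NOERROR"),
    ],
    # Provider account expired: the provider's servers no longer know the zone,
    # yet the registrar still delegates to them.
    "abandoned.example": [
        NsProbe("ns1.provider.example", True, False, "REFUSED"),
        NsProbe("ns2.provider.example", False, False, "TIMEOUT"),
    ],
    "mixed.example": [
        NsProbe("ns1.provider.example", True, True, "NOERROR"),
        NsProbe("ns2.provider.example", True, False, "SERVFAIL"),
    ],
}


def audit_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples; returns domain -> status."""
    return {d: classify_delegation(d, p)["status"] for d, p in SAMPLE_PROBES.items()}


if __name__ == "__main__":
    for domain, status in audit_samples().items():
        print(f"{domain}: {status}")
```

Run `audit_live("yourdomain.example")` against domains you own to get the same classification from real answers; a result of `lame` means the registrar's delegation points at servers that no longer serve the zone, which is exactly the state to fix (re-create the zone at the provider or change the delegation) before anyone else notices it.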
