Threat actors have hijacked more than 35,000 registered domains in so-called Sitting Ducks attacks, which allow a domain to be claimed without access to the owner's account at the DNS provider or registrar.
In a Sitting Ducks attack, cybercriminals exploit configuration flaws at the registrar level and insufficient ownership verification at DNS providers.
Researchers at DNS-focused security vendor Infoblox and firmware and hardware protection company Eclypsium found that more than a million domains can be hijacked every day via Sitting Ducks attacks.
Multiple Russian cybercrime groups have been using this attack vector for years, exploiting hijacked domains in spam campaigns, scams, malware delivery, phishing, and data exfiltration.
Sitting Ducks details
Although the problems that make Sitting Ducks possible were first documented in 2016 [1, 2] by Matthew Bryant, a security engineer at Snap, the attack vector remains an easier way to hijack domains than other known methods.
The following conditions must hold for the attack to be possible:
– The registered domain either uses or delegates authoritative DNS services to a provider different from the registrar.
– The authoritative name server for the record cannot resolve queries because it lacks information about the domain (lame delegation).
– The DNS provider allows the domain to be claimed without validating ownership or requiring access to the owner's account.
Variations of the attack include partially lame delegation (not all name servers are misconfigured) and redirection to another DNS provider. In every variant, however, the domain can be hijacked only if both the lame-delegation condition and the exploitable-provider condition are met.
Infoblox explains that attackers can use the Sitting Ducks method on domains that use authoritative DNS services from a provider different from the registrar, such as a web hosting service.
If the authoritative DNS or web hosting service for the target domain expires, the attacker can claim it after creating an account with the DNS service provider.
The threat actor can then set up a malicious website under the domain and configure the DNS records so that address lookups for the domain resolve to a host the attacker controls, while the legitimate owner is unable to modify those DNS records.
Attacks in the wild
Infoblox and Eclypsium report that they have seen multiple threat actors exploiting the Sitting Ducks (or Ducks Now Sitting – DNS) attack vector since 2018 and 2019.
Since then, there have been at least 35,000 domain hijacking cases using this method. Cybercriminals generally held domains for a short period, but in some cases they kept them for up to a year.
There have also been cases where the same domain was hijacked by multiple threat actors in quick succession, each using it in their operations for one to two months before moving on.
GoDaddy has been confirmed to have been vulnerable to Sitting Ducks attacks (though not since 2019), and the researchers say that six DNS providers are currently vulnerable.
The observed clusters of activity that exploit Sitting Ducks are summarized as follows:
- "Spammy Bear" – hijacked GoDaddy domains in late 2018 for use in spam campaigns.
- "Vacant Viper" – started using Sitting Ducks in December 2019 and has carried out about 2,500 hijacks annually since then, using the domains in the 404 TDS system that distributes IcedID and as command and control (C2) domains for malware.
- "VexTrio Viper" – started using Sitting Ducks in early 2020 to feed domains into a massive traffic distribution system (TDS) that facilitates SocGholish and ClearFake operations.
- Unnamed actors – many small and unknown threat actors building TDS, spam distribution, and phishing networks.
Defensive measures
Domain owners should regularly review their DNS configurations for lame delegations, especially on older domains, and update delegation records at the registrar or authoritative name server so they point to appropriate, active DNS services.
Registrars are advised to proactively check for lame delegations and alert owners. They should also ensure that a DNS service is established before name server delegation is propagated.
Finally, regulators and standards bodies should develop long-term strategies to address DNS vulnerabilities and press DNS providers under their jurisdiction to take further action to mitigate Sitting Ducks attacks.
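The lame-delegation review recommended above can be scripted: send each delegated name server a non-recursive NS query and treat any reply that is not authoritative (AA bit set, RCODE NOERROR) as lame, then grade the delegation as healthy, partially lame, or fully lame using the categories from the conditions section. This is an added example, not code from Infoblox or Eclypsium; it assumes you have already obtained the delegated name servers and their IPs (for example from the parent zone's NS records), uses placeholder IPs from 192.0.2.0/24, and speaks plain UDP/53 with no EDNS or TCP fallback.

```python
import random
import socket
import struct

def build_ns_query(domain: str, qid: int) -> bytes:
    """Build a non-recursive (RD=0) NS query so a server answers only for zones it actually serves."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # flags=0 -> QR=0, RD=0
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 2, 1)  # QTYPE=NS, QCLASS=IN

def parse_response(resp: bytes) -> dict:
    """Pull out the header fields that decide lameness: transaction ID, AA bit, RCODE, answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": an}

def probe(nameserver_ip: str, domain: str, timeout: float = 3.0) -> dict:
    """Ask one delegated name server (IP assumed resolved separately) about the domain over UDP/53."""
    qid = random.randint(0, 0xFFFF)
    failed = {"id": qid, "aa": False, "rcode": None, "answers": 0}  # timeout, error or mismatched reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_ns_query(domain, qid), (nameserver_ip, 53))
            data, _ = sock.recvfrom(512)
        except OSError:  # socket.timeout is a subclass of OSError
            return failed
    result = parse_response(data)
    return result if result["id"] == qid else failed

def is_lame(result: dict) -> bool:
    """A delegated server is lame for the zone unless it answers authoritatively (AA=1) with NOERROR (0)."""
    return not (result["aa"] and result["rcode"] == 0)

def classify_delegation(results: dict) -> str:
    """Map per-name-server results to the article's categories: healthy, partially lame, or lame."""
    lame = [ns for ns, r in results.items() if is_lame(r)]
    if not lame:
        return "healthy"
    if len(lame) == len(results):
        return "lame delegation"
    return "partially lame delegation"

if __name__ == "__main__":
    # Placeholder name servers and documentation-range IPs; substitute the real delegation for your domain.
    servers = {"ns1.example.net": "192.0.2.1", "ns2.example.net": "192.0.2.2"}
    verdicts = {ns: probe(ip, "example.com") for ns, ip in servers.items()}
    print(classify_delegation(verdicts), verdicts)
```

A "lame delegation" or "partially lame delegation" verdict on a domain whose DNS provider differs from the registrar is the signal to fix the delegation before someone else claims the zone at that provider.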