Infoblox: 800,000 domains vulnerable to hijacking attack
While the 'Sitting Ducks' attack vector continues to pose a problem, Infoblox says domain registrars, DNS providers and government bodies remain inactive.
Infoblox warned that threat actors are increasingly exploiting misconfigured DNS name servers to hijack domains using a technique that's difficult for victims to detect.
The network security vendor published a new report Thursday titled "DNS Predators Attack: Vipers and Hawks Hijack Sitting Ducks." The report expands on an attack vector dubbed "Sitting Ducks" that Infoblox and Eclypsium initially disclosed in July. During these attacks, threat actors take advantage of DNS configuration flaws to gain full control of a domain.
After gaining control of vulnerable domains for major companies such as McDonald's and Paramount Global, threat actors pose as the legitimate domain owners and use the domains to deliver malware, conduct phishing campaigns and exfiltrate data. While Sitting Ducks continues to be a prevalent attack vector, Infoblox said it's widely overlooked by domain registrars, DNS providers and government organizations.
"Since our initial publication, we have identified nearly 800k vulnerable registered domains. Roughly nine percent (70k) of those vulnerable domains were subsequently hijacked. We know these numbers do not accurately reflect the attack surface: they are derived from a limited monitoring system," Infoblox wrote in the new report.
Infoblox said the true number of vulnerable domains is likely much higher because the count did not include subdomains. The report warned that attackers can hijack domains without stealing credentials or gaining access to the domain owner's registrar account. Instead, Sitting Ducks attacks take advantage of a misconfiguration in the vulnerable domain's DNS delegation: the domain points at name servers that are not actually serving its zone.
While conducting the research, Infoblox discovered more than a dozen independent actors exploiting Sitting Ducks. Though independent, the actors cooperate and share knowledge of vulnerable domains. Because the attack is easy to carry out, the observed attackers ranged in technical level all the way up to advanced persistent threat actors, and most were Russian.
The report addressed many of those threat actors, including one whom Infoblox dubbed "Vacant Viper." Infoblox said Vacant Viper operates a criminal traffic distribution system that Proofpoint researchers track as "404TDS." After Infoblox discovered widespread domain hijacking connected to 404TDS, the company conducted additional research with Eclypsium to determine how it occurred.
"We discovered that misconfigured DNS name servers were the common factor in all of the hijackings and that we could take over misconfigured domains at certain providers with a few button clicks. Even though we are DNS threat experts, this was new to us," the report said.
The report clarified that Vacant Viper refers to the actor who hijacks domains for 404TDS. Infoblox researchers found that Vacant Viper frequently operates under the guise of a compromised McDonald's domain that the fast-food giant has not addressed.
"One domain that Vacant Viper hijacked and used in the 404TDS is mcpennsylvania[.]com, a domain registered by McDonalds with corporate registrar CSC Corporate Domains and assigned to name servers on DNS Made Easy, a subsidiary of DigiCert. Vacant Viper has hijacked this domain repeatedly over the last few years, and it has a lame delegation as of this writing," the report said.
Lame delegation is the critical ingredient of Sitting Ducks and a consistent problem that Infoblox found at some registrars. An organization with a registered domain or subdomain can delegate authoritative DNS service to a provider other than its registrar; the registrar then publishes NS records at the parent zone that point at that provider's name servers. The delegation is lame when those name servers do not hold authoritative data for the zone, so they cannot answer queries for it. Because the delegation already points at the provider, a threat actor can exploit it simply by claiming the domain at a vulnerable DNS provider and configuring new DNS records; from then on, queries for the domain are answered with the attacker's records.
Several factors can lead to lame delegation, such as name servers becoming unavailable, not being updated properly or being decommissioned. However, Infoblox said many of these cases result from misconfigurations at the registrar level. The report said "registrars create a lame delegation for new domain registrations by forcing a name server setting to be configured before the DNS provider records are established." That opens a window in which the delegation points at a provider that has no zone for the domain yet, and a threat actor who claims the domain at that provider first can launch a Sitting Ducks attack.
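As an added example (not code from Infoblox, Eclypsium or the report), here is a small Python checker for the condition described above, and for the proactive "check whether that domain has a lame name server" step Burton recommends later in the article: it asks each name server the parent delegates a domain to for the zone's SOA and treats anything other than an authoritative answer as lame. The domain and server names are hypothetical and the responses at the bottom are constructed so the script runs offline; the delegated NS list is taken as input (the NS set a non-recursive query to the parent's servers returns), and udp_query() is a plain-socket replacement for live use.

```python
"""Lame-delegation checker (added example; not Infoblox's or Eclypsium's tooling).

A delegation is lame, in the Sitting Ducks sense, when the NS records the
registrar publishes at the parent point at name servers that do not hold
authoritative data for the zone: they answer REFUSED or SERVFAIL, time out,
or reply without the AA (authoritative answer) bit set. The classifier takes
a query function so it runs offline against the constructed answers below.
"""
import random
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"SOA": 6, "NS": 2, "A": 1}


@dataclass
class Answer:
    rcode: str           # an RCODES value, or "TIMEOUT" / "MALFORMED" for transport failures
    authoritative: bool  # AA bit set in the response header
    answer_count: int    # ANCOUNT from the response header


QueryFn = Callable[[str, str, str], Answer]  # (nameserver, qname, qtype) -> Answer


def classify_server(ns: str, domain: str, query: QueryFn) -> str:
    """One delegated server is 'ok' only if it answers the zone's SOA with AA set.
    A NOERROR answer without AA proves nothing (a recursive server can produce it),
    so it is treated as lame too."""
    ans = query(ns, domain, "SOA")
    if ans.rcode == "TIMEOUT":
        return "unreachable"
    if ans.rcode == "NOERROR" and ans.authoritative and ans.answer_count > 0:
        return "ok"
    return "lame"


def check_delegation(domain: str, delegated_ns: List[str], query: QueryFn) -> Dict[str, object]:
    """Check every server the parent delegates DOMAIN to. delegated_ns is the NS set
    published at the parent (what the registrar set), which is the view an attacker abuses."""
    per_server = {ns: classify_server(ns, domain, query) for ns in delegated_ns}
    not_serving = sorted(ns for ns, r in per_server.items() if r != "ok")
    if not delegated_ns:
        verdict = "no-delegation"
    elif len(not_serving) == len(delegated_ns):
        verdict = "lame"            # nobody serves the zone: the classic Sitting Ducks shape
    elif not_serving:
        verdict = "partially-lame"  # some queries already land on servers that do not serve it
    else:
        verdict = "healthy"
    return {"domain": domain, "verdict": verdict, "per_server": per_server, "not_serving": not_serving}


def udp_query(ns_host: str, qname: str, qtype: str, timeout: float = 3.0) -> Answer:
    """Minimal stdlib DNS query for live use; only the 12-byte header is parsed,
    which is all the check needs. RD is left clear so nobody recurses on our behalf."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    packet = header + wire_name + struct.pack("!HH", QTYPES[qtype], 1)
    try:
        ip = socket.gethostbyname(ns_host)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (ip, 53))
            data, _ = s.recvfrom(4096)
    except (socket.gaierror, socket.timeout, OSError):
        return Answer("TIMEOUT", False, 0)
    if len(data) < 12:
        return Answer("MALFORMED", False, 0)
    rid, flags, _qd, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return Answer("MALFORMED", False, 0)
    return Answer(RCODES.get(flags & 0x000F, "OTHER"), bool(flags & 0x0400), ancount)


# Constructed responses standing in for hypothetical delegations (not real domains).
_STUB = {
    # registrar delegates to a provider that has no zone for the domain: REFUSED from both
    ("ns1.provider.example", "lame-example.test"): Answer("REFUSED", False, 0),
    ("ns2.provider.example", "lame-example.test"): Answer("REFUSED", False, 0),
    # both servers answer the SOA authoritatively
    ("ns1.provider.example", "healthy-example.test"): Answer("NOERROR", True, 1),
    ("ns2.provider.example", "healthy-example.test"): Answer("NOERROR", True, 1),
    # one server decommissioned and silent, the other still serving
    ("ns1.provider.example", "mixed-example.test"): Answer("NOERROR", True, 1),
    ("old-ns.provider.example", "mixed-example.test"): Answer("TIMEOUT", False, 0),
    # a recursive resolver listed as NS: it answers, but never with AA
    ("rec.provider.example", "recursive-example.test"): Answer("NOERROR", False, 1),
}


def stub_query(ns: str, qname: str, qtype: str) -> Answer:
    return _STUB.get((ns, qname), Answer("SERVFAIL", False, 0))


if __name__ == "__main__":
    for dom, servers in [("lame-example.test", ["ns1.provider.example", "ns2.provider.example"]),
                         ("healthy-example.test", ["ns1.provider.example", "ns2.provider.example"]),
                         ("mixed-example.test", ["ns1.provider.example", "old-ns.provider.example"])]:
        print(check_delegation(dom, servers, stub_query))
```

The check insists on the AA bit rather than just a NOERROR response because a REFUSED, SERVFAIL or non-authoritative answer from a delegated server is exactly the state an attacker can "fill" by creating the zone at that provider; a "lame" or "partially-lame" verdict on a domain whose delegation points at a provider that lets anyone add a zone is the Sitting Ducks precondition, and the fix is at the registrar (pull the delegation back) or at the provider (refuse to host a zone the account owner cannot prove control of).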
"While Sitting Ducks attacks are easy to perform and difficult to detect, they are also entirely preventable with correct configurations at the domain registrar and DNS providers," the report said.
Renée Burton, vice president of threat intelligence at Infoblox, told TechTarget Editorial that lame delegation occurs frequently. In the case of McDonald's, she said she believes that attackers abused the 30-day free trial period that DigiCert and other companies offer. Though difficult to prove, she has observed the attack pattern with other organizations as well.
Sitting Ducks attacks observed since 2016
Infoblox repeatedly highlighted Sitting Ducks' longevity. The report said security researcher Matt Bryant initially described the attack vector, which Infoblox later dubbed Sitting Ducks, in 2016. Infoblox added that cybercriminals have leveraged the vector since 2018 against a variety of sectors including government entities.
Researchers stressed that despite increasingly widespread exploitation, Sitting Ducks attacks are underreported.
"There are several variants of this type of attack, none of which requires compromising legitimate DNS infrastructure, thereby making it fundamentally different from better-known DNS hijacking techniques," the report said.
Infoblox said mitigating Sitting Ducks attacks requires cooperation among DNS providers, registrars, governments and standards bodies.
The report said agencies like CISA prioritize software vulnerabilities over misconfigurations, which do not qualify for CVEs. That results in a lack of awareness and proactive measures against misconfigurations like lame delegation.
Compounding the problem is the lack of response from affected domain registrars and DNS providers.
"An all-too-common reaction is to point the finger back to the domain holder for ultimate responsibility to maintain their domain configurations," the report said. "This may be true, but at the same time, both registrars and DNS providers can play a critical role in reducing cybercrime by making these types of hijacks harder to perform or easier to remediate. During our research, we reported Sitting Ducks hijackings to both registrars and DNS providers, but it was largely dismissed and not actioned, even though we provided evidence of the attacks."
Burton told TechTarget Editorial that she was disappointed with the lack of response from affected parties. "There's only a handful of providers who make up most of the problem, and they've chosen for commercial reasons not to make any changes. If a couple of them changed, 80% of the problem would go away," she said.
Burton echoed the report and called on CISA to reconsider how it classifies vulnerabilities. She said CISA mainly considers vulnerabilities as bugs in software, but emphasized that there's a whole spectrum of vulnerabilities that rely on some version of a protocol.
"There's a gap in the protocol or how we implement the protocol, and we tend to call that a configuration issue, which undermines the actual depth of it," Burton said. "Strategically, we don't have enough attention paid to these kinds of issues, and in fact, they're being heavily used, primarily by Russians."
Regarding registrars, Burton said she would like to see a change in autorenewal processes. She said Infoblox observes many cases where a domain or subdomain, particularly through mergers and acquisitions, runs on autorenewal and gets lost in the shuffle.
Burton highlighted Paramount as one company the problem affects.
"You could check whether that domain has a lame name server, and if so, proactively pull it back to the registrar," she said. "The problem is you've got a break between these two entities, so if it just pointed to the registrar, no one could take it over."
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.