Over 35k Domains Hijacked in ‘Sitting Ducks’ Attacks

August 2, 2024 at 05:00AM

DNS providers’ inadequate verification of domain ownership puts over one million domains at risk of hijacking, leading to brand impersonation, data theft, malware delivery, and phishing. The “Sitting Ducks” attack, discovered in 2016, continues to be exploited, allowing cybercriminals to hijack domains without detection. Recommendations are provided for domain owners and DNS service providers to mitigate this risk.

The article highlights a significant cybersecurity risk: weak or nonexistent verification of domain ownership by DNS providers puts over one million domains at risk of hijacking. This issue has already resulted in the hijacking of more than 35,000 domains over the past six years, leading to brand impersonation, data theft, malware delivery, and phishing.

The attack vector, known as the Sitting Ducks attack, is being exploited by over a dozen Russian-nexus cybercriminal actors. It is made possible by incorrect configurations at the domain registrar and a lack of sufficient preventive measures at the DNS provider. The attackers are able to hijack domains without being noticed, relying on conditions such as name server delegation, lame delegation, and exploitable DNS providers.

The cybersecurity firms emphasize the need for domain owners to ensure that they do not use an authoritative DNS provider different from the domain registrar, validate accounts used for name server delegation, and confirm that their DNS providers have deployed mitigations against this type of attack. Additionally, DNS service providers are advised to verify domain ownership for claiming accounts, ensure that newly assigned name server hosts are different from previous assignments, and prevent account holders from modifying name server hosts after assignment.
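For a domain owner, the first two recommendations can be checked against an inventory of owned domains. The sketch below is an added example, not from the article: it parses captured `dig +norec SOA` headers for each delegated name server and flags lame delegations at a DNS provider that differs from the registrar. The domains, hosts, provider names and risk labels are constructed, and it assumes that a refused, non-authoritative or missing response means the delegation is lame.

```python
import re

# Constructed sample: header lines captured from `dig +norec SOA <domain> @<ns>`
# for each delegated name server. Domains, hosts and providers are hypothetical.
OK = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4211\n"
      ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1")
REFUSED = (";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 977\n"
           ";; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1")
TIMEOUT = ";; connection timed out; no servers could be reached"

INVENTORY = {
    "example.com": {"registrar": "RegistrarA", "dns_provider": "RegistrarA",
                    "ns": {"ns1.registrar-a.example": OK}},
    "example.net": {"registrar": "RegistrarA", "dns_provider": "HostB",
                    "ns": {"ns1.host-b.example": REFUSED,
                           "ns2.host-b.example": TIMEOUT}},
    "example.org": {"registrar": "RegistrarA", "dns_provider": "HostB",
                    "ns": {"ns1.host-b.example": OK, "ns2.host-b.example": OK}},
}

STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"flags: ([a-z ]*);")

def is_lame(dig_output):
    """True when the server gave no authoritative answer for the zone."""
    status, flags = STATUS.search(dig_output), FLAGS.search(dig_output)
    if not status or not flags:          # no DNS response was captured
        return True
    return status.group(1) != "NOERROR" or "aa" not in flags.group(1).split()

def audit(inventory):
    """Map each domain to a risk level (labels are this example's own)."""
    report = {}
    for domain, rec in inventory.items():
        lame = sorted(ns for ns, out in rec["ns"].items() if is_lame(out))
        split = rec["registrar"] != rec["dns_provider"]
        if lame and split:
            level = "exposed"    # lame delegation at a third-party DNS provider
        elif lame or split:
            level = "review"     # one precondition present
        else:
            level = "ok"
        report[domain] = {"level": level, "lame_ns": lame}
    return report

if __name__ == "__main__":
    for domain, result in audit(INVENTORY).items():
        print(domain, result)
```

Whether the DNS provider itself has deployed mitigations cannot be read from DNS responses and still has to be confirmed with the provider.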

The Sitting Ducks attack is described as easier to carry out, more likely to succeed, and harder to detect than other well-known domain hijacking attack vectors. It is currently being broadly used to exploit users globally.

The article also references related incidents and vulnerabilities, indicating the broader impact and relevance of this cybersecurity risk.
