
Russia-affiliated criminals use Sitting Duck technique to bag 30,000 domains

Russia-affiliated criminals are using a technique called Sitting Ducks to seize an estimated 30,000 domains by exploiting weak DNS services.

Tech and Science Editor

Since 2019, Russian-affiliated hackers have hijacked an estimated 30,000 domains, with the cybercriminals exploiting a flaw in DNS.


Security researcher Matt Bryant detailed the vulnerability in 2016, looking at how it led to the hijacking of 120,000 domains. The same problem reared its head again in 2019 with GoDaddy, an internet domain registry, domain registrar, and web hosting company. The 2019 issue led to sextortion attempts and bomb threats.

The technique being used is called Sitting Ducks. It essentially exploits gaps in administrative privileges, enabling cybercriminals to alter domain records without any validation from the owner. A hijacked domain is damaging not just for its owner but also for any visitor to that domain, as hijacked domains are commonly used for phishing, scams, spam, and other illegal activity.

Sitting Ducks Technique

  1. A registered domain, or subdomain of a registered domain, uses the authoritative DNS services of a different provider than the domain registrar; this is called name server delegation.
  2. A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service.
  3. The name server delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore cannot resolve queries or subdomains.
  4. The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner's account at the domain registrar.
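
For a domain owner, items 1 and 3 of the list can be checked from the outside. The following audit is an added example, not code from the article or the researchers it cites: it flags delegated name servers that belong to a provider other than the registrar and do not answer authoritatively for the zone. The inventory layout, provider names and sample responses are constructed assumptions, and item 4 (whether the provider lets someone else claim the zone) cannot be determined from DNS responses.

```python
import socket
import struct

def build_soa_query(domain, txid=0x5344):
    """Encode a non-recursive (RD=0) SOA query for `domain`."""
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 6, 1)

def ask(ns_ip, domain, timeout=3.0):
    """Send the SOA query to one delegated name server; None means no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(domain), (ns_ip, 53))
            return s.recvfrom(4096)[0]
        except OSError:
            return None

def is_lame(response):
    """Lame: the server gives no authoritative SOA answer for the zone."""
    if response is None or len(response) < 12:
        return True
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    authoritative = bool(flags & 0x0400)  # AA bit
    rcode = flags & 0x000F                # 0 = NOERROR
    return not (authoritative and rcode == 0 and ancount > 0)

def audit(record, responses):
    """Name servers meeting list items 1 and 3: third-party provider, lame."""
    return [(ns, provider) for ns, provider in record["delegation"].items()
            if provider != record["registrar"] and is_lame(responses.get(ns))]

# Constructed sample data: all names, providers and responses are made up.
def sample_header(flags, ancount):
    return struct.pack("!HHHHHH", 0x5344, flags, 1, ancount, 0, 0)

RECORD = {"domain": "example.com", "registrar": "RegistrarA",
          "delegation": {"ns1.dns-b.example": "ProviderB",
                         "ns2.dns-b.example": "ProviderB",
                         "ns1.registrar-a.example": "RegistrarA"}}
RESPONSES = {"ns1.dns-b.example": sample_header(0x8005, 0),  # REFUSED: lame
             "ns2.dns-b.example": sample_header(0x8400, 1),  # AA, NOERROR, 1 answer
             "ns1.registrar-a.example": sample_header(0x8005, 0)}  # lame, same provider

if __name__ == "__main__":
    for ns, provider in audit(RECORD, RESPONSES):
        print(f"{RECORD['domain']}: lame delegation to {ns} ({provider})")
```

For a live check, fill `responses` by calling `ask()` with each name server's IP address for domains in your own inventory.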


Jak joined TweakTown in 2017 and has since reviewed 100s of new tech products and kept us informed daily on the latest science, space, and artificial intelligence news. Jak's love for science, space, and technology, and, more specifically, PC gaming, began at 10 years old. It was the day his dad showed him how to play Age of Empires on an old Compaq PC. Ever since that day, Jak fell in love with games and the progression of the technology industry in all its forms.
