August 2, 2024
Severity
High
Analysis Summary
A domain hijacking technique dubbed Sitting Ducks puts more than a million registered domains at risk of takeover. More than a dozen Russian-nexus cybercriminal actors are already using this potent vector, which abuses weaknesses in how DNS delegation is configured and verified, to silently seize domains.
Cybersecurity researchers said, “In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner's account at either the DNS provider or registrar.”
Compared with other well-known domain hijacking vectors, such as dangling CNAME attacks, Sitting Ducks is easier to carry out, more likely to succeed, and harder to detect. Once a threat actor controls a domain, it can be used for a range of malicious activity, including spam and malware distribution, while abusing the trust the legitimate owner has built up. The technique was first documented in 2016, yet it remains largely unknown and unresolved; more than 35,000 domains are estimated to have been hijacked this way since 2018.
Three conditions make a domain a sitting duck. First, the domain is registered at one provider (the registrar) but its NS records delegate authority to a different DNS provider. Second, that delegation is lame: the nameservers listed for the domain do not actually host a zone for it and cannot answer authoritatively, so queries come back as REFUSED or SERVFAIL instead of a proper answer. Third, the delegated DNS provider is exploitable, meaning it lets a new account claim and create a zone for the domain without verifying ownership. Under these conditions an attacker can take over the domain at the DNS provider without ever touching the legitimate owner's registrar account.
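The check a domain owner most wants here is whether their own delegations are lame. The following is an added example, not code from the advisory or from the researchers who described the attack: it builds a non-recursive SOA query, parses the response header, and classifies each delegated nameserver as authoritative or lame, then rolls the results up per domain. The provider names in `demo()` are hypothetical and the response packets it feeds in are constructed, so the demonstration runs offline; `query_nameserver()` is the live probe and needs network access. Whether the delegated provider also lets a stranger claim the zone is a property of the provider's signup flow and cannot be determined from DNS alone.

```python
"""
Lame-delegation probe: the DNS-side precondition of a Sitting Ducks hijack.

Added example, not code from the original advisory. It asks each delegated
nameserver, non-recursively, for the SOA of the domain and classifies the
answer. Only query_nameserver() touches the network; everything else runs on
constructed packets.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

AA_FLAG = 0x0400  # Authoritative Answer bit in the DNS header flags word
QTYPE_SOA, QCLASS_IN = 6, 1


def build_soa_query(domain: str, txn_id: int) -> bytes:
    """Minimal DNS query: one question (domain, SOA, IN) with RD=0, so the
    nameserver must answer from its own zone data rather than recurse."""
    header = struct.pack(">HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in domain.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_SOA, QCLASS_IN)


def parse_header(packet: bytes) -> dict:
    """Extract the header fields the lameness check needs."""
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    rcode = flags & 0x000F
    return {
        "id": txn_id,
        "aa": bool(flags & AA_FLAG),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
    }


def classify_answer(hdr: dict) -> str:
    """A healthy delegation answers NOERROR with AA set and an SOA record.
    REFUSED, SERVFAIL, or a non-authoritative answer means the server is
    listed for the domain but does not actually serve it: lame."""
    if hdr["rcode"] == "NOERROR" and hdr["aa"] and hdr["answers"] > 0:
        return "authoritative"
    return "lame"


def delegation_status(per_ns: dict) -> str:
    """Roll per-nameserver results up to a verdict for the domain."""
    states = set(per_ns.values())
    if states == {"authoritative"}:
        return "healthy"
    if states == {"lame"}:
        return "fully_lame"
    return "partially_lame"


def query_nameserver(domain: str, ns_ip: str, timeout: float = 3.0) -> dict:
    """Live probe over UDP/53 (requires network; not used by demo())."""
    txn_id = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(domain, txn_id), (ns_ip, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txn_id:
        raise ValueError("transaction id mismatch")
    return hdr


def fake_response(txn_id: int, aa: bool, rcode: int, answers: int) -> bytes:
    """Constructed response header for offline demonstration (not a real
    capture): QR=1, with AA and RCODE set as requested."""
    flags = 0x8000 | (AA_FLAG if aa else 0) | rcode
    return struct.pack(">HHHHHH", txn_id, flags, 1, answers, 0, 0)


def demo() -> dict:
    """Hypothetical domain delegated to two nameservers: one still serves
    the zone, the other no longer has it and answers REFUSED."""
    responses = {
        "ns1.provider-a.example": fake_response(1, aa=True, rcode=0, answers=1),
        "ns2.provider-b.example": fake_response(1, aa=False, rcode=5, answers=0),
    }
    per_ns = {ns: classify_answer(parse_header(pkt)) for ns, pkt in responses.items()}
    return {"per_nameserver": per_ns, "status": delegation_status(per_ns)}


if __name__ == "__main__":
    print(demo())
```

A partially lame result is still worth acting on: the lame nameserver is the one an attacker would claim at the exploitable provider, and resolvers that happen to pick it will follow the attacker's zone. The same classification can be driven by `dig +norecurse @<ns> <domain> SOA` if you prefer not to run the raw probe.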
Over time, multiple threat actors have weaponized Sitting Ducks, using the hijacked domains to feed traffic distribution systems (TDSes) such as VexTrio Viper and 404 TDS (attributed to the actor tracked as Vacant Viper). Hijacked domains have also been used to send bomb threat hoaxes, an activity cluster tracked as Spammy Bear. Organizations should use DNS providers that protect against Sitting Ducks takeovers and audit their own domains to find any that are affected.
Impact
- Identity Theft
- Reputational Damage
- Exposure of Sensitive Data
Remediation
- Audit every domain you own, including parked and unused ones: confirm that each nameserver listed in the domain's NS delegation actually hosts the zone and answers authoritatively, and fix or remove any lame delegation.
- Use registrars and authoritative DNS providers that verify domain ownership before a zone can be claimed, and do not leave a domain delegated to a provider where you no longer hold an active account.
- Implement multi-factor authentication on registrar and DNS provider accounts to add an extra layer of protection to the login process.
- Regularly monitor DNS and network activity for unusual behaviour, such as unexpected changes to zone contents or nameserver records, which may indicate that an attack is underway.
- Stay vigilant and follow cybersecurity best practices, including keeping software updated and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan so the organization can respond effectively to a security breach or data leak.
- Maintain regular backups of critical data and systems to ensure recovery after a security incident.
- Apply the principle of least privilege so that users and applications have only the permissions they need.
- Establish a robust patch management process so that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate threats and limit their impact on critical systems.