Over 1 Million Domains at Risk of 'Sitting Ducks' Domain Hijacking Technique

Aug 01, 2024 | Ravie Lakshmanan | Vulnerability / Threat Intelligence


More than 1 million domains are susceptible to takeover by malicious actors by means of what has been called a Sitting Ducks attack.

The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by over a dozen Russian-nexus cybercriminal actors to stealthily hijack domains, a joint analysis published by Infoblox and Eclypsium has revealed.

"In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner's account at either the DNS provider or registrar," the researchers said.

"Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs."


Once a domain has been taken over by the threat actor, it can be used for all kinds of nefarious activity, including serving malware and sending spam, while abusing the trust associated with the legitimate owner.

Details of the "pernicious" attack technique were first documented by The Hacker Blog in 2016, although it remains largely unknown and unresolved to date. More than 35,000 domains are estimated to have been hijacked since 2018.

"It's a mystery to us," Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. "We frequently receive questions from prospective clients, for example, about dangling CNAME attacks, which are also a hijack of forgotten records, but we have never received a question about a Sitting Ducks hijack."

At issue is an incorrect configuration at the domain registrar and the authoritative DNS provider, coupled with the fact that the nameserver is unable to respond authoritatively for a domain it is listed to serve (i.e., a lame delegation).

It also requires that the authoritative DNS provider is exploitable, allowing the attacker to claim ownership of the domain at the delegated authoritative DNS provider without having access to the valid owner's account at the domain registrar.

In such a scenario, should the authoritative DNS service for the domain expire, the threat actor could create an account with the provider and claim ownership of the domain, ultimately impersonating the brand behind the domain to distribute malware.

"There are many variations [of Sitting Ducks], including when a domain has been registered, delegated, but not configured at the provider," Burton said.

The Sitting Ducks attack has been weaponized by different threat actors, with the stolen domains used to fuel multiple traffic distribution systems (TDSes) such as 404 TDS (aka Vacant Viper) and VexTrio Viper. It has also been leveraged to propagate bomb threat hoaxes and sextortion scams.

"Organizations should check the domains they own to see if any are lame, and they should use DNS providers which have protection against Sitting Ducks," Burton said.
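Burton's advice is to check whether any owned domains are lame. As an added example (not code from the article, Infoblox or Eclypsium), the following stdlib-only Python script sends an SOA query directly to each delegated nameserver and flags the condition the article describes: a nameserver that cannot answer authoritatively for the domain (REFUSED, SERVFAIL, or a reply without the authoritative-answer flag). It assumes the operator already has the nameserver IPs from the registrar's delegation; the addresses and replies in the offline demo are constructed.

```python
import socket
import struct

# Added, stdlib-only lame-delegation check (not from the Infoblox/Eclypsium report).
# A lame nameserver answers REFUSED or SERVFAIL, or replies without the AA
# (authoritative answer) flag, for a zone it is delegated to serve.
QTYPE_SOA, QCLASS_IN = 6, 1
AA_FLAG, RCODE_MASK = 0x0400, 0x000F
LAME_RCODES = {2: "SERVFAIL", 5: "REFUSED"}


def build_soa_query(domain, txid=0x1234):
    """Raw DNS query for '<domain> IN SOA' with RD=0, so the server answers from its own data."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def classify_response(raw):
    """Return 'authoritative', or the reason this nameserver looks lame for the zone."""
    if len(raw) < 12:
        return "malformed"
    flags = struct.unpack("!HHHHHH", raw[:12])[1]
    rcode = flags & RCODE_MASK
    if rcode in LAME_RCODES:
        return LAME_RCODES[rcode]
    if not flags & AA_FLAG:
        return "not authoritative (AA clear)"
    return "authoritative"


def query_nameserver(ns_ip, domain, timeout=3.0):
    """Send the SOA query over UDP to one delegated nameserver IP; return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(domain), (ns_ip, 53))
        return sock.recv(4096)


def check_delegation(domain, ns_ips, query=query_nameserver):
    """Verdict per nameserver IP; any entry other than 'authoritative' is a lame delegation."""
    results = {}
    for ip in ns_ips:
        try:
            results[ip] = classify_response(query(ip, domain))
        except (socket.timeout, OSError):
            results[ip] = "no response"
    return results


def constructed_reply(rcode, aa):
    """Constructed header-only reply (QR bit set) for offline demonstration and tests."""
    flags = 0x8000 | (AA_FLAG if aa else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
```

For a live check, call `check_delegation("yourdomain.example", ["<ns ip>", ...])` with the IPs of every nameserver the registrar lists for the domain; a lame verdict on a provider that lets anyone claim an unconfigured zone is exactly the precondition described above.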
