Infoblox Threat Intel Alert

Community Manager

Infoblox Community Members,

 

On Wednesday, July 31, a threat advisory was released by Infoblox Threat Intel.

 

Infoblox Threat Intel, in collaboration with Eclypsium, identified a DNS hijacking attack being actively exploited that may affect our customers. We have dubbed the attack vector ‘Sitting Ducks.’ Infoblox products are not vulnerable to this attack. It is a by-product of certain misconfigurations in DNS that, if left uncorrected, could allow an attacker to gain complete control of a customer’s domain names. Read the details on the Infoblox blog.

 

The vulnerability relies on lame delegations. A lame delegation exists where the NS records in a parent zone delegate a child zone to DNS servers that are not authoritative for the child zone or that don’t exist at all.

 

The vulnerability is limited to lame delegations to DNS hosting providers on the Internet. Some of these providers allow any party to register for an account and create zones without validating that these zones are owned by or associated with the party. If a malicious actor identifies a lame delegation to such a DNS hosting provider, he or she can create an account and create the previously lame child zone on the provider’s DNS servers, gaining control of the zone. This, in turn, would enable the malicious actor to use the zone to impersonate the real owner of the zone, sending phishing email messages as the owner, luring users to malicious websites, and so on. Infoblox Threat Intel has determined that over a dozen Russian cybercriminal actors have used Sitting Ducks attacks to hijack domains since December 2018.

 

Identifying and Correcting Lame Delegations

It is important to identify any lame delegations your organization may have. This might involve compiling a list of domain names your organization has registered, looking up the NS records for those domain names, and sending queries to the DNS servers listed in those NS records to determine whether they’re answering authoritatively.

 

Infoblox Threat Intel has created a script to check domain names to determine whether they are lame. This script is exclusively available to our customers and can be requested through your account team. It runs only on macOS and Linux.
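The check described above (look up the delegated NS records, query each listed server, and see whether it answers authoritatively) can be written in a few dozen lines. The following is an added illustration, not the Infoblox Threat Intel script mentioned above. The core logic takes a `query` callable so it can be exercised offline against constructed responses; the server names, zone name and responses in `SAMPLE_RESPONSES` are made up for the example. The optional `live_query` helper assumes the dnspython package and network access.

```python
# Lame-delegation checker. Added example; not Infoblox Threat Intel's script.
# A delegation is lame when any delegated name server is not authoritative
# for the zone, or does not exist / never answers at all.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    """Minimal view of a DNS response: the AA header flag and the RCODE."""
    aa: bool
    rcode: str  # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL", ...


# query(ns_hostname, zone) -> DnsAnswer, or None when the server could not be
# reached (NS hostname does not resolve, timeout, connection refused).
QueryFn = Callable[[str, str], Optional[DnsAnswer]]


def classify_server(ns_host: str, zone: str, query: QueryFn) -> str:
    """Classify one delegated name server for one zone.

    'authoritative' - answered for the zone apex with AA set and RCODE NOERROR
    'lame'          - reachable but not authoritative (AA clear, or REFUSED,
                      SERVFAIL, NXDOMAIN for the apex)
    'unreachable'   - NS hostname does not resolve or the server never answered;
                      for delegation purposes this is just as lame
    """
    answer = query(ns_host, zone)
    if answer is None:
        return "unreachable"
    if answer.aa and answer.rcode == "NOERROR":
        return "authoritative"
    return "lame"


def check_delegation(zone: str, delegated_ns: List[str],
                     query: QueryFn) -> Tuple[bool, Dict[str, str]]:
    """Return (is_lame, per-server verdicts) for the NS set delegating `zone`."""
    verdicts = {ns: classify_server(ns, zone, query) for ns in delegated_ns}
    is_lame = any(v != "authoritative" for v in verdicts.values())
    return is_lame, verdicts


def live_query(ns_host: str, zone: str) -> Optional[DnsAnswer]:
    """Real query using dnspython (assumed installed) against the NS itself.

    Asks the delegated server for the zone's SOA; an authoritative server
    answers with the AA flag set. Any resolution or transport failure is
    reported as None (unreachable).
    """
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    try:
        ip = dns.resolver.resolve(ns_host, "A")[0].to_text()
        resp = dns.query.udp(dns.message.make_query(zone, "SOA"), ip, timeout=3)
    except Exception:
        return None
    return DnsAnswer(aa=bool(resp.flags & dns.flags.AA),
                     rcode=dns.rcode.to_text(resp.rcode()))


# Constructed sample (hypothetical names): the parent zone delegates
# example.test to three servers, only one of which actually serves it.
SAMPLE_ZONE = "example.test"
SAMPLE_NS = ["ns1.good-provider.test",
             "ns1.hosting-provider.test",
             "ns2.old-provider.test"]
SAMPLE_RESPONSES = {
    # properly configured secondary: authoritative answer
    ("ns1.good-provider.test", SAMPLE_ZONE): DnsAnswer(aa=True, rcode="NOERROR"),
    # zone was never created at this hosting provider: refuses the query
    ("ns1.hosting-provider.test", SAMPLE_ZONE): DnsAnswer(aa=False, rcode="REFUSED"),
    # decommissioned provider: hostname no longer resolves
    ("ns2.old-provider.test", SAMPLE_ZONE): None,
}


def sample_query(ns_host: str, zone: str) -> Optional[DnsAnswer]:
    """Offline stand-in for live_query, backed by the constructed responses."""
    return SAMPLE_RESPONSES.get((ns_host, zone))


def run_sample() -> Tuple[bool, Dict[str, str]]:
    return check_delegation(SAMPLE_ZONE, SAMPLE_NS, sample_query)


if __name__ == "__main__":
    lame, verdicts = run_sample()
    for ns, verdict in verdicts.items():
        print(f"{SAMPLE_ZONE}: {ns} -> {verdict}")
    print("LAME DELEGATION" if lame else "delegation OK")
```

To run it against real domains, replace `sample_query` with `live_query` and feed `check_delegation` the NS records obtained from the parent zone for each domain on your registration list. Every server reported as `lame` or `unreachable` is a candidate for the corrections listed below; the `REFUSED` case in particular matches the hosting-provider scenario the advisory describes.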

 

Any lame delegations identified are configuration errors and can be corrected by:

  • removing the lame NS records if the delegation is not needed,
  • changing the NS records to delegate to DNS servers that are authoritative for the zone, or
  • configuring the lame DNS servers so that they’re authoritative for the zone.

 

Sign Up for Important Infoblox Updates

If you found this advisory valuable and would like to receive similar threat intel updates or Infoblox communications, click here and fill out the online form.
