Infoblox Threat Intel Alert
08-02-2024 02:33 PM
Infoblox Community Members,
On Wednesday, July 31, a threat advisory was released by Infoblox Threat Intel.
Infoblox Threat Intel, in collaboration with Eclypsium, identified a DNS hijacking attack being
actively exploited that may affect our customers. We have dubbed the attack vector ‘Sitting Ducks.’
Infoblox products are not vulnerable to this attack. It is a by-product of certain misconfigurations
in DNS that, if left uncorrected, could allow an attacker to gain complete control of a customer’s
domain names. Read the details on the Infoblox blog.
The vulnerability relies on lame delegations. A lame delegation exists where the NS records in a
parent zone delegate a child zone to DNS servers that are not authoritative for the child zone or that
don’t exist at all.
The vulnerability is limited to lame delegations to DNS hosting providers on the Internet. Some of
these providers allow any party to register for an account and create zones without validating that
these zones are owned by or associated with the party. If a malicious actor identifies a lame
delegation to such a DNS hosting provider, he or she can create an account and create the
previously lame child zone on the provider’s DNS servers, gaining control of the zone. This, in turn,
would enable the malicious actor to use the zone to impersonate the real owner of the zone, sending
phishing email messages as the owner, luring users to malicious websites, and so on. Infoblox
Threat Intel has determined that over a dozen Russian cybercriminal actors have used Sitting Ducks
attacks to hijack domains since December 2018.
Identifying and Correcting Lame Delegations
It is important to identify any lame delegations your organization may have. This might involve
compiling a list of domain names your organization has registered, looking up the NS records for
those domain names, and sending queries to the DNS servers listed in those NS records to
determine whether they’re answering authoritatively.
Infoblox Threat Intel has created a script to check domain names to determine whether they are
lame. This script is exclusively available to our customers and can be requested through your
account team. It runs only on macOS and Linux.
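The check described above, written as an added example in Python. This is not Infoblox Threat Intel's script and is not taken from the advisory: it sends a non-recursive SOA query to each server a zone is delegated to and reads the AA flag and RCODE from the reply header, which is what "answering authoritatively" means on the wire. The zone name, the 192.0.2.x addresses and the canned replies in the demo are constructed, and the injectable `exchange` parameter is an assumption of this example so the classification logic can run offline; swap in `udp_exchange` for a real check.

```python
"""Check whether the name servers a zone is delegated to answer authoritatively for it.
Added example; the NS addresses and replies used in the demo below are constructed."""
import socket
import struct
import random

# Status labels used by this example (assumed names, not Infoblox's).
AUTHORITATIVE = "authoritative"
NOT_AUTHORITATIVE = "lame: answered but AA flag not set"
REFUSED = "lame: REFUSED"
SERVFAIL = "lame: SERVFAIL"
NO_RESPONSE = "lame: no response"

QR_BIT, AA_BIT, RCODE_MASK = 0x8000, 0x0400, 0x000F
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(zone):
    """Encode 'example.com.' as DNS wire-format labels."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(zone, txid):
    """Non-recursive (RD=0) SOA query: a server that is authoritative for the zone
    must answer its apex SOA without recursing."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0 -> QR=0, RD=0
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def classify_response(txid, raw):
    """Decide from the 12-byte DNS header whether the reply is authoritative."""
    if raw is None or len(raw) < 12:
        return NO_RESPONSE
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if rid != txid or not flags & QR_BIT:
        return NO_RESPONSE  # wrong transaction id, or not a response at all
    rcode = flags & RCODE_MASK
    if rcode == 5:
        return REFUSED      # typical for a hosting provider that does not host the zone
    if rcode == 2:
        return SERVFAIL
    if rcode == 0 and flags & AA_BIT and ancount > 0:
        return AUTHORITATIVE
    return NOT_AUTHORITATIVE  # e.g. a recursive resolver answering from cache, or NXDOMAIN


def udp_exchange(ns_ip, packet, timeout=3.0):
    """Real transport: send the query over UDP port 53, return the raw reply or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (ns_ip, 53))
            return s.recv(4096)
        except (socket.timeout, OSError):
            return None


def check_delegation(zone, ns_addresses, exchange=udp_exchange):
    """Query every delegated server; return {ns_ip: status}.
    `exchange` is injectable (assumed design) so the logic can be run with canned replies."""
    results = {}
    for ns_ip in ns_addresses:
        txid = random.randint(0, 0xFFFF)
        results[ns_ip] = classify_response(txid, exchange(ns_ip, build_soa_query(zone, txid)))
    return results


def lame_servers(results):
    """The servers that are not authoritative for the zone, i.e. the lame part of the delegation."""
    return sorted(ns for ns, status in results.items() if status != AUTHORITATIVE)


def canned_reply(query, aa, rcode, ancount=1):
    """Build a minimal reply header for a given query (constructed test data, not real DNS)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR_BIT | (AA_BIT if aa else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


if __name__ == "__main__":
    # Constructed scenario: two delegated servers, one authoritative and one that
    # only answers REFUSED because the zone was never created on it.
    replies = {"192.0.2.1": (True, 0), "192.0.2.2": (False, 5)}
    fake = lambda ip, pkt: canned_reply(pkt, *replies[ip])
    res = check_delegation("example.com.", ["192.0.2.1", "192.0.2.2"], exchange=fake)
    for ns, status in res.items():
        print(ns, status)
    print("lame servers:", lame_servers(res))
    # For a real check: look up the zone's NS records with your resolver, resolve each
    # NS name to an address, and call check_delegation(zone, addresses) with the default transport.
```

A server listed in the delegation that lands in any of the `lame:` states is the condition the advisory describes; the REFUSED case is the one to look at first, because it is what an account-based hosting provider returns for a zone nobody has created there yet.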
Any lame delegations identified are configuration errors and can be corrected by:
- removing the lame NS records if the delegation is not needed,
- changing the NS records to delegate to DNS servers that are authoritative for the zone, or
- configuring the lame DNS servers so that they’re authoritative for the zone.
Sign Up for Important Infoblox Updates
If you found this advisory valuable and would like to receive similar threat intel updates or Infoblox
communications, click here and fill out the online form.