Over one million domains have been found to be potentially vulnerable to a “Sitting Ducks” attack, a cyber threat that exploits DNS misconfigurations to hijack domains.
The report, published by Infoblox Threat Intel, suggests that this type of attack, active since 2018, allows threat actors to leverage hijacked domains for malicious activities ranging from malware distribution to phishing.
Domain Name System: A Backbone of the Internet
The Domain Name System (DNS) is a crucial part of the Internet's infrastructure, acting as its "phonebook."
It converts human-readable domain names, such as www.example.com, into machine-readable IP addresses, like 192.0.2.1. This translation allows users to access websites, applications, and online services without needing to remember complex numerical codes. The hierarchical nature of DNS ensures a distributed and scalable system, with domains organized into layers, from top-level domains like .com or .org to subdomains like blog.example.com.
Domains are equally vital, as they provide a recognizable and navigable structure for the internet. They allow businesses and individuals to establish unique online identities and create reliable addresses for services such as websites, emails, and cloud systems.
However, the reliance on DNS and domains also creates vulnerabilities.
DNS hijacking and spoofing attacks can redirect users to malicious websites, threatening online security. Similarly, distributed denial-of-service (DDoS) attacks targeting DNS servers can disrupt access to entire portions of the web.
How Sitting Ducks Attacks Exploit DNS Weaknesses
During a Sitting Ducks attack, cybercriminals take control of a domain's DNS by exploiting a misconfiguration known as "lame delegation": the domain's delegation (the NS records its registrar publishes in the parent zone) points at authoritative name servers that do not actually serve the zone, for example servers at a DNS provider where the domain is no longer hosted. Where such a provider lets a new customer claim the domain without verifying ownership, the attacker claims it and starts serving whatever records they like for a domain they never registered.
Infoblox’s findings indicate that 800,000 domains remain vulnerable, with 70,000 of these already hijacked.
The report underscores that these attacks are relatively simple to execute but hard for security teams to detect, because a hijacked domain keeps its age, registration history and reputation and therefore passes the domain-reputation checks many security systems rely on.
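One way to check a domain for the lame-delegation precondition described above, as an added example that is not from the Infoblox report or this article: a POSIX shell script that looks up the domain's delegation at its parent zone, asks each delegated name server for the zone's SOA with recursion disabled, and classifies the reply. The function names, the verdict labels and the constructed `dig` output used for the stand-alone demo are assumptions; deriving the parent zone with `${domain#*.}` assumes a domain registered directly under a TLD.

```shell
#!/bin/sh
# Added example (not from the Infoblox report): detect lame delegation, the
# misconfiguration a Sitting Ducks attack needs. Function names are assumptions.

# classify_response: reads the ";; HEADER" and ";; flags" lines of a dig reply
# on stdin and prints one verdict:
#   AUTHORITATIVE  server answered with the AA flag set (it hosts the zone)
#   LAME_REFUSED   server refused the query (typical for a zone nobody has claimed)
#   LAME_SERVFAIL  server failed the query
#   LAME_NXDOMAIN  server says the zone apex does not exist
#   LAME_NOT_AUTH  server answered without AA (not authoritative for the zone)
#   NO_RESPONSE    timeout, unresolvable server name, or empty input
classify_response() {
    resp=$(cat)
    case "$resp" in
        "") echo NO_RESPONSE; return ;;
        *"connection timed out"*) echo NO_RESPONSE; return ;;
    esac
    status=$(printf '%s\n' "$resp" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$resp" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        "")       echo NO_RESPONSE; return ;;
        REFUSED)  echo LAME_REFUSED; return ;;
        SERVFAIL) echo LAME_SERVFAIL; return ;;
        NXDOMAIN) echo LAME_NXDOMAIN; return ;;
    esac
    case " $flags " in
        *" aa "*) echo AUTHORITATIVE ;;
        *)        echo LAME_NOT_AUTH ;;
    esac
}

# check_delegation: take the NS set the parent zone hands out (the delegation the
# registrar published, not the NS records inside the zone itself), then query each
# of those servers directly for the zone's SOA.
check_delegation() {
    domain=$1
    parent=${domain#*.}   # assumption: domain sits directly under a TLD
    parent_ns=$(dig +short NS "$parent" | head -n 1)
    if [ -z "$parent_ns" ]; then
        echo "could not find name servers for parent zone $parent" >&2
        return 1
    fi
    # A parent server answers with a referral: the NS records sit in the authority section.
    delegated=$(dig +norecurse +noall +authority NS "$domain" @"$parent_ns" \
                | awk '$4 == "NS" { print $5 }')
    if [ -z "$delegated" ]; then
        echo "no delegation for $domain found at $parent_ns" >&2
        return 1
    fi
    for ns in $delegated; do
        verdict=$(dig +norecurse +noall +comments +time=3 +tries=1 SOA "$domain" @"$ns" 2>&1 \
                  | classify_response)
        printf '%-40s %s\n' "$ns" "$verdict"
    done
}

# Constructed dig output for the stand-alone demo; no network is needed for it.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_REFUSED" | classify_response   # prints LAME_REFUSED

# Live check when a domain is given on the command line.
if [ $# -gt 0 ]; then
    check_delegation "$1"
fi
```

Run it as `sh check_delegation.sh example.com` (assumed filename). A delegated server reported as LAME_REFUSED, LAME_NOT_AUTH or NO_RESPONSE is the condition the attack needs; whether the domain can then be claimed by a stranger depends on that provider's account-verification policy, which no DNS query can reveal, so a lame result is a prompt to fix the delegation, not proof of compromise.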
Key Threat Groups
Among the cybercriminals exploiting this technique, groups labeled “Vipers” and “Hawks” stand out.
Vacant Viper, active since 2019, hijacks around 2,500 domains each year to support its traffic distribution system (TDS), known as 404TDS. This infrastructure is used to run spam operations, distribute malware and deploy remote access Trojans (RATs). Similarly, Vextrio Viper has operated a TDS network since 2020, linking hijacked domains to an affiliate network of over 65 partners who redirect users to phishing, malware and scam sites.
Infoblox identified additional actors, Horrid Hawk and Hasty Hawk, who use hijacked domains for fraudulent campaigns.
Horrid Hawk, active since February 2023, uses hijacked domains to promote fake government investment schemes across social media platforms worldwide. Hasty Hawk, responsible for hijacking over 200 domains since 2022, uses their domains to conduct phishing campaigns, often spoofing well-known brands like DHL.
Impact and Prevention of Sitting Ducks Attacks
Infoblox explained that Sitting Ducks attacks affect several groups: organizations whose domains are hijacked suffer reputational damage, individuals who visit the hijacked domains face malware or credential theft, and security teams struggle to defend against threats that arrive through domains with a clean, established history.
While these attacks are difficult to detect, they are preventable with proper DNS configuration and oversight: a domain whose delegation points only at name servers that actually host its zone, at a provider that verifies ownership before handing out control, cannot be claimed this way.
Infoblox urged domain owners, DNS providers and registrars to regularly review configurations to mitigate these risks. The report also emphasized that increased awareness and cooperation across the cybersecurity community are essential for addressing and reducing the threat posed by Sitting Ducks attacks.