‘Sitting Ducks’ Attacks Put a Million Domains at Risk

November 20, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

An underreported cyber-attack vector, known as “Sitting Ducks,” is reshaping how cybercriminals compromise domains.

Highlighted in a recent Infoblox Threat Intel report, this attack takes advantage of DNS misconfigurations to hijack domains—making them a prized target for malicious activities.

The findings are alarming: over 1 million registered domains may be vulnerable, and 70,000 hijackings have been confirmed.

These attacks are easy to execute yet hard to detect, leaving businesses, nonprofits, and even government entities exposed.

The Mechanics: Exploiting DNS Weaknesses

The Sitting Ducks attack exploits misconfigured DNS settings—commonly known as “lame delegations.”

In simple terms, a lame delegation exists when the name servers a domain is delegated to do not actually serve its zone, so queries for the domain go unanswered; an attacker who can set up that zone at the delegated provider effectively claims the domain and can manipulate its records.

Unlike traditional credential theft or registrar breaches, this method requires minimal effort and flies under the radar of existing detection controls.

The misconfigured domains are then weaponized for a range of malicious activities, including:

Phishing campaigns

Traffic Distribution Systems (TDS) that reroute users to harmful content

Hosting malware like AsyncRAT and DarkGate

Profiles of Cyber Predators: Vipers and Hawks

The Infoblox report profiles threat actors exploiting Sitting Ducks vulnerabilities:

Vacant Viper: Operating since 2019, this actor hijacks domains to distribute spam, pornography, and Remote Access Trojans (RATs). Their infrastructure supports advanced TDS, allowing the spread of malware undetected.

Vextrio Viper: Known for its massive cybercriminal affiliate programs, Vextrio specializes in routing compromised traffic for malware, phishing, and scams.

Horrid Hawk: Leveraging hijacked domains for investment fraud, this actor uses short-lived Facebook ads and multi-language campaigns targeting individuals globally.

Hasty Hawk: Operating phishing campaigns mimicking DHL shipping pages or fake donation sites for Ukraine relief, Hasty Hawk employs advanced techniques to exploit geolocation and user behavior.

A Costly Aftermath: Who Pays the Price?

The fallout from Sitting Ducks attacks extends beyond the immediate victim:

Organizations: Face reputation damage and operational downtime.

Individuals: Unknowingly engage with compromised domains, leading to credential theft or malware infections.

Security Teams: Struggle to counter malicious activity served from otherwise trusted domains, incurring significant recovery costs.

The Path Forward: Mitigation and Awareness

While challenging to detect, these attacks are entirely preventable through proper DNS configuration and proactive measures:

Domain holders must review DNS settings regularly.

Registrars and DNS providers should implement safeguards to prevent hijackings.

Governments and industry standards bodies need to include configuration vulnerabilities in security frameworks.
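An added example, not part of the 63SATS article or of any Infoblox tooling, that turns the lame-delegation mechanics described above and the "review DNS settings regularly" advice into a simple audit check: for each name server listed in a domain's parent-zone NS records, it classifies what an SOA query at the zone apex returned. The probe results, domain names and provider hostnames are constructed assumptions; a live audit would gather them with a DNS resolver library.

```python
"""Lame-delegation audit logic (added example; not the article's or Infoblox's code).
Input is constructed: what a probe of each name server listed in the parent zone's
NS records returned for an SOA query at the domain apex."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class NsProbe:
    rcode: str              # DNS RCODE as text: NOERROR, REFUSED, SERVFAIL, NXDOMAIN, or TIMEOUT
    aa: bool = False        # Authoritative Answer flag was set in the response
    soa_seen: bool = False  # an SOA record for the apex came back in the answer section


def ns_is_lame(p: NsProbe) -> bool:
    """A delegated server is lame when it does not answer authoritatively for the zone."""
    if p.rcode in ("REFUSED", "SERVFAIL", "NXDOMAIN"):
        return True                        # server does not know or will not serve the zone
    if p.rcode == "NOERROR":
        return not (p.aa and p.soa_seen)   # answered, but not as the zone's authority
    return False                           # TIMEOUT: unreachable, not proven lame


def assess_delegation(domain: str, parent_ns: List[str], probes: Dict[str, NsProbe]) -> dict:
    """Combine per-server probes into one verdict for the domain's delegation."""
    lame = [ns for ns in parent_ns if ns_is_lame(probes[ns])]
    unreachable = [ns for ns in parent_ns if probes[ns].rcode == "TIMEOUT"]
    if len(unreachable) == len(parent_ns):
        status = "unreachable"        # nothing answered; re-probe before concluding
    elif len(lame) + len(unreachable) == len(parent_ns):
        status = "lame"               # no delegated server serves the zone: hijack precondition
    elif lame:
        status = "partially-lame"     # some servers serve the zone, some do not
    else:
        status = "healthy"
    return {"domain": domain, "status": status, "lame_ns": lame, "unreachable_ns": unreachable}


# Constructed probe results for two domains (reserved example.* names, assumed provider hostnames).
AUDIT_INPUT = {
    "example.com": (["ns1.dns-provider.example", "ns2.dns-provider.example"],
                    {"ns1.dns-provider.example": NsProbe("NOERROR", aa=True, soa_seen=True),
                     "ns2.dns-provider.example": NsProbe("NOERROR", aa=True, soa_seen=True)}),
    "example.org": (["ns1.dns-provider.example", "ns2.dns-provider.example"],
                    {"ns1.dns-provider.example": NsProbe("REFUSED"),
                     "ns2.dns-provider.example": NsProbe("TIMEOUT")}),
}


def run_audit(inputs=AUDIT_INPUT) -> Dict[str, dict]:
    return {d: assess_delegation(d, ns, probes) for d, (ns, probes) in inputs.items()}


if __name__ == "__main__":
    for verdict in run_audit().values():
        print(verdict)
```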