Sitting Ducks DNS Attacks Put Global Domains at Risk

Over 1 million domains have been found potentially vulnerable to a “Sitting Ducks” attack, a cyber-threat that exploits DNS misconfigurations to hijack domains.

The report, published by Infoblox Threat Intel, suggests that this type of attack, active since 2018, allows threat actors to leverage hijacked domains for malicious activities ranging from malware distribution to phishing.

How Sitting Ducks Attacks Exploit DNS Weaknesses

During a Sitting Ducks attack, cybercriminals manipulate the DNS settings of a domain, typically exploiting an oversight called “lame delegation,” where domains mistakenly point to incorrect authoritative name servers.

Infoblox’s findings indicate that 800,000 domains remain vulnerable, with 70,000 of these already hijacked.

The report underscores that these attacks are relatively simple to execute but challenging for security teams to detect, as the hijacked domains appear reputable to many security systems.

Key Threat Groups

Among the cybercriminals exploiting this technique, groups labeled “Vipers” and “Hawks” stand out.

Vacant Viper, active since 2019, hijacks around 2500 domains each year to support their traffic distribution system (TDS) called 404TDS. This infrastructure is used to run spam operations, distribute malware and establish remote access Trojans. Similarly, Vextrio Viper has operated a TDS network since 2020, linking compromised domains to an affiliate network of over 65 partners, who redirect users to phishing, malware and scam sites.

Infoblox identified additional actors, Horrid Hawk and Hasty Hawk, who use hijacked domains for fraudulent campaigns.

Horrid Hawk, active since February 2023, uses hijacked domains to promote fake government investment schemes across social media platforms worldwide. Hasty Hawk, responsible for hijacking over 200 domains since 2022, uses their domains to conduct phishing campaigns, often spoofing well-known brands like DHL.

Read more on DNS security threat: New DNS-Based Backdoor Threat Discovered at Taiwanese University

Impact and Prevention of Sitting Duck Attacks

Infoblox explained that the impact of Sitting Ducks attacks affects various groups: Organizations with hijacked domains suffer reputational damage; individuals face risks of malware or credential theft; and security teams struggle to maintain effective defenses against increasingly stealthy threats.

While these attacks are difficult to detect, they can be prevented with proper DNS configuration and oversight.

Infoblox urged domain owners, DNS providers and registrars to regularly review configurations to mitigate these risks. The report also emphasized that increased awareness and cooperation across the cybersecurity community are essential for addressing and reducing the threat posed by Sitting Ducks attacks.