Sitting Ducks DNS Attacks Put Global Domains at Risk

Summary:
Over 1 million domains have been identified as potentially vulnerable to "Sitting Ducks" attacks, a cyber threat that exploits DNS misconfigurations, particularly lame delegation. This misconfiguration occurs when a domain's delegation points to name servers that are not actually authoritative for it, allowing attackers to hijack the domain. Active since 2018, Sitting Ducks attacks enable cybercriminals to use hijacked domains for activities such as malware distribution, phishing campaigns, and scams, posing significant risks to organizations, individuals, and the broader internet infrastructure.

The Domain Name System is a critical component of the internet, translating human-readable domain names into machine-readable IP addresses. While DNS ensures seamless connectivity and scalability, its complexity and reliance on proper configuration make it a frequent target for cyber threats. Sitting Ducks attacks exploit these weaknesses by manipulating DNS settings to redirect traffic or host malicious content. According to Infoblox Threat Intel, over 800,000 domains remain vulnerable, with 70,000 already hijacked. These attacks are relatively simple for attackers to execute but difficult for security systems to detect due to their stealthy nature and the appearance of legitimacy in hijacked domains.

Security Officer Comments:
Threat actors have used Sitting Ducks techniques to establish traffic distribution systems that funnel victims to phishing, malware, and scam sites. Groups such as Vacant Viper and Vextrio Viper have hijacked thousands of domains annually to support their TDS infrastructure, which facilitates spam operations, malware distribution, and affiliate scams. Newer actors like Horrid Hawk and Hasty Hawk have used hijacked domains for fraudulent campaigns, including fake government investment schemes and phishing attacks spoofing trusted brands like DHL. These campaigns often leverage hijacked domains’ perceived reputability to evade detection and maximize their impact. The impact of these attacks is widespread. Organizations face reputational damage when their domains are hijacked, individuals are exposed to risks like credential theft and malware, and security teams struggle to counter increasingly stealthy threats.

Suggested Corrections:
While Sitting Ducks attacks are relatively easy to perform and difficult to detect, they are also entirely preventable with correct configurations at the domain registrar and DNS providers. DNS misconfigurations are oversights that arise from many causes. Multiple parties can play a role in fixing them: the domain holder owns their domain configuration, while registrars and DNS providers can make these types of hijacks harder to perform or easier to remediate.
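The configuration check a domain holder can run, as an added example that is not code from the article or from Infoblox: for each name server the registrar delegates a domain to, ask that server directly for the zone's SOA and flag any server that does not answer authoritatively. The `query` callback, the `Answer` fields and all domain and server names are constructed here so the check runs offline; a real run would issue the SOA queries with a DNS library.

```python
from dataclasses import dataclass, field

@dataclass
class Answer:                    # reply to an SOA query sent straight to one NS
    rcode: str                   # "NOERROR", "REFUSED", "SERVFAIL", ...
    authoritative: bool = False  # AA flag set in the response
    has_soa: bool = False        # the zone's own SOA record was returned

@dataclass
class DelegationReport:
    domain: str
    delegated_ns: list
    lame_ns: list = field(default_factory=list)

    @property
    def status(self) -> str:
        if not self.lame_ns:
            return "ok"
        if len(self.lame_ns) == len(self.delegated_ns):
            return "lame"           # no delegated server serves the zone
        return "partially_lame"     # some delegated servers do not serve it

def check_delegation(domain, parent_ns, query):
    """parent_ns: NS names the parent zone (registrar side) delegates to.
    query(ns, domain) -> Answer; injected so the check runs offline."""
    report = DelegationReport(domain, list(parent_ns))
    for ns in parent_ns:
        ans = query(ns, domain)
        # Sound delegation: NOERROR, AA set, zone SOA present; else not authoritative.
        if ans.rcode != "NOERROR" or not ans.authoritative or not ans.has_soa:
            report.lame_ns.append(ns)
    return report

# Constructed sample data (names are made up): what each server answers.
SAMPLE_ANSWERS = {
    ("ns1.provider-a.example", "corp.example"): Answer("NOERROR", True, True),
    ("ns2.provider-a.example", "corp.example"): Answer("NOERROR", True, True),
    ("ns1.provider-a.example", "mixed.example"): Answer("NOERROR", True, True),
    ("ns1.provider-b.example", "mixed.example"): Answer("SERVFAIL"),
    ("ns1.provider-b.example", "old-brand.example"): Answer("REFUSED"),
    ("ns2.provider-b.example", "old-brand.example"): Answer("REFUSED"),
}
SAMPLE_DELEGATIONS = {
    "corp.example": ["ns1.provider-a.example", "ns2.provider-a.example"],
    "mixed.example": ["ns1.provider-a.example", "ns1.provider-b.example"],
    "old-brand.example": ["ns1.provider-b.example", "ns2.provider-b.example"],
}
def sample_query(ns, domain):
    return SAMPLE_ANSWERS.get((ns, domain), Answer("SERVFAIL"))
def audit(delegations=SAMPLE_DELEGATIONS, query=sample_query):
    # Domains reported "lame" must be re-delegated (or the zone re-created) at the registrar.
    return {d: check_delegation(d, ns, query).status for d, ns in delegations.items()}
```

`old-brand.example` shows the case the article describes: the zone left provider-b but the registrar still delegates to provider-b's servers, so none of them answer for it.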

Link(s):
https://www.infosecurity-magazine.com/news/sitting-ducks-dns-attacks-global/