The Alarming Rise of Sitting Ducks Cyber Attacks: Millions of Domains at Risk
A chilling new report from Infoblox Threat Intel has exposed the alarming vulnerability of over 800,000 registered domains to a sophisticated cyberattack known as the “Sitting Ducks” attack. This DNS hijacking technique allows malicious actors to seize complete control of a domain by compromising its DNS configurations. The report estimates that potentially over 1 million domains could be vulnerable daily, highlighting a significant and under-recognized threat within the cybersecurity landscape.
The Sitting Ducks attack vector, while not entirely new, has gained considerable traction in recent years. Cybercriminals have been exploiting this vulnerability since at least 2018, hijacking tens of thousands of domains belonging to a diverse range of victims, including well-known brands, non-profit organizations, and even government entities. The scale of the problem is staggering, with Infoblox identifying 800,000 vulnerable domains and approximately 70,000 confirmed hijackings.
Understanding the Sitting Ducks Attack Mechanism
The Sitting Ducks attack hinges on the compromise of a domain’s DNS records. By gaining control of these records, attackers can redirect traffic intended for the legitimate website to their own malicious servers. This allows them to conduct a variety of nefarious activities, including:
- Malware distribution: Delivering malware such as DarkGate and AsyncRAT.
- Spam campaigns: Launching large-scale spam operations.
- Phishing attacks: Creating convincing phishing pages to steal sensitive information.
- Investment fraud: Setting up fraudulent investment schemes.
- Remote access Trojan (RAT) control: Establishing command-and-control (C2) servers for RATs.
- Pornography distribution: Hosting and distributing illegal pornography.
Key Threat Actors Exploiting Sitting Ducks Vulnerabilities
The Infoblox report highlights several prominent threat actors actively leveraging the Sitting Ducks attack vector:
- Vacant Viper: This group has been hijacking an estimated 2,500 domains annually since December 2019, using them to enhance its malicious traffic distribution system (TDS) known as 404TDS. Vacant Viper prioritizes domains with high reputations to avoid detection by security vendors.
- Vextrio Viper: Operating the largest known cybercriminal affiliate program, Vextrio has integrated hijacked domains into its massive TDS infrastructure since early 2020. This network routes compromised web traffic to over 65 affiliate partners, many of whom also participate in domain hijacking through Sitting Ducks attacks. They often utilize Russian anti-bot services to filter out security researchers and automated detection systems.
- Horrid Hawk: Active since at least February 2023, Horrid Hawk uses hijacked domains for investment fraud schemes. Their campaigns are particularly sophisticated, employing convincing lures and short-lived Facebook ads in over 30 languages across multiple continents.
- Hasty Hawk: Since March 2022, Hasty Hawk has hijacked over 200 domains to execute widespread phishing campaigns. These campaigns frequently spoof DHL shipping pages and fake donation sites supporting Ukraine. Hasty Hawk leverages various platforms, including Google Ads and spam messages, to distribute malicious content.
The Urgent Need for Proactive Defense Mechanisms
Mohammed Al-Moneer, Senior Regional Director, META at Infoblox, aptly summarizes the situation: “The ‘Sitting Ducks’ attack vector is still an underrecognized threat. As the latest research from Infoblox Threat Intel shows, cybercriminals are leveraging hijacked domains in ways that significantly amplify their malicious campaigns. The alarming scale of these attacks with over 800,000 vulnerable domains identified and tens of thousands hijacked underscores the critical need for heightened awareness and proactive defense mechanisms.”
The sheer scale of the Sitting Ducks vulnerability underscores the critical need for organizations to prioritize DNS security. Proactive measures, including robust DNS security solutions and regular security audits, are essential to mitigate the risk of becoming a victim of this devastating attack. The full Infoblox report provides further insights and recommendations for bolstering defenses against Sitting Ducks and other DNS-based attacks. The report can be found here.
