November 16, 2024
One of the most concerning tactics being employed by cybercriminals is the hijacking of legitimate domains through a technique known as the “Sitting Ducks” attack. Recent findings by Infoblox reveal that around 70,000 domains have been hijacked through this scheme, highlighting a significant risk for businesses and individuals alike.
What is the Sitting Ducks Attack?
The Sitting Ducks attack exploits DNS misconfigurations of registered domains. It allows malicious actors to seize control of a domain when the domain’s delegation points to a name server that is not actually authoritative for it. Although security researcher Matthew Bryant first documented this attack vector in 2016, it has been widely used since, and its scale has only recently become apparent.
How Does It Work?
For a Sitting Ducks attack to be successful, several conditions must align. First, a registered domain must delegate its DNS service to a provider other than its registrar. Second, the delegation must be “lame,” meaning the name servers it points to do not actually serve the domain’s zone. This misconfiguration is the weakness the attacker exploits. Finally, with such a delegation in place, the attacker can claim the domain at the DNS provider and manipulate its DNS records without ever needing access to the domain owner’s registrar account.
This method is not only simple to execute but also stealthy. Many of the hijacked domains have a positive reputation, making them less likely to be flagged by security tools. As a result, victims of these attacks often include well-known brands, non-profits, and government entities.
Detection Challenges
Detecting a hijacked domain can be a complex and challenging task. In many cases, the only indication of a problem might be an unexpected change in IP addresses. However, given the vast number of domains in use today, relying solely on IP address changes can lead to numerous false positives, complicating detection efforts. This makes identifying hijacked domains even more difficult, especially when attackers are careful to avoid leaving traces that would alert security teams.
Rotational Hijacking
A particularly concerning tactic among cybercriminals is “rotational hijacking.” In this method, a single domain may be taken over multiple times by different attackers over a span of months or even years. Often, these criminals will exploit free DNS services, hijacking domains for short periods—typically between 30 to 60 days—before moving on to new targets. This tactic increases the complexity of identifying hijacked domains, as attackers frequently change their methods and the duration of their control.
Notable Threat Actors
Several threat actors have been identified as using the Sitting Ducks technique to exploit vulnerable domains for various malicious purposes. For example, Vacant Viper has been involved in malicious spam operations and the distribution of malware, such as DarkGate and AsyncRAT, since late 2019. Another group, Horrid Hawk, has conducted investment fraud schemes by running short-lived advertisements on social media since early 2023. Similarly, Hasty Hawk has run phishing campaigns that impersonate reputable services like DHL or fake donation sites. Finally, VexTrio Viper has been involved in several malicious activities, including fake online pharmaceutical campaigns, since early 2020. These threat actors leverage hijacked domains to distribute malware, steal data, and commit fraud, putting both individuals and businesses at considerable risk.
Protecting Against Hijacked Domains
Given the rising threat of domain hijacking, it is crucial for domain owners to adopt proactive security measures. One of the first steps is to regularly review DNS settings to ensure that the DNS configurations are correct and point to the appropriate authoritative name servers. Domain owners should also choose reputable DNS providers that offer robust security measures to minimize the risk of exploitation. Monitoring domain activity is also essential—keeping an eye on any unauthorized changes or unusual patterns of behavior can help detect potential hijacking attempts before they cause significant harm.
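The preconditions listed under “How Does It Work?” and the DNS review recommended above can be turned into a routine check. The following script is an added example, not code from the article or from Infoblox; it works offline on constructed sample data (the NS set the registrar publishes at the parent zone and each server’s answer to an SOA query), and the rule that a name server’s provider is its hostname minus the first label is an assumption used only to compare the provider with the registrar.

```python
from collections import namedtuple

# Constructed sample data (not real domains): which name servers the parent zone
# delegates to, and what each of them answered to an SOA query for the domain.
# "AA" = authoritative answer; anything else (REFUSED, SERVFAIL, NXDOMAIN,
# TIMEOUT) is what a server returns once it no longer hosts the zone.
SAMPLES = {
    "brand.test": dict(registrar="registrar-a.test",
        parent_ns=["ns1.provider-b.test", "ns2.provider-b.test"],
        soa_answers={"ns1.provider-b.test": "REFUSED", "ns2.provider-b.test": "TIMEOUT"}),
    "healthy.test": dict(registrar="registrar-a.test",
        parent_ns=["ns1.provider-b.test", "ns2.provider-b.test"],
        soa_answers={"ns1.provider-b.test": "AA", "ns2.provider-b.test": "AA"}),
    "in-house.test": dict(registrar="registrar-a.test",   # DNS never left the registrar
        parent_ns=["ns1.registrar-a.test"],
        soa_answers={"ns1.registrar-a.test": "REFUSED"}),
}

Report = namedtuple("Report", "domain delegated_off_registrar lame_ns verdict")

def provider_of(ns_host):
    """Assumption for this example: the provider is the NS hostname minus its first label."""
    return ns_host.split(".", 1)[1]

def check_delegation(domain, registrar, parent_ns, soa_answers):
    """Apply the Sitting Ducks preconditions to one domain's delegation."""
    off_registrar = any(provider_of(ns) != registrar for ns in parent_ns)
    # A delegated server that does not answer authoritatively is lame (missing = timeout).
    lame = [ns for ns in parent_ns if soa_answers.get(ns, "TIMEOUT") != "AA"]
    if not lame:
        verdict = "ok"
    elif off_registrar and len(lame) == len(parent_ns):
        verdict = "sitting-duck-candidate"   # all preconditions present: fix immediately
    else:
        verdict = "lame-delegation"          # a precondition is missing, but still fix it
    return Report(domain, off_registrar, lame, verdict)

def ns_set_changed(previous_ns, current_ns):
    """Monitoring helper: a changed NS set is a far rarer event than a changed IP."""
    return set(previous_ns) != set(current_ns)

def audit(samples=SAMPLES):
    return {d: check_delegation(d, **cfg) for d, cfg in samples.items()}

if __name__ == "__main__":
    for domain, report in audit().items():
        print(f"{domain}: {report.verdict} lame={report.lame_ns}")
```

In production the SOA answers would come from querying each delegated name server directly, and the NS snapshot comparison would run on a schedule so a delegation change is noticed even when the domain’s IP addresses look unremarkable.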
Conclusion
The Sitting Ducks attack represents a significant and growing threat in the world of cybersecurity, with thousands of domains being hijacked for malicious purposes. By understanding this attack vector and implementing preventative measures, businesses and individuals can better protect themselves against potential risks. Awareness, vigilance, and proactive security practices are key to navigating the ever-changing landscape of online security.