Introduction
The “Sitting Ducks” attacks represent a significant cyber threat, exploiting vulnerabilities in DNS configurations to hijack domains. This threat has been active since 2016 and poses a substantial risk to over a million registered domains, with severe implications for both organizations and individuals.
Description
Over 1 million registered domains are potentially vulnerable to “Sitting Ducks” attacks [1], which exploit misconfigured DNS name servers and lame delegation (a domain delegated by the parent zone to name servers that do not answer authoritatively for it) to hijack domains. This cyber-threat [1], active since 2016 [1] [4], lets threat actors take full control of a vulnerable domain without stealing credentials or accessing the domain owner’s registrar account [3]. Recent findings indicate that nearly 800,000 domains are at risk [2], with approximately 70,000 already compromised. The actual number of vulnerable domains is likely higher [3], as this figure does not account for subdomains.
These attacks have a low technical barrier and are difficult for security teams to detect [4], because compromised domains often retain a positive reputation [4] that misleads security controls [4]. Threat actors use hijacked domains to host fraudulent investment sites and other attack infrastructure that evades detection, fuelling further cybercrime [4]. Notable actors in this space include “Vacant Viper,” which has hijacked an estimated 2,500 domains annually since 2019 [4], and “Horrid Hawk,” which has used hijacked domains for investment fraud schemes since 2023 [4]. Additionally, “Hasty Hawk” has been active since 2022, hijacking over 200 domains for phishing campaigns targeting DHL and fake donation sites [4].
The impact of these attacks includes reputational damage for organizations [1], risks of malware downloads and fraud for individuals, and challenges for security teams in maintaining effective defenses against the misuse of trusted domains [1]. Organizations face significant recovery costs on top of the reputational harm, while individuals risk falling victim to malware or credential theft.
Detection of Sitting Ducks attacks is notoriously difficult [1], but they can be prevented through proper DNS configuration and oversight at domain registrars and DNS providers [1]. Regular reviews of configurations by domain owners [1], DNS providers [1] [3] [4], and registrars are essential to mitigate these risks [1]. There is a pressing need for increased awareness and cooperation among DNS providers, registrars [1] [3] [4], and government agencies to effectively address and reduce the threat posed by Sitting Ducks attacks, as current efforts often prioritize software vulnerabilities over misconfigurations [3]. Despite the prevalence of these attacks [3], they remain underreported and inadequately addressed by affected organizations [3].
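One concrete form such a configuration review can take is a lame-delegation check: for every name server the parent zone delegates a domain to, confirm that the server actually answers authoritatively for it. The following is an added example, not code from any of the cited sources; the server names, domain and probe outcomes are constructed, and the probe callback is a stand-in for real SOA queries.

```python
"""Lame-delegation check (the DNS misconfiguration Sitting Ducks attacks rely on).

A domain is lame-delegated when the parent zone points it at name servers that do
not answer authoritatively for it. The probe is pluggable so this runs offline on
constructed data; a live probe would send a SOA query to each delegated server.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

AUTHORITATIVE = "authoritative"          # NOERROR with the AA flag set
NOT_AUTHORITATIVE = "not_authoritative"  # answered, but the AA flag is clear
REFUSED = "refused"                      # zone is not configured on this server
SERVFAIL = "servfail"
TIMEOUT = "timeout"

@dataclass
class DelegationReport:
    domain: str
    healthy: List[str] = field(default_factory=list)
    lame: Dict[str, str] = field(default_factory=dict)  # server -> outcome

    @property
    def status(self) -> str:
        """healthy: every server authoritative; lame: none; else partially_lame."""
        if not self.lame:
            return "healthy"
        return "partially_lame" if self.healthy else "lame"

def check_delegation(domain: str, parent_ns: List[str],
                     probe: Callable[[str, str], str]) -> DelegationReport:
    """Probe every server the parent delegates `domain` to and bucket the outcomes."""
    report = DelegationReport(domain)
    for ns in sorted(set(parent_ns)):
        outcome = probe(ns, domain)
        if outcome == AUTHORITATIVE:
            report.healthy.append(ns)
        else:
            report.lame[ns] = outcome
    return report

# Constructed sample: provider A still serves the zone, provider B has dropped it.
SAMPLE_PROBES = {
    ("ns1.provider-a.example", "example.test"): AUTHORITATIVE,
    ("ns1.provider-b.example", "example.test"): REFUSED,
}

def sample_probe(ns: str, domain: str) -> str:
    """Stand-in for a real SOA query; servers not in the sample time out."""
    return SAMPLE_PROBES.get((ns, domain), TIMEOUT)
```

Any server that lands in `lame` (REFUSED, SERVFAIL, timeout, or a non-authoritative answer) is a delegation the registrar-side NS set should be corrected or the zone re-established at that provider.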
Conclusion
The “Sitting Ducks” attacks underscore the critical need for vigilance in DNS configuration and management. Organizations must prioritize regular audits and collaborate with DNS providers and government agencies to mitigate these risks. As cyber threats continue to evolve, addressing DNS misconfigurations is essential to safeguarding domain integrity and preventing the exploitation of trusted domains for malicious purposes. Enhanced awareness and proactive measures are vital to reducing the impact of these attacks and ensuring robust cybersecurity defenses.
References
[1] https://www.infosecurity-magazine.com/news/sitting-ducks-dns-attacks-global/
[2] https://cyber.vumetric.com/security-news/2024/11/14/experts-uncover-70000-hijacked-domains-in-widespread-sitting-ducks-attack-scheme/
[3] https://www.techtarget.com/searchSecurity/news/366615752/Infoblox-800000-domains-vulnerable-to-hijacking-attack
[4] https://blogs.infoblox.com/threat-intelligence/dns-predators-hijack-domains-to-supply-their-attack-infrastructure/