DNS Predators Hijack Domains to Supply their Attack Infrastructure

Hijacking domains using a 'Sitting Ducks attack' remains an underreported topic in the cybersecurity community. Few threat researchers are familiar with this attack vector, and knowledge is scarce. However, the prevalence of these attacks and the risk to organizations are much broader than initially reported.

Following our initial publication on Sitting Ducks, Infoblox Threat Intel delved deeper into this topic. The result is a new, eye-opening report estimating that over 1 million registered domains could be vulnerable. The report also explores the widespread use of the attack and how multiple actors leverage it to strengthen their malicious campaigns.

More evidence found on Sitting Ducks Attacks

During a Sitting Ducks attack, the malicious actor gains full control of the domain by taking over its DNS configurations. Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names. Victim domains include well-known brands, non-profits and government entities. Infoblox Threat Intel crafted a monitoring initiative after the initial paper on Sitting Ducks attacks was published in July 2024. The results are very sobering, as 800,000 vulnerable domains were identified, and about 70,000 of those were identified as hijacked.

Easy to execute for actors. Hard to detect for security teams

Sitting Ducks attacks are easy to execute. The attack takes advantage of misconfigurations in the DNS settings for a domain, specifically when the domain server points to the wrong authoritative name server. The configuration vulnerability, known as 'lame delegation,' is not recognized as an official CVE or by major security authorities like CISA. This lack of attention allows actors to continue flying under the radar.

The harm doesn't end there. Once a victim domain is compromised, it allows the actors to set up attack infrastructure capable of evading existing detections. The positive reputation of the hijacked domains enables them to be seen by security controls as safe or benign, which then allows users to connect to the compromised and weaponized site. The low technical entry barrier to execute Sitting Ducks attacks and the additional stealth in subsequent intrusion steps may attract many more cybercriminal groups, resulting in more attack instances.

Mining and Recycling Exploitable Domains

A common occurrence seen by Infoblox threat researchers is rotational hijacking. This means that a domain is hijacked by multiple actors over time. Threat actors often hunt exploitable service providers that offer free accounts, like DNS Made Easy as lending libraries, typically "checking out" (hijacking) domains for 30 to 60 days. Researchers have also seen cases where actors hold the domain for an extended period. After the free account expires, the domain is then 'lost' by the first threat actor and either parked or claimed by another threat actor.

Vipers and Hawks Feasting on Sitting Ducks Attacks

Vacant Viper

Vacant Viper is one of the earliest known threat actors to exploit 'Sitting Ducks' and has hijacked an estimated 2,500 domains each year since December 2019. This actor uses hijacked domains to augment their malicious traffic distribution system (TDS) called 404TDS with the intention to run malicious spam operations, deliver porn, establish remote access trojan (RAT) C2s, and drop malware such as DarkGate and AsyncRAT. Vacant Viper does not hijack domains for a specific brand connection but instead for a set of domain resources that have high reputations and will not be blocked by security vendors. The newly published report lists examples of attack chains showing redirection techniques used both by the 404TDS and their affiliates, including how Vacant Viper uses hijacked domains in the 404TDS.

Vextrio Viper

This actor has used hijacked domains as part of their massive TDS infrastructure since early 2020. Vextrio runs the largest known cybercriminal affiliate program, routing compromised web traffic to over 65 affiliate partners, some of whom have also stolen domains via 'Sitting Ducks' for their own malicious activities. Many of these affiliates use a Russian antibot service as a method to filter out bots and security researchers. The functionality of AntiBot includes the ability to set rules to block certain bot services or users based on their IP geolocation, user-agent, etc.

New actors Horrid Hawk and Hasty Hawk.

The animal designation of Hawks was given because the threat actors swoop in and hijack vulnerable domains, much like hawks dive down to snatch their prey. Infoblox has named several new actors thriving on hijacked domains.

• Hasty Hawk: Another threat actor discovered during our research into 'Sitting Ducks' hijackings. Since at least March 2022, Hasty Hawk has hijacked over 200 domains to operate widespread phishing campaigns that primarily spoof DHL shipping pages and fake donation sites to support Ukraine. The actor exploits many providers, often reconfiguring hijacked domains to host content on Russian IPs. Hasty Hawk uses Google ads and other means, such as spam messages, to distribute malicious content. They also use a TDS to route users to different webpages that vary in content and language depending on their geolocation and other user characteristics. Hasty Hawk switches some of their domains back and forth between various campaign themes.

Havoc for individuals and businesses

Sitting Ducks attacks make many victims. Here is a brief overview of who may be impacted by these attacks:

• Organizations or Businesses: The first victim group is the organizations or businesses that own the vulnerable domains. The hijacking impacts their brand and reputation once the compromised site hits the news. Recovering from these attacks can take a lot of time and expertise, often not readily available within the organization.
• Individuals: The second victim group is the individuals who step into the malicious content or infrastructure behind the trusted domains. One single unconscious action can result in malware downloads, credential theft or fraud, resulting in costly damages to the individual or organization to whom they belong.
• Security Teams: The last victim group is the thousands of security teams defending their organizations against the latest threats. Cybercriminals like Hawks or Vipers use thousands of trusted domains in their TDSs and attack infrastructure, reducing the efficacy of their security operations drastically. When combined with additional social engineering, Hawks or Vipers can mislead targeted users within an organization, install remote access tools, and bypass existing controls. The time and cost to recover from these incidents can reach into the millions.

How to defend against Hawks?

While Sitting Ducks attacks are relatively easy to perform and difficult to detect, they are also entirely preventable with correct configurations at the domain registrar and DNS providers. DNS misconfigurations are an oversight arising from many factors. Multiple parties can play a role fixing them: the domain holder owns their domain configurations, and both registrars and DNS providers can make these types of hijacks harder to perform or easier to remediate.

Read More in Our New Research Report

Infoblox Threat Intel experts created an extensive report intended for threat researchers and advanced security professionals. The report explains the details behind how Sitting Ducks attacks work and how to identify a compromised domain. We also explored in depth how Vipers and Hawks execute Sitting Ducks attacks to create an infrastructure resistant to security vendor detection. For detection and threat-hunting teams, we list multiple victim domains and indicators of activity. Lastly, we explain with comprehensive illustrations how to assess your risks for a Sitting Ducks attack.

Protect your business against the latest DNS threats. Download this latest Infoblox Threat Intel research report now.

Public link

Please use the above public link if you want to share this noodl on another website.