Key Findings:
– Infoblox discovered approximately 800,000 vulnerable domains in a three-month period, with 70,000 (9%) being successfully hijacked
– This attack vector has been active since 2018, affecting major brands, non-profits, and government entities
How It Works:
The Sitting Ducks attack exploits DNS misconfigurations when:
1. The domain is registered with one provider but its authoritative DNS is hosted by a different provider
2. The DNS delegation is misconfigured, so the nameservers the registrar points to do not actually serve the domain's zone
3. An attacker can claim the domain at that DNS provider without proper authentication, and the registrar's delegation then hands the attacker control of the domain's records
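The three conditions above can be checked mechanically from a defender's side. The following is an added example, not code from the Infoblox report: a small offline classifier that takes the registrar-side NS set for a domain together with what each delegated nameserver answered to an SOA query, and flags the domain as a "sitting duck" candidate when DNS is hosted away from the registrar and at least one delegated server does not answer authoritatively for the zone. The domain names, the `registrar_ns_suffix` convention for recognising the registrar's own servers, and the `NsObservation` records are constructed assumptions; a live version would fill the observations from real queries to each nameserver.

```python
# Added example (not from the Infoblox report): offline classifier for the
# "Sitting Ducks" preconditions. All names and observations are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class NsObservation:
    """What one delegated nameserver answered when asked for the zone's SOA."""
    nameserver: str        # hostname from the registrar/parent-side NS set
    rcode: str             # DNS rcode: NOERROR, REFUSED, SERVFAIL, NXDOMAIN, ...
    authoritative: bool    # AA bit set in the response
    has_soa: bool          # answer section carried the zone's SOA record


@dataclass
class DelegationReport:
    domain: str
    split_providers: bool                      # DNS hosted somewhere other than the registrar
    lame_servers: List[str] = field(default_factory=list)      # answered, but not for this zone
    missing_servers: List[str] = field(default_factory=list)   # no observation at all

    @property
    def lame(self) -> bool:
        """Any delegated server that does not serve the zone makes the delegation lame."""
        return bool(self.lame_servers or self.missing_servers)

    @property
    def sitting_duck_candidate(self) -> bool:
        """Both preconditions from the text must hold for the domain to be claimable."""
        return self.split_providers and self.lame


def is_healthy(obs: NsObservation) -> bool:
    """A server properly serving the zone answers NOERROR with AA set and an SOA."""
    return obs.rcode == "NOERROR" and obs.authoritative and obs.has_soa


def classify_delegation(domain: str, delegated_ns: List[str],
                        registrar_ns_suffix: str,
                        observations: Dict[str, NsObservation]) -> DelegationReport:
    """Evaluate the registrar-side NS set against per-server observations.

    registrar_ns_suffix is an assumed convention: nameservers whose hostname
    ends with it are treated as operated by the registrar itself.
    """
    suffix = registrar_ns_suffix.lower().rstrip(".")
    ns_names = [ns.lower().rstrip(".") for ns in delegated_ns]
    split = not any(ns.endswith(suffix) for ns in ns_names)
    report = DelegationReport(domain=domain, split_providers=split)
    for ns in ns_names:
        obs = observations.get(ns)
        if obs is None:
            report.missing_servers.append(ns)
        elif not is_healthy(obs):
            report.lame_servers.append(ns)
    return report


# Constructed sample: example.test is registered with a registrar whose own
# servers live under ns.registrar.example, but is delegated to a third-party
# DNS provider, and one of that provider's servers no longer knows the zone.
SAMPLE_NS = ["ns1.dnsprovider.example.", "ns2.dnsprovider.example."]
SAMPLE_OBS = {
    "ns1.dnsprovider.example": NsObservation("ns1.dnsprovider.example", "NOERROR", True, True),
    "ns2.dnsprovider.example": NsObservation("ns2.dnsprovider.example", "REFUSED", False, False),
}


def sample_report() -> DelegationReport:
    """Run the classifier over the constructed sample."""
    return classify_delegation("example.test", SAMPLE_NS, "ns.registrar.example", SAMPLE_OBS)


if __name__ == "__main__":
    r = sample_report()
    print(f"{r.domain}: split_providers={r.split_providers} lame={r.lame} "
          f"lame_servers={r.lame_servers} candidate={r.sitting_duck_candidate}")
```

A single lame server is treated as enough to flag the domain for review; in practice the dangerous case is the one where the DNS provider has no zone for the domain at all, which is exactly what a REFUSED or non-authoritative answer from every delegated server looks like. The check belongs in routine monitoring of a registrar's full portfolio, not in a one-off audit, since a zone can be deleted at the provider long after the delegation was set up.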
Major Threat Actors and Their Activities:
– Vacant Viper: Operates 404 TDS, spreads malware (DarkGate, AsyncRAT)
– Horrid Hawk: Conducts investment fraud via Facebook ads
– Hasty Hawk: Runs phishing campaigns mimicking DHL and Ukraine donation sites
– VexTrio Viper: Operates TDS and various scam campaigns
Impact and Challenges:
– Difficult to detect due to legitimate domain reputation
– Enables various malicious activities including malware distribution, phishing, and fraud
– Some domains face “rotational hijacking,” being repeatedly taken over by different attackers
– Hijacked domains may be held for as little as 30-60 days or for extended periods
Prevention requires regular monitoring of DNS configurations, in particular confirming that every nameserver a registrar delegates to actually serves the domain's zone, and maintaining proper security protocols between domain registrars and DNS providers.