Increase in Cyberattacks Using "Sitting Ducks" Technique


Quick take - A recent report by Infoblox highlights the rise of a cyberattack technique called “Sitting Ducks,” which has led to the hijacking of approximately 70,000 legitimate domains for phishing and investment fraud, affecting various organizations and complicating detection efforts due to the hijacked domains’ established reputations.

Fast Facts

  • The “Sitting Ducks” cyberattack technique has emerged, allowing threat actors to hijack legitimate domains for phishing and investment fraud, with nearly 800,000 vulnerable domains identified recently.
  • Approximately 70,000 of these domains have been hijacked, affecting various entities, including well-known brands and government organizations.
  • The attack exploits misconfigurations in domain name system (DNS) settings, making it stealthy and difficult to detect, as changes in IP addresses may not indicate malicious activity.
  • Notable threat actors involved include Vacant Viper, Horrid Hawk, and Hasty Hawk, who engage in spam, investment fraud, and phishing campaigns.
  • Despite increased awareness, the number of hijackings continues to rise, posing significant risks such as malware distribution and credential theft.

Rising Threat of “Sitting Ducks” Cyberattacks

Overview of the Attack Technique

In recent months, a sophisticated cyberattack technique known as “Sitting Ducks” has gained traction among multiple threat actors. These actors are seeking to hijack legitimate domains for phishing and investment fraud. Infoblox, a cybersecurity firm, reported that nearly 800,000 vulnerable registered domains were identified in the past three months, with approximately 9% of these domains, around 70,000, having been hijacked.

The “Sitting Ducks” technique was first documented by security researcher Matthew Bryant in 2016 and has been exploited since 2018, leading to the hijacking of tens of thousands of domain names. Victims include well-known brands, non-profits, and government entities. The attack enables malicious actors to seize control of a domain by leveraging misconfigurations in its domain name system (DNS) settings.

Execution and Challenges

The prerequisites for this attack include the domain's authoritative DNS services being delegated to a provider that differs from the domain registrar, and the attacker being able to claim the domain at the DNS provider. The attack is stealthy and easy to execute, and it often benefits from the positive reputations of the hijacked domains, which make them less likely to be flagged by security tools.
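An added example (not from the Infoblox report or the original article): a defender-side audit that flags domains in your own portfolio whose authoritative DNS is delegated to a provider other than the registrar, the precondition described above. The provider names, the suffix map, and the recorded "answers authoritatively" flag are constructed assumptions; the flag stands in for a probe such as a non-recursive SOA query sent to each listed nameserver.

```python
from dataclasses import dataclass

# Constructed mapping of nameserver suffixes to DNS providers (hypothetical names).
NS_PROVIDERS = {
    "registrar-a.example": "registrar-a",
    "dnshost-b.example": "dnshost-b",
}

@dataclass
class Delegation:
    domain: str
    registrar: str
    # NS host -> did it answer authoritatively (AA flag set) for this domain
    # when probed? Recorded offline here; the probe itself is an assumption.
    nameservers: dict

def provider_of(ns_host):
    """Map a nameserver hostname to a provider label, or 'unknown'."""
    host = ns_host.rstrip(".").lower()
    for suffix, provider in NS_PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return "unknown"

def assess(d):
    """Classify one delegation as 'ok', 'monitor' or 'review-now'."""
    registrar = d.registrar.lower()
    external = sorted({provider_of(ns) for ns in d.nameservers} - {registrar})
    not_serving = sorted(ns for ns, aa in d.nameservers.items()
                         if not aa and provider_of(ns) != registrar)
    if external and not_serving:
        return "review-now", f"delegated to {external}, zone not served by {not_serving}"
    if external:
        return "monitor", f"delegated to {external}, distinct from registrar"
    return "ok", "DNS hosted at the registrar"

# Constructed inventory for illustration.
INVENTORY = [
    Delegation("shop.example", "registrar-a",
               {"ns1.registrar-a.example": True, "ns2.registrar-a.example": True}),
    Delegation("brand.example", "registrar-a",
               {"ns1.dnshost-b.example": True, "ns2.dnshost-b.example": True}),
    Delegation("legacy.example", "registrar-a",
               {"ns1.dnshost-b.example": False, "ns2.dnshost-b.example": False}),
]

def audit(inventory):
    """Return {domain: risk label} for every delegation in the inventory."""
    return {d.domain: assess(d)[0] for d in inventory}
```

A domain marked `review-now` is delegated to an external provider that is not serving the zone, so the owner should either restore the zone at that provider or correct the delegation at the registrar.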

Notable examples of hijacked domains include those belonging to an entertainment company and an IPTV service provider, as well as a law firm, a cosmetic supplier, a Thai online apparel store, and a tire sales firm. Detecting these hijacked domains is challenging because changes in IP addresses may not necessarily indicate malicious activity.

Threat Actors and Implications

Dr. Renee Burton of Infoblox acknowledged that awareness of the issue has increased; however, the number of hijackings has not seen a corresponding decrease. The attack vector also includes a method known as rotational hijacking, in which control of a domain shifts among different threat actors over time. Many threat actors use free account services, such as DNS Made Easy, to hijack domains temporarily; a hijack typically lasts between 30 and 60 days before the domain is parked or taken over by another actor.

Several notable threat actors have been identified in connection with “Sitting Ducks” attacks. Vacant Viper has been engaged in malicious spam operations and malware distribution since December 2019. Horrid Hawk is known for conducting investment fraud schemes through short-lived Facebook ads since at least February 2023. Hasty Hawk has been involved in phishing campaigns imitating DHL and fake donation sites since March 2022, while VexTrio Viper has operated a traffic distribution system (TDS) since early 2020. Affiliates like GoRefresh participate in campaigns involving fake online pharmaceuticals and scams.

These hijacked domains pose significant risks to both businesses and individuals, facilitating malware distribution, credential theft, and various forms of fraud. Infoblox has identified actors who maintain hijacked domains for extended periods, and the specific intentions behind these hijacks remain largely unclear. The high reputation of these domains often allows malware delivery and fraudulent activity to go undetected by security vendors, with potentially severe consequences for affected parties.
