Ethical Hacking News
Cybersecurity researchers at Infoblox report that nearly 800,000 registered domains vulnerable to takeover were identified over the past three months, and that roughly 9% of them (about 70,000) have already been hijacked by malicious actors using a domain-hijacking technique Infoblox calls "Sitting Ducks." The hijacked domains are being put to work in phishing campaigns, investment fraud and malware delivery. Because the takeover abuses a DNS misconfiguration rather than a compromised account, it leaves few traces, which underlines the need for organizations to audit their DNS delegations and monitor them continuously.
The Infoblox report notes that this attack vector has been in use since 2018, with victim domains including well-known brands, non-profits, and government entities. Attackers seize control of a domain by exploiting a misconfiguration in its domain name system (DNS) delegation: the domain's NS records at the registrar, and therefore in the parent zone, point to an authoritative DNS provider that does not actually serve a zone for the domain. This condition is known as a lame delegation.
The attack has three prerequisites. First, the registered domain must delegate authoritative DNS service to a provider other than its registrar. Second, that delegation must be lame: the named nameservers do not answer authoritatively for the domain, either because the zone was never created at the provider or because it was later removed. Third, the provider must be exploitable, letting an attacker claim the domain and create DNS records for it without proving ownership and without any access to the legitimate owner's account at the domain registrar. Once the attacker's zone is live at the delegated provider the domain resolves normally again, which is what makes the attack stealthy: hijacked domains are unlikely to be flagged as malicious by security tools.
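The three prerequisites above can be turned into an audit of one's own domains. The following is an added example, not Infoblox's tooling: it classifies a domain from its delegated NS hostnames and a pluggable query function, and ships with constructed sample replies so it runs offline. The rcode/AA classification rule, the "any lame nameserver at a third-party provider" threshold, the provider-matching heuristic, and the hypothetical `.test` domains and provider names are all assumptions made for illustration.

```python
"""Offline check for the Sitting Ducks precondition: a domain whose
delegated nameservers sit at a third-party DNS provider and do not answer
authoritatively for it (a lame delegation).

Added example, not Infoblox's tooling. The rcode/AA classification rule,
the 'any lame nameserver at a third-party provider' threshold and the
provider-matching heuristic are assumptions made for illustration.
"""
from dataclasses import dataclass

# DNS response codes (RFC 1035 values).
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5


@dataclass
class NSReply:
    """Result of asking one nameserver directly for the zone's SOA record."""
    rcode: int
    aa: bool               # Authoritative Answer flag present in the reply
    reachable: bool = True


def is_lame(reply):
    """A nameserver is lame for a zone when it does not answer for it
    authoritatively: unreachable, REFUSED/SERVFAIL, or an answer without AA."""
    if not reply.reachable or reply.rcode in (REFUSED, SERVFAIL):
        return True
    return not reply.aa


def provider_of(hostname):
    """Coarse provider identity: the last two labels of a hostname.
    (Assumption; a real audit would use a public-suffix list or ASN data.)"""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])


def assess(domain, registrar_provider, delegated_ns, query):
    """Classify a domain from its delegation (NS hostnames from the parent
    zone) and a query(ns_host, domain) -> NSReply callable.

    'status' is one of:
      'healthy'                every delegated nameserver answers authoritatively
      'lame-at-registrar'      lame, but the nameservers belong to the registrar
      'sitting-duck-candidate' lame at a different provider; an attacker may be
                               able to claim the zone there (manual check needed)
    """
    lame = [ns for ns in delegated_ns if is_lame(query(ns, domain))]
    third_party = [ns for ns in lame if provider_of(ns) != registrar_provider]
    if not lame:
        status = "healthy"
    elif third_party:
        status = "sitting-duck-candidate"
    else:
        status = "lame-at-registrar"
    return {"domain": domain, "status": status,
            "lame_ns": lame, "third_party_lame_ns": third_party}


# --- Constructed sample data (not real domains or measurements) -------------
# Maps (nameserver, domain) to the reply the nameserver would give for the SOA.
_STUB_REPLIES = {
    # Healthy: both nameservers answer authoritatively.
    ("ns1.dnshost-b.example", "healthy.test"): NSReply(NOERROR, aa=True),
    ("ns2.dnshost-b.example", "healthy.test"): NSReply(NOERROR, aa=True),
    # Lame at a third-party provider: the provider refuses queries for a zone
    # it does not host. This is the Sitting Ducks precondition.
    ("ns1.dnshost-b.example", "victim.test"): NSReply(REFUSED, aa=False),
    ("ns2.dnshost-b.example", "victim.test"): NSReply(REFUSED, aa=False),
    # Lame, but at the registrar's own nameservers: an attacker would need
    # the owner's registrar account, so this is not a Sitting Ducks target.
    ("ns1.registrar-a.example", "stale.test"): NSReply(NXDOMAIN, aa=False),
    ("ns2.registrar-a.example", "stale.test"): NSReply(NOERROR, aa=True),
}


def stub_query(ns_host, domain):
    """Offline stand-in for a live query; unknown pairs count as unreachable."""
    return _STUB_REPLIES.get((ns_host, domain),
                             NSReply(SERVFAIL, aa=False, reachable=False))


def live_query(ns_ip, domain):
    """Optional real-world variant (needs dnspython and network access; not
    used by the offline sample). Asks the nameserver directly for the SOA."""
    import dns.flags, dns.message, dns.query  # imported lazily on purpose
    try:
        resp = dns.query.udp(dns.message.make_query(domain, "SOA"), ns_ip, timeout=3)
    except Exception:
        return NSReply(SERVFAIL, aa=False, reachable=False)
    return NSReply(resp.rcode(), aa=bool(resp.flags & dns.flags.AA))


def run_samples():
    """Assess the constructed cases; returns {domain: status}."""
    cases = [
        ("healthy.test", "registrar-a.example",
         ["ns1.dnshost-b.example", "ns2.dnshost-b.example"]),
        ("victim.test", "registrar-a.example",
         ["ns1.dnshost-b.example", "ns2.dnshost-b.example"]),
        ("stale.test", "registrar-a.example",
         ["ns1.registrar-a.example", "ns2.registrar-a.example"]),
    ]
    return {d: assess(d, reg, ns, stub_query)["status"] for d, reg, ns in cases}


if __name__ == "__main__":
    for domain, status in run_samples().items():
        print(f"{domain:14s} {status}")
```

To run this against real infrastructure, resolve each delegated NS hostname to an address and pass `live_query` in place of `stub_query`. Note that the script can only establish the first two prerequisites; whether the provider is exploitable (lets anyone claim an unclaimed zone) must still be verified by hand, which is why a lame third-party delegation is reported as a candidate rather than a confirmed exposure.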
Infoblox expert Dr. Renee Burton explains that one reason the attack goes undetected is that it relies on the good reputation of the hijacked domains. "It's hard to detect because if the domain has been hijacked, then it is not lame," she notes. Without any other sign, such as a phishing page or malware, the only signal is a change in the domain's IP addresses. But with so many domains changing hands, using IP changes alone as an indicator of malicious activity produces large numbers of false positives.
To track the threat actors behind these attacks, Infoblox instead "backs in": it first works out how each group operates and then tracks that behavior. The company notes that rotational hijacking is common in Sitting Ducks attacks, with the same domain repeatedly taken over by different threat actors over time.
Infoblox has identified several prominent DNS threat actors engaging in Sitting Ducks attacks, among them the notorious VexTrio Viper group and Vacant Viper. Vacant Viper, for example, has used this attack vector to operate the 404 TDS (traffic distribution system), alongside running malicious spam operations, distributing pornography, establishing command-and-control (C2) servers, and dropping malware such as DarkGate and AsyncRAT.
Other notable DNS threat actors include Horrid Hawk, which has used Sitting Ducks attacks to run investment fraud schemes, promoting the hijacked domains through short-lived Facebook ads, and Hasty Hawk, which has used the vector for widespread phishing campaigns that primarily mimic DHL shipping pages and fake donation sites.
The impact of the Sitting Ducks attack scheme is far-reaching, with legitimate domains exploited for a range of malicious purposes. Infoblox notes that some actors use the seized domains for malware C2, with exfiltrated data sent over mail services, while others use them to distribute spam. The company also found several actors who hijacked domains and held them for extended periods without Infoblox being able to determine the purpose of the hijack.
Because these domains tend to have a good reputation, security vendors typically do not notice them, creating an environment in which clever actors can deliver malware, commit fraud at scale, and phish user credentials without consequences. The situation highlights the need for vigilance in DNS security, in particular for auditing delegations and continuously monitoring them to detect and prevent such attacks.
In conclusion, the Sitting Ducks attack scheme poses a significant threat to legitimate domains worldwide, with roughly 70,000 domains hijacked by malicious actors over the past three months alone. As cybersecurity experts continue to monitor this threat landscape, it is crucial for organizations to take proactive measures to secure their DNS infrastructure, starting with the removal of lame delegations, and to stay vigilant in detecting such attacks.
Related Information:
https://thehackernews.com/2024/11/experts-uncover-70000-hijacked-domains.html
Published: Thu Nov 14 14:14:20 2024 by llama3.2 3B Q4_K_M