A recent report from cybersecurity firm Infoblox highlights a long-standing yet underappreciated threat: Sitting Ducks attacks. Over the past five years, tens of thousands of domains, including those belonging to well-known brands, non-profits, and government entities, have been hijacked due to vulnerabilities in DNS ownership verification. Alarmingly, this issue has been known for nearly a decade but remains under-addressed, creating a fertile ground for cybercriminal activity.
How Sitting Ducks Attacks Work
Sitting Ducks attacks exploit misconfigurations at domain registrars and weak ownership verification at DNS providers. The usual precondition is a lame delegation: the domain's name server delegation still points at a DNS provider that is no longer authoritative for the zone, so whoever can claim that zone at the provider gains control of the domain's DNS. The attacks are notoriously difficult to detect but easy to execute, making them a significant concern.
Scope of the Threat
Infoblox’s findings reveal that 70,000 domains have already been hijacked, and 800,000 domains are at risk due to exploitable configurations. These figures likely underestimate the full scale of the problem, as the monitoring system used was limited.
Key Cybercriminal Actors
Several cybercriminal groups have leveraged this attack vector. Vacant Viper, active since 2019, hijacks approximately 2,500 domains annually for malware delivery and command-and-control operations. Vextrio Viper uses hijacked domains to support large-scale cybercriminal affiliate programs. Other groups, such as Hasty Hawk and Horrid Hawk, have recently expanded the use of Sitting Ducks techniques. Many domains are targeted by multiple actors over time, compounding the risks for victims.
Impact on Businesses and Users
The consequences of these attacks are severe. Organizations risk reputational damage and financial losses, while users face malware infections, credential theft, and fraud. Compromised domains often serve as gateways for malicious operations, amplifying the potential harm.
Mitigation and Responsibility
Infoblox emphasizes the shared responsibility of stakeholders to curb Sitting Ducks attacks. DNS providers and registrars must prioritize detecting and addressing hijackings. Domain owners should regularly update and secure DNS records. Governments, standards bodies, and service providers need to enforce stricter protocols and respond swiftly to abuse reports.
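The report's mechanism (a delegation pointing at name servers that no longer serve the zone) and its advice that domain owners keep their DNS records in order both come down to one check: does every name server the parent zone delegates to actually answer authoritatively for the domain? The script below is an added example, not code from Infoblox or the report; it sends a raw SOA query with recursion disabled to each delegated server, classifies the reply, and rates the delegation. The name server list is assumed to have been obtained from the parent zone beforehand (for instance by querying the TLD's servers), and the domain and server names in the offline demo are constructed.

```python
"""Lame-delegation check for a domain's delegated name servers (added example).

A domain is exposed when the servers its parent zone delegates it to no longer
serve the zone: the delegation still points there, but nothing authoritative
answers. The query layer is injectable so the classification logic runs
offline against constructed outcomes; live_soa_query does the real lookup.
"""
import random
import socket
import struct
from dataclasses import dataclass, field
from typing import Callable, List

# Outcome codes for "ask name server X for the SOA of zone Y".
AUTHORITATIVE = "authoritative"   # AA flag set with an answer: server hosts the zone
REFUSED = "refused"               # REFUSED / SERVFAIL: server knows nothing about the zone
NOT_AUTH = "not-authoritative"    # reply without AA (or NXDOMAIN): zone not served here
UNREACHABLE = "unreachable"       # timeout, no route, or malformed reply

QueryFn = Callable[[str, str], str]  # (name_server, zone) -> outcome code


@dataclass
class DelegationReport:
    domain: str
    delegated_ns: List[str]
    healthy_ns: List[str] = field(default_factory=list)
    lame_ns: List[str] = field(default_factory=list)

    @property
    def fully_lame(self) -> bool:
        # No delegated server serves the zone: the exploitable configuration.
        return bool(self.delegated_ns) and not self.healthy_ns

    @property
    def risk(self) -> str:
        if self.fully_lame:
            return "HIGH"
        if self.lame_ns:
            return "MEDIUM"  # partially lame: fix before the last healthy server goes too
        return "LOW"


def check_delegation(domain: str, delegated_ns: List[str], query_soa: QueryFn) -> DelegationReport:
    """Classify each delegated name server as healthy or lame for `domain`."""
    report = DelegationReport(domain=domain, delegated_ns=list(delegated_ns))
    for ns in delegated_ns:
        if query_soa(ns, domain) == AUTHORITATIVE:
            report.healthy_ns.append(ns)
        else:
            report.lame_ns.append(ns)
    return report


def live_soa_query(name_server: str, zone: str, timeout: float = 3.0) -> str:
    """Send a raw DNS SOA query (RD=0) to `name_server` over UDP and classify the reply."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0: recursion not desired
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN
    try:
        ip = socket.gethostbyname(name_server)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (ip, 53))
            data, _ = sock.recvfrom(4096)
    except OSError:  # timeouts, unreachable hosts and failed lookups all land here
        return UNREACHABLE
    if len(data) < 12:
        return UNREACHABLE
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if rid != txid:
        return UNREACHABLE
    rcode = flags & 0x000F
    if rcode in (2, 5):  # SERVFAIL, REFUSED
        return REFUSED
    if rcode == 0 and flags & 0x0400 and ancount > 0:  # AA bit set and an answer present
        return AUTHORITATIVE
    return NOT_AUTH


def demo_report() -> DelegationReport:
    """Offline demonstration with constructed outcomes (no network traffic)."""
    # Constructed scenario: the parent still delegates to two provider servers,
    # but the zone was removed at the provider, so neither serves it.
    constructed = {
        "ns1.dns-provider.example": REFUSED,
        "ns2.dns-provider.example": UNREACHABLE,
    }
    return check_delegation("abandoned-brand.example", list(constructed),
                            lambda ns, zone: constructed[ns])


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # usage: python lame_check.py <domain> <ns1> [<ns2> ...]
        rep = check_delegation(sys.argv[1], sys.argv[2:], live_soa_query)
    else:
        rep = demo_report()
    print(f"{rep.domain}: risk={rep.risk} healthy={rep.healthy_ns} lame={rep.lame_ns}")
```

Recursion is deliberately disabled in the query so that a provider's server cannot mask a missing zone by recursing on the client's behalf; only a reply carrying the AA bit counts as the server actually hosting the zone. A HIGH result (no delegated server is authoritative) is the configuration the report describes and should be fixed at the registrar by pointing the delegation at servers that serve the zone, or by recreating the zone at the provider.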
Final Thoughts
Sitting Ducks attacks expose a critical vulnerability in domain security that demands urgent attention. Businesses, DNS providers, and domain registrars must act collaboratively to mitigate this threat and protect the digital ecosystem from escalating risks. By addressing this nearly decade-old issue, organizations can safeguard their operations and restore trust in the internet infrastructure.