{"id":10779,"date":"2024-11-14T08:55:53","date_gmt":"2024-11-14T16:55:53","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=10779"},"modified":"2024-11-14T10:00:22","modified_gmt":"2024-11-14T18:00:22","slug":"dns-predators-hijack-domains-to-supply-their-attack-infrastructure","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/dns-predators-hijack-domains-to-supply-their-attack-infrastructure\/","title":{"rendered":"DNS Predators Hijack Domains to Supply their Attack Infrastructure"},"content":{"rendered":"

Hijacking domains using a \u2018Sitting Ducks attack\u2019 remains an underreported topic in the cybersecurity community. Few threat researchers are familiar with this attack vector, and knowledge is scarce. However, the prevalence of these attacks and the risk to organizations are much broader than initially reported. <\/p>\n

Following our initial publication on Sitting Ducks, Infoblox Threat Intel delved deeper into this topic. The result is a new, eye-opening report estimating that over 1 million registered domains could be vulnerable. The report also explores the widespread use of the attack and how multiple actors leverage it to strengthen their malicious campaigns. <\/p>\n

More evidence found on Sitting Ducks Attacks<\/h3>\n

During a Sitting Ducks attack, the malicious actor gains full control of the domain by taking over its DNS configurations. Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names. Victim domains include well-known brands, non-profits and government entities. Infoblox Threat Intel crafted a monitoring initiative after the initial paper on Sitting Ducks attacks was published in July 2024. The results are very sobering, as 800,000 vulnerable domains were identified, and about 70,000 of those were identified as hijacked. <\/p>\n

Easy to execute for actors. Hard to detect for security teams<\/h3>\n

Sitting Ducks attacks are easy to execute. The attack takes advantage of misconfigurations in the DNS settings for a domain, specifically when the domain server points to the wrong authoritative name server. The configuration vulnerability, known as \u2018lame delegation,\u2019 is not recognized as an official CVE or by major security authorities like CISA. This lack of attention allows actors to continue flying under the radar. <\/p>\n

The harm doesn\u2019t end there. Once a victim domain is compromised, it allows the actors to set up attack infrastructure capable of evading existing detections. The positive reputation of the hijacked domains enables them to be seen by security controls as safe or benign, which then allows users to connect to the compromised and weaponized site. The low technical entry barrier to execute Sitting Ducks attacks and the additional stealth in subsequent intrusion steps may attract many more cybercriminal groups, resulting in more attack instances. <\/p>\n

Mining and Recycling Exploitable Domains<\/h3>\n

A common occurrence seen by Infoblox threat researchers is rotational hijacking. This means that a domain is hijacked by multiple actors over time. Threat actors often hunt exploitable service providers that offer free accounts, like DNS Made Easy as lending libraries, typically \u201cchecking out\u201d (hijacking) domains for 30 to 60 days. Researchers have also seen cases where actors hold the domain for an extended period. After the free account expires, the domain is then \u2018lost\u2019 by the first threat actor and either parked or claimed by another threat actor. <\/p>\n

Vipers and Hawks Feasting on Sitting Ducks Attacks<\/h3>\n

\"Vipers<\/p>\n

Vacant Viper<\/strong><\/p>\n

Vacant Viper is one of the earliest known threat actors to exploit \u2018Sitting Ducks\u2019 and has hijacked an estimated 2,500 domains each year since December 2019. This actor uses hijacked domains to augment their malicious traffic distribution system (TDS) called 404TDS with the intention to run malicious spam operations, deliver porn, establish remote access trojan (RAT) C2s, and drop malware such as DarkGate and AsyncRAT. Vacant Viper does not hijack domains for a specific brand connection but instead for a set of domain resources that have high reputations and will not be blocked by security vendors. The newly published report lists examples of attack chains showing redirection techniques used both by the 404TDS and their affiliates, including how Vacant Viper uses hijacked domains in the 404TDS.
\n<\/span><\/p>\n

Vextrio Viper<\/strong><\/p>\n

This actor has used hijacked domains as part of their massive TDS infrastructure since early 2020. Vextrio runs the largest known cybercriminal affiliate program, routing compromised web traffic to over 65 affiliate partners, some of whom have also stolen domains via \u2018Sitting Ducks\u2019 for their own malicious activities. Many of these affiliates use a Russian antibot service as a method to filter out bots and security researchers. The functionality of AntiBot includes the ability to set rules to block certain bot services or users based on their IP geolocation, user-agent, etc.<\/p>\n

New actors Horrid Hawk and Hasty Hawk.<\/h3>\n
\n

\"New<\/p>\n

The animal designation of Hawks was given because the threat actors swoop in and hijack vulnerable domains, much like hawks dive down to snatch their prey. Infoblox has named several new actors thriving on hijacked domains.\n<\/p><\/div>\n