Experts Uncover 70,000 Hijacked Domains in Widespread ‘Sitting Ducks’ Attack Scheme

November 14, 2024 at 01:21PM

Cybercriminals have exploited a technique called Sitting Ducks to hijack legitimate domains, predominantly for phishing and fraud, affecting nearly 800,000 domains in three months. Infoblox reports that 70,000 domains were hijacked, often using reputable brands, making detection difficult. This ongoing issue poses significant risks for businesses and individuals.

### Meeting Takeaways on the Sitting Ducks Attack Technique:

1. **Overview of the Threat**:
– Multiple threat actors exploit the “Sitting Ducks” attack technique to hijack legitimate domains for phishing and investment fraud, a practice ongoing for several years.

2. **Scope of the Issue**:
– Infoblox reported identifying nearly 800,000 vulnerable domains in the last three months, with approximately 9% (70,000) already hijacked.

3. **Historical Context**:
– The Sitting Ducks attack vector has been known since 2016 but gained attention only after significant hijacking incidents were reported in August 2023.

4. **Mechanism of Attack**:
– Attackers exploit misconfigurations in DNS settings, targeting domains that delegate authoritative DNS to different providers. Requirements include:
  – Lame delegation.
  – Ability to claim the domain at the DNS provider without access to the registrar account.
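The two preconditions above can be checked from the defender's side: query each nameserver the parent zone delegates to for the zone's SOA and see whether it answers authoritatively. The following is an added example (not Infoblox's tooling or code from the article) that classifies such probe results; the nameserver names, the `registrar_dns` label and the two-label "provider" heuristic are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class SoaProbe:
    """Result of asking one delegated nameserver directly for the zone's SOA
    (what `dig @<nameserver> <domain> SOA` reports)."""
    nameserver: str
    rcode: str                 # NOERROR, REFUSED, SERVFAIL, NXDOMAIN or TIMEOUT
    aa: bool = False           # AA (authoritative answer) flag set in the reply
    soa_present: bool = False  # SOA record actually returned in the answer section

def is_lame(probe: SoaProbe) -> bool:
    """A delegated nameserver is lame unless it answers NOERROR with AA set and
    returns the zone's SOA; REFUSED/SERVFAIL from a hosted DNS provider usually
    means the zone is not configured in any account there."""
    return not (probe.rcode == "NOERROR" and probe.aa and probe.soa_present)

def provider_of(nameserver: str) -> str:
    """Coarse provider label: last two labels of the nameserver name
    (assumption for this example; a real checker would use a public-suffix list)."""
    return ".".join(nameserver.rstrip(".").lower().split(".")[-2:])

def assess(domain: str, registrar_dns: str, probes: list) -> dict:
    """Classify a delegation. registrar_dns is the provider label of the
    registrar's own nameservers (supplied by the caller)."""
    lame = [p.nameserver for p in probes if is_lame(p)]
    # Lame nameservers hosted by a provider other than the registrar satisfy the
    # first two Sitting Ducks preconditions; whether that provider lets anyone
    # claim the zone without proving registrar control must be checked per provider.
    lame_external = [ns for ns in lame if provider_of(ns) != registrar_dns]
    if lame_external:
        verdict = "sitting-duck-candidate"
    elif lame:
        verdict = "lame-delegation"
    else:
        verdict = "ok"
    return {"domain": domain, "verdict": verdict,
            "lame_nameservers": sorted(lame),
            "lame_external_providers": sorted({provider_of(ns) for ns in lame_external})}

# Constructed sample: the registrar-side NS answers, a third-party NS refuses.
SAMPLE_PROBES = [
    SoaProbe("ns1.registrar-example.net", "NOERROR", aa=True, soa_present=True),
    SoaProbe("ns2.dnshost-example.com", "REFUSED"),
]

if __name__ == "__main__":
    print(assess("victim-example.org", "registrar-example.net", SAMPLE_PROBES))
```

A domain reported as a candidate should be fixed by either configuring the zone at the delegated provider or removing the stale delegation at the registrar.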

5. **Challenges in Detection**:
– Hard to identify because the hijacked domains carry a legitimate reputation; the only visible change is often in the IP addresses the domain resolves to, so flagging such changes as malicious would produce many false positives.

6. **Rotational Hijacking**:
– Threat actors often re-hijack the same domains over time and use DNS services that allow temporary accounts to run their operations, generally for 30 to 60 days at a time.

7. **Known Threat Actors**:
– **Vacant Viper**: Engaged in spam operations and malware delivery.
– **Horrid Hawk**: Conducted investment fraud using hijacked domains in Facebook ads.
– **Hasty Hawk**: Executed phishing campaigns mimicking notable brands.
– **VexTrio Viper**: Operated a traffic distribution system (TDS).

8. **Criminal Activities**:
– Various actors use hijacked domains for distributing malware, spam, credential theft, and running fraudulent schemes across multiple sectors, from pharmaceuticals to online dating.

9. **Potential Risks**:
– Businesses and individuals face significant threats from these hijacked domains due to a lack of detection and monitoring by security vendors.

10. **Conclusion**:
– Continuous awareness and vigilance against the tactics employed in Sitting Ducks attacks are essential to mitigate risks associated with hijacked domains.

These takeaways highlight the critical aspects of the Sitting Ducks attack technique as discussed in the meeting.
