By 
A wave of sophisticated attackers is turning misconfigured domains into weapons, and the numbers are alarming. No less than 800,000 domains sit vulnerable to what researchers call “Sitting Ducks” attacks, with 70,000 of them already compromised. This new attack vector was reported in the middle of November by InfoBlox, but why aren’t we hearing more about this recently?
What can be a cause of this attack?
Unfortunately, as with most complex problems, they have many variables that contribute to this.
DNS as infrastructure, as we may already know, serves as the internet’s primary navigation system. DNS translates the human-readable domain name (e.g.: techsplicer.com) into IP address hierarchical chain of nameservers. When building a web application, we can protect several layers: input validation, authentication, secure session, encrypted communication, and so on. However, there are many links in the chain, some presented in the DevSecOps guide, that can contain vulnerabilities: server ecosystem, deploying pipelines, operating systems. On top of that, we can add to the list the client that accesses the application with a hijacked device. The DNS infrastructure itself can be compromised, directly impacting the web application’s security.
DNS Predatory Attack Flow
DNS Vulnerabilities
Trust Chain Exploitation
As we discussed earlier, when a user types your domain, their browser initiates a DNS lookup that involves multiple nameservers. This chain relies on each step to trust the one before it. By modifying DNS records and compromising your DNS settings, attackers can redirect traffic without needing to penetrate your application.
Security Control Bypass
Security tools depend heavily on domain reputation scoring. A domain that has been active for years and serves legitimate business traffic builds up a good reputation. However, when attackers take over these domains, they also gain this trust.
In such cases, your application’s CSP headers, CORS policies, and TLS certificates become meaningless because the attacker has control over where your domain nameservers are pointing to.
Persistence Mechanism
DNS changes frequently go unnoticed. Many organizations lack continuous DNS monitoring, focusing instead on application-level security metrics. This gives attackers a stable, long-term foothold. Suddenly that 1 million vulnerable domain is not implausible. What’s new here and impactful is the scale of exploiting a vulnerability in the wild.
What makes a domain a “Sitting Duck”?
The vulnerability that lies in the DNS misconfiguration is called “lame delegation.” It happens when domains point to the wrong name servers. Some might think it’s a minor mistake, but it’s like leaving your keys under the doormat with a “gone phishing fishing” sign. (pun intended)
proper vs lame delegation
This attack takes advantage of a basic flaw in the way some domains are set up. When a domain’s DNS settings point to non-existent or incorrect name servers, attackers can register these nameservers themselves, effectively hijacking the domain’s entire DNS infrastructure.
This misconfiguration often occurs during provider transitions or when organizations decommission old services without proper DNS cleanup.
Main Threat Actors: Vipers and Hawks
Examining the evolving DNS infrastructure attack landscape reveals two distinct categories of advanced attackers, each deserving their own article.
Vacant Viper, a group operating since 2019, pioneered DNS hijacking at scale through their 404TDS (Traffic Distribution System). With approximately 2,500 domain hijacks annually, they’ve perfected a technique targeting DNS providers offering free trials, particularly DNS Made Easy. Their infrastructure serves a dual purpose: operating spam campaigns and establishing command and control servers for RATs like DarkGate and AsyncRAT. Through an affiliate program, Vextrio Viper expanded its operations into a criminal enterprise, encompassing 65 partners who leveraged sophisticated anti-bot services to evade detection.
Hawks, named for their rapid domain seizures, became a new and distinct type of threat actor. With its operations beginning in early 2023, the Horrid Hawk group has infiltrated nearly 5,000 websites, displaying expertise in linking hijacked domains to perpetrate investment scams.
In the meantime, Hasty Hawk has been taking control of more than 200 domains since March 2022. They exhibit a distinct pattern in generating subdomains, mainly targeting DHL-related phishing campaigns, and prefer Russian ASNs such as PROTON66 and BEGET to host their malicious infrastructure.
[source]
Defensive Strategies
Organizations need to implement continuous DNS configuration monitoring, establish strict domain management policies, and deploy active detection mechanisms for unauthorized DNS changes.
The key point here is: DNS infrastructure needs a similar level of scrutiny that we apply to application code: regular audits, change management procedures, and automated monitoring to name a few.
Photo by Boitumelo on Unsplash.