Cisco Report: DNS Activity Shows Glut of Phishing, Trojans, More
In today’s threat landscape, the idea that no one is an island holds true for threats.
![Domain Name System](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt185f0d61b7601c93/652455f1ad069928cb115891/Domain-Name-System.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Nahorney said it’s not surprising that cryptomining generated the most DNS traffic out of any individual category.
“While cryptomining is often favored by bad actors for low-key revenue generation, it’s relatively noisy on the DNS side, as it regularly pings mining servers for more work,” he said. “Cryptomining was most active early in the year, before declining until summer. This, and the gradual recovery seen in the later part of the year, largely tracks with the value of popular cryptocurrencies. As currency values increased, so too did the rate of activity.”
Some of this activity may reflect policy-based blocks rather than malware: end users attempting to mine digital currency on company resources, which administrators have good reason to stop at the DNS layer. The DNS telemetry alone does not separate the two cases; the query pattern from the endpoint does.
The amount of phishing-related DNS activity was fairly stable throughout 2020, with the exception of December, which saw a 52% increase around the holidays. Nearly 90% of organizations had at least one user attempt to connect to a phishing site, most likely by clicking a link in a phishing email.
“In terms of the number of endpoints visiting phishing sites, there were significant increases during August and September,” Nahorney said. “This is due to a very large phishing campaign, where we see a 102 percentage-point shift between July and September.”
Like cryptomining, trojan activity started the year strong. The very high number of endpoints connecting to trojan sites in January was largely due to Ursnif/Gozi and IcedID, two threats known to work in tandem to deliver ransomware.
“These two threats alone comprised 82% of trojans seen on endpoints in January,” Nahorney said. “However, the above-average numbers from January were likely tied to a holiday-season campaign by attackers, and declined and stabilized as the year progressed. In late July, Emotet emerged from its slumber once again, comprising a massive amount of traffic that grew through September. This threat alone is responsible for the large increase in DNS activity from August through September. In all, 45% of organizations encountered Emotet.”
For most of the year, two ransomware families dominated. Beginning in April, the number of endpoints connecting to Sodinokibi-associated domains increased significantly and kept rising into autumn; in all, 46% of organizations encountered the threat. In September, queries attributed to this family jumped to five times August's volume, which likely indicates the ransomware payload being executed across many of the affected systems.
Even that is a drop in the bucket next to Ryuk, which accounts for most of the November-December spike. Ryuk's query volume was so high that it skewed the yearly average, making the months in which it was quiet look below average. Yet the number of endpoints connecting to Ryuk-associated domains stayed small and fairly steady all year, with only modest increases before query volume skyrocketed. Tracking endpoint count and query volume separately is what makes that distinction visible: a small set of hosts generating a flood of queries points to active execution on those hosts rather than wide spread.
If you find evidence of Ryuk, but not Emotet, it might be worth looking for Trickbot as well, Nahorney said. Both Emotet and Trickbot have been seen deploying Ryuk in attacks, at times in coordination, and other times separately.
“Sure enough, Trickbot follows a similar pattern in terms of DNS activity, lower in the first half of the year, busy in August and September, then quiet in October,” he said. “However, Trickbot was active between November and December, when Emotet was not, likely contributing to the phenomenal increase in Ryuk activity during these two months.”
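The two patterns Nahorney describes above, a family whose query volume jumps while its endpoint count barely moves, and a family whose presence should prompt a hunt for its known partners, are easy to miss when telemetry is summarised only one way. The Python below is an added example, not code from the Cisco report or from Umbrella. It runs over a handful of constructed resolver log lines (date, client, queried name, threat family; the family labels are assumed to be supplied by the resolver's own categorisation, and the .example names and 10.0.0.x addresses are placeholders), reports distinct endpoints alongside total queries per family and month, flags month-over-month query growth at or above a chosen factor together with the endpoint growth over the same period, and, for every endpoint seen with Ryuk, lists which of Emotet and TrickBot have not yet been observed on it.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed sample resolver log (not Cisco Umbrella data). One query per line:
# "YYYY-MM-DD,client,qname,family". Family labels are assumed to be supplied by
# the resolver's threat categorisation; names under .example are placeholders.
SAMPLE_LOG = (
    # Sodinokibi: 2 endpoints / 2 queries in August, 3 endpoints / 10 queries in September
    ["2020-08-03,10.0.0.11,upd.sodin.example,Sodinokibi",
     "2020-08-10,10.0.0.12,upd.sodin.example,Sodinokibi"]
    + ["2020-09-01,10.0.0.11,upd.sodin.example,Sodinokibi"] * 4
    + ["2020-09-02,10.0.0.12,upd.sodin.example,Sodinokibi"] * 4
    + ["2020-09-03,10.0.0.13,upd.sodin.example,Sodinokibi"] * 2
    # Ryuk: the same 2 endpoints in October and November, query volume x10
    + ["2020-10-05,10.0.0.21,c2.ryuk.example,Ryuk",
       "2020-10-06,10.0.0.22,c2.ryuk.example,Ryuk"]
    + ["2020-11-20,10.0.0.21,c2.ryuk.example,Ryuk"] * 12
    + ["2020-11-21,10.0.0.22,c2.ryuk.example,Ryuk"] * 8
    # One Ryuk endpoint also reached a TrickBot domain; the other reached nothing else
    + ["2020-11-18,10.0.0.21,dl.trickbot.example,TrickBot"]
)


class Query(NamedTuple):
    month: str    # "YYYY-MM"
    client: str   # querying endpoint
    qname: str
    family: str   # threat family tag on the queried name


def parse(lines):
    """Parse log lines into Query records, skipping blanks and '#' comments."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, client, qname, family = line.split(",")
        out.append(Query(date[:7], client, qname, family))
    return out


def monthly_stats(queries):
    """(family, month) -> (distinct endpoints, total queries)."""
    clients = defaultdict(set)
    counts = defaultdict(int)
    for q in queries:
        clients[(q.family, q.month)].add(q.client)
        counts[(q.family, q.month)] += 1
    return {k: (len(clients[k]), counts[k]) for k in counts}


def query_spikes(stats, factor=5.0):
    """Flag family/month pairs where query volume grew >= factor over the
    previous observed month. Each hit carries the endpoint growth ratio too,
    so a Ryuk-style pattern (queries up, endpoints flat) stands out."""
    by_family = defaultdict(dict)
    for (family, month), stat in stats.items():
        by_family[family][month] = stat
    spikes = []
    for family, months in by_family.items():
        ordered = sorted(months)
        for prev, cur in zip(ordered, ordered[1:]):
            prev_eps, prev_n = months[prev]
            cur_eps, cur_n = months[cur]
            if cur_n >= factor * prev_n:
                spikes.append((family, prev, cur, cur_n / prev_n, cur_eps / prev_eps))
    return spikes


def partners_to_hunt(queries, seen="Ryuk", partners=("Emotet", "TrickBot")):
    """For every endpoint that touched `seen`, list the partner families not
    yet observed on that endpoint: those are the ones worth hunting for."""
    families = defaultdict(set)
    for q in queries:
        families[q.client].add(q.family)
    return {client: [p for p in partners if p not in fams]
            for client, fams in families.items() if seen in fams}


if __name__ == "__main__":
    queries = parse(SAMPLE_LOG)
    stats = monthly_stats(queries)
    for family, prev, cur, q_ratio, ep_ratio in query_spikes(stats):
        print(f"{family}: {prev} -> {cur} queries x{q_ratio:.1f}, endpoints x{ep_ratio:.1f}")
    for client, missing in partners_to_hunt(queries).items():
        print(f"{client}: seen with Ryuk, hunt for {missing or 'nothing further'}")
```

On the sample data both spikes fire: Sodinokibi's September queries are 5x August's with endpoints up 1.5x, while Ryuk's November queries are 10x October's from exactly the same two endpoints. The pivot then says that 10.0.0.22 has Ryuk with neither partner observed, which is the case Nahorney suggests checking for Trickbot.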
Cisco has seen a notable uptick in overall phishing activity, and the pandemic in part drove that spike, McBride said.
“The pandemic has us thirsty for information (e.g., free testing sites, vaccine signup sites, etc.) and malicious actors have jumped at the opportunity to set up numerous credential phishing and malware dropper sites,” he said. “Most of these sites mimic content from the Centers for Disease Control and Prevention (CDC), the European Center for Disease Prevention and Control (ECDC), or other health and government authorities. Looking at our telemetry, North America and EMEA accounted for 77% of the malicious pandemic traffic we saw in 2020.”
A majority of Cisco customers encountered malicious DNS activity last year, with high percentages seeing phishing, malvertising, malicious spam, trojans and more.
Cisco’s Threat Trends: DNS Security report analyzed data from Cisco Umbrella, the company’s cloud-based network security platform.
DNS, the domain name system, translates the host names users type into the IP addresses their browsers connect to. Because nearly every connection, legitimate or malicious, begins with a DNS lookup, the query stream is both an attractive channel for attackers and a useful vantage point for defenders.
Among the DNS activity findings: users in 70% of organizations were served malicious browser ads; 51% of organizations encountered ransomware-related activity; and 48% saw information-stealing malware activity.
Ben Nahorney is a threat intelligence analyst at Cisco Security.
“In today’s threat landscape, the idea that ‘no one is an island’ holds true for threats,” he said. “The most prevalent attacks these days leverage a variety of threats at different stages. For example, let’s look at how Emotet is often delivered by phishing in order to deploy Ryuk as a payload. If you find one threat within your network, it’s wise to investigate what threats have been observed working in tandem with it and take precautionary measures to prevent them from causing further havoc.”
Austin McBride is a data scientist at Cisco Umbrella.
“What I want to highlight most would be the growth in usage of multi-staged attacks,” he said. “If you get hit with Emotet, there is a good chance you could get hit with follow-up malware like ransomware. So, if you see Emotet or Ursnif/Gozi in your logs, you might want to be on the lookout for follow-up malware.”
Impact of Cryptomining
Cryptomining impacted some 69% of organizations, meaning at least one endpoint in each attempted to mine cryptocurrency, as seen in DNS queries to mining-related domains, above a minimum threshold.
“Organizational impact depends on the extent of mining happening in that environment,” McBride said. “At its most basic level, cryptomining can reduce the life of your hardware, clog your bandwidth, and drive up your AWS compute costs depending on how the miner has been configured. In the worst-case scenario, a malicious actor infiltrated your environment and set up a miner to make passive income while they perused your environment for data to exfiltrate or to exploit your environment further with follow-up malware. Bottom line, if you see a lot of cryptomining traffic, you should investigate to avoid a potential indicator of compromise (IOC).”
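The "minimum threshold" above, together with Nahorney's earlier remark that miners are noisy on DNS because they poll their pool for work at a steady cadence, suggests a simple triage rule: count each endpoint's queries to mining-categorised names and look at how regular the gaps between them are. The Python below is an added example, not code from the report or from Umbrella. It runs over constructed resolver log lines carrying a Cryptomining category label (assumed to be supplied by the resolver; the .example names, addresses and thresholds are placeholders) and separates an endpoint polling a pool every 30 seconds from one that touched a mining domain twice in a day, the policy-block case described earlier, and from one with repeated but irregular traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MINING_CATEGORY = "Cryptomining"   # category label assumed to come from the resolver

_BASE = datetime(2020, 3, 2, 9, 0, 0)


def _ts(offset_s):
    return (_BASE + timedelta(seconds=offset_s)).isoformat()


# Constructed sample resolver log (not Cisco Umbrella data), one query per line:
# "ISO timestamp,client,qname,category". Names under .example are placeholders.
SAMPLE_LOG = (
    # 10.0.0.5: a miner polling its pool every 30 seconds
    [f"{_ts(30 * i)},10.0.0.5,pool.mine.example,{MINING_CATEGORY}" for i in range(12)]
    # 10.0.0.6: a user who opened a mining site twice in one day (policy block, not malware)
    + [f"{_ts(3600)},10.0.0.6,pool.mine.example,{MINING_CATEGORY}",
       f"{_ts(24130)},10.0.0.6,pool.mine.example,{MINING_CATEGORY}"]
    # 10.0.0.7: repeated but irregular hits on a browser-miner page
    + [f"{_ts(o)},10.0.0.7,webminer.example,{MINING_CATEGORY}"
       for o in (0, 5, 190, 200, 900, 905, 1800, 3000)]
    # unrelated allowed traffic from the mining host, ignored by the filter
    + [f"{_ts(100)},10.0.0.5,www.example,Allowed"]
)


def mining_timelines(lines):
    """client -> sorted query timestamps, keeping only mining-categorised names."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, _qname, category = line.strip().split(",")
        if category == MINING_CATEGORY:
            per_client[client].append(datetime.fromisoformat(ts))
    for times in per_client.values():
        times.sort()
    return per_client


def beacon_score(times):
    """Return (query count, coefficient of variation of the gaps between queries).
    A steady poller has a CV near 0; cv is None when fewer than 3 queries exist."""
    if len(times) < 3:
        return len(times), None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    # All queries in the same second (mean gap 0) is treated as perfectly regular.
    return len(times), (pstdev(gaps) / avg if avg > 0 else 0.0)


def classify(times, min_queries=6, max_cv=0.25):
    """Triage one endpoint's mining queries. Thresholds are illustrative."""
    count, cv = beacon_score(times)
    if count < min_queries:
        return "below_threshold"          # a few hits: likely a user, not a running miner
    if cv is not None and cv <= max_cv:
        return "beaconing"                # regular cadence: a miner asking for work
    return "irregular_high_volume"        # noisy but not periodic: still worth a look


def mining_verdicts(lines, **thresholds):
    return {client: classify(times, **thresholds)
            for client, times in mining_timelines(lines).items()}


if __name__ == "__main__":
    timelines = mining_timelines(SAMPLE_LOG)
    for client, verdict in mining_verdicts(SAMPLE_LOG).items():
        count, cv = beacon_score(timelines[client])
        print(f"{client}: {count} mining queries, cv={cv}, verdict={verdict}")
```

The regularity check is what turns a volume count into something closer to an indicator of compromise: the pool poller comes out as "beaconing" with a CV of 0, the two-hit user stays below the count threshold, and the bursty browser-miner host is reported separately so an analyst can decide whether it is a curious user or a miner with jittered timing.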
Our slideshow above shows the list of malicious DNS activity.