Authors: Bart Lenaerts and Tom Grimes
Expert observations from the frontlines
In 2024, DNS-sourced threats evolved with new evasion and stealth techniques. Actors have become aware of advanced controls like EDR, Next-Gen Firewalls, and Cloud protections that customers have put in place. As a result, the battlefield is shifting. Easy-to-reach digital assets outside the organization, like domains, form a critical cybersecurity battlefield, allowing actors to access credentials, execute fraud schemes, and cause data leakage without being detected.
At Infoblox, we collect billions of DNS events from thousands of organizations around the globe. Our intel team combines these events with domain registration data, passive DNS, and insights from multiple technology partners to build a unique view of the malicious usage of domains.
In 2024, we added 20 million new indicators and provided an average of 63 days of protection before a malicious domain was actively used. We also named multiple new DNS actors, bringing the total to 94 Infoblox actors, and we expect this number to keep growing. These numbers demonstrate how actors continue to weaponize DNS and highlight the opportunity to advance defense-in-depth strategy with domain-based protection. During a recent online seminar, Infoblox experts shared key observations, providing additional insights into how actors used DNS to stage and execute their attacks.
Observation 1: Proliferation of Registered Domain Generation Algorithm (RDGA)
RDGAs are programmatic mechanisms used by actors to create numerous domain names simultaneously or over time. Adversaries use RDGAs within their criminal infrastructure to execute a broad spectrum of attacks like phishing, spamming, malvertising, and data exfiltration [1]. The true danger of RDGAs is that it takes researchers months to analyze and mitigate these threats, while it only takes a day for malicious actors to register thousands of new domains.
In 2024, Infoblox Threat Intelligence discovered an average of 11,000 new RDGAs per day. Actors do this because the supply of new domains is unlimited, and no one is currently stopping them. This unchecked proliferation of RDGAs was the top technique seen in 2024 and transforms the internet into a more dangerous place.
Infoblox Threat Intel identified actors, such as Prolific Puma, registering 75,000 unique domain names over the past years to provide illicit link-shortening services. These services, similar to legitimate ones like TinyURL, allow affiliates to reroute victims through malicious sites without being detected or discovered by threat research teams.
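A defender's first step against RDGA-registered infrastructure is to triage newly registered domains before they are used. The script below is an added example (not Infoblox code and not from this post) that scores each second-level label on four lightweight signals of machine generation (digits interleaved with letters, a low vowel ratio, long consonant runs, high character entropy) and then groups the high-scoring names by TLD and label length, since one RDGA run tends to mint names of the same shape. The domain feed, the thresholds and the `(tld, length)` template key are constructed assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed feed of newly registered domains (hypothetical names, not taken from the post).
NEW_REGISTRATIONS = [
    "xk3q9zv2.top", "p7r2wq8m.top", "m4n8kz1t.top", "q2w9rt5x.top",
    "j8f2k9d1s0a3.xyz", "h3g7t1p4n9v2.xyz",
    "bestdealsnow.com", "cityparkcafe.org", "acme-login-portal.net",
]


def split_domain(domain):
    """Return (second-level label, tld) for a simple 'label.tld' name."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def shannon_entropy(text):
    """Bits of entropy per character; on its own a weak signal, so it is only one of four."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def longest_non_vowel_run(label):
    """Longest run of consonants; digits are skipped, vowels and hyphens reset the run."""
    best = run = 0
    for ch in label:
        if ch.isdigit():
            continue
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def random_label_score(label):
    """Heuristic 0..4 score of how machine-generated a label looks (assumed thresholds)."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    score = 0
    # digits mixed into the letters, as opposed to a trailing year or number like 'shop2024'
    if len(digits) / len(label) >= 0.25 and any(c.isdigit() for c in label.rstrip("0123456789")):
        score += 1
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    if longest_non_vowel_run(label) >= 4:
        score += 1
    if len(label) >= 8 and shannon_entropy(label) >= 2.9:
        score += 1
    return score


def rdga_clusters(domains, min_score=3, min_size=3):
    """Group high-scoring domains by (tld, label length); return templates with >= min_size members."""
    groups = defaultdict(list)
    for d in domains:
        label, tld = split_domain(d)
        if random_label_score(label) >= min_score:
            groups[(tld, len(label))].append(d)
    return {k: v for k, v in groups.items() if len(v) >= min_size}


def triage(domains):
    """Per-domain scores plus the clusters worth escalating to an analyst."""
    scores = {d: random_label_score(split_domain(d)[0]) for d in domains}
    return {"scores": scores, "clusters": rdga_clusters(domains)}


if __name__ == "__main__":
    report = triage(NEW_REGISTRATIONS)
    for d, s in sorted(report["scores"].items(), key=lambda kv: -kv[1]):
        print(f"{s}  {d}")
    for template, members in report["clusters"].items():
        print("cluster", template, members)
```

Only a cluster of shape-identical, random-looking names is escalated; a single odd-looking registration is left alone, which keeps the noise from legitimate brands with unusual names low. In practice the template key would also include the registrar and nameserver seen in registration data, which this offline example does not have.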
Observation 2: Lookalike domains trick consumers and corporate users
Lookalike domains are domains that closely resemble legitimate ones, often created to deceive users. These domains trick individuals into believing they are interacting with a trusted site and expose the victim to disclosing critical data like credentials or personal information.
The technique affects both corporations and consumers and is a widespread problem. In 2024, Infoblox discovered the usage of lookalike domains during key events like the Olympics [2] and elections across the globe. It is important to note that these domains were carefully created months in advance to grab attention and execute fraud later. Other lookalike domains were discovered being used to bypass multi-factor authentication, abusing the names of identity and access platforms.
A large majority of these domains (over 60%) remain active for extended periods (over 1,000 days), and industry watchlists are ineffective as they only block a small percentage (20%) of them. Understanding the threat posed by lookalike domains and taking proactive steps to mitigate their impact is essential for maintaining online security, protecting individual employees, and protecting the reputation of the organization.
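Because watchlists catch only a fraction of lookalikes, organizations usually run their own matcher over new registrations and observed DNS queries. The following is an added example (not Infoblox code and not from this post) of such a matcher: it reduces each label to a "skeleton" by decoding punycode, mapping Cyrillic/Greek homoglyphs and digit stand-ins to their Latin look-alikes and collapsing pairs such as `rn` to `m`, then classifies a candidate against a list of protected domains as a homoglyph, typosquat, TLD swap, or combosquat (brand embedded in another label or subdomain). The `PROTECTED` list, the confusables tables and the distance thresholds are constructed assumptions.

```python
import unicodedata

# Constructed list of domains to protect (hypothetical brands, not from the post).
PROTECTED = ["examplebank.com", "acme-id.com"]

# Characters that render like Latin letters: Cyrillic а е о р с х у і ѕ, Greek ο α ν,
# and digit/symbol stand-ins. A real deployment would use the full Unicode confusables list.
SINGLE_CHAR = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
}
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(label):
    """Visual skeleton of a label: what a user is likely to read it as."""
    label = unicodedata.normalize("NFKC", label.lower())
    for seq, rep in MULTI_CHAR.items():
        label = label.replace(seq, rep)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in label)


def labels_of(domain):
    """Split a domain into labels, decoding any punycode (xn--) label to Unicode."""
    out = []
    for lab in domain.strip(".").split("."):
        if lab.lower().startswith("xn--"):
            try:
                lab = lab.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        out.append(lab)
    return out


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(candidate, protected=PROTECTED):
    """Return (brand, reason) when candidate looks like a protected domain, else None."""
    cand_labels = labels_of(candidate)
    if len(cand_labels) < 2:
        return None
    raw_sld, cand_tld = cand_labels[-2].lower(), cand_labels[-1].lower()
    cand_sld = skeleton(cand_labels[-2])
    cand_all = [skeleton(lab) for lab in cand_labels]
    for brand in protected:
        b_labels = labels_of(brand)
        b_sld, b_tld = skeleton(b_labels[-2]), b_labels[-1].lower()
        if raw_sld == b_labels[-2].lower() and cand_tld == b_tld:
            return None  # the brand itself or one of its own subdomains
        if cand_sld == b_sld and cand_tld == b_tld:
            return (brand, "homoglyph")
        if cand_sld == b_sld:
            return (brand, "tld-swap")
        threshold = 2 if len(b_sld) >= 10 else 1  # assumed: longer brands tolerate two edits
        if osa_distance(cand_sld, b_sld) <= threshold:
            return (brand, "typosquat")
        if any(b_sld in lab and lab != b_sld for lab in cand_all) or b_sld in cand_all[:-2]:
            return (brand, "combosquat")
    return None


if __name__ == "__main__":
    for name in ["examp1ebank.com", "exarnplebank.com", "examplebnak.com",
                 "examplebank-login.net", "login.examplebank.com.secure-update.info",
                 "login.examplebank.com", "cityparkcafe.org"]:
        print(f"{name:45} {classify(name)}")
```

Running the skeleton over both the brand and the candidate is what makes the comparison robust: a label is never judged on its raw bytes but on what it would look like to a user. The combosquat rule is the one that catches the multi-factor and identity-platform abuse described above, where the real brand name sits intact inside a longer hostname.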
Observation 3: Cloaking malicious content via Traffic Distribution System (TDS)
Traffic Distribution Systems are sophisticated mechanisms used by malicious actors to route victims through a complex maze of domain names, effectively throwing off researchers. Unlike broad “spray and pray” campaigns, TDSs also allow actors to target specific audiences based on characteristics like geographic region, endpoint type, browser, and more.
In 2024, TDSs became the second most important discovered tactic, with over 600,000 discovered domains. Alarmingly, 50% of customer networks had interactions with TDSs, indicating the widespread nature of this threat. Actors also continue to build out and update TDSs because they are a major source of income: these cloaking services are offered on the dark web to affiliates.
The danger of TDSs lies in their underreporting by the security industry. Understanding and mitigating TDSs requires deep insights into DNS and adversary infiltration to comprehend the mechanisms behind these networks. As a result, some TDSs have been around for years and are resilient to mitigations. In 2024, several notable actors were observed using TDSs, including Vextrio Viper, Vigorish Viper, Prolific Puma, and Savvy Seahorse [3].
Observation 4: Existing domains are vulnerable
Actors target existing domains using sitting duck attacks. This method involves hijacking domains for their positive reputation, allowing actors to bypass security controls. Most of the hijacked domains are perceived as safe or benign, enabling adversaries to put their malicious infrastructure directly in front of new victims. Unfortunately, many organizations overlook this risk.
In 2024, sitting duck attacks gained prevalence. Infoblox Threat Intel estimated that more than 1 million domains are vulnerable to this attack. During a specific monitoring initiative in the summer of 2024, 70,000 domains were hijacked from a pool of 800,000 [4]. This highlights the scale of the problem and the need for robust security measures.
Multiple actors use these techniques systematically. The ease with which these attacks can be executed and the difficulty for security teams to detect make them particularly dangerous. The low entry barrier to executing sitting duck cyber-attacks, combined with the obfuscation techniques that can be applied, attracts many cybercrime groups. This has led to an inevitable upward spiral of attacks.
Actors known to be exploiting this attack in 2024 include Vextrio Viper, Vigorish Viper, Horrid Hawk, and Hasty Hawk. These actors have demonstrated the effectiveness of sitting duck attacks, underscoring the need for heightened vigilance and improved security practices to combat these threats.
Observation 5: Sophistication in DNS Tunneling
DNS Tunneling is a technique used by malicious actors to bypass firewalls and exfiltrate data. It is as simple as that. However, the implications are far-reaching and complex.
The primary issue with DNS Tunneling is its increasing sophistication. Actors continuously switch domains and implement quiet periods before tunneling starts. This tactic is used to mislead detonation tools or dynamic analysis from sandboxes, making it harder for security teams to detect and respond to the threat.
In 2024, the importance of addressing DNS Tunneling has grown significantly, with hundreds of second-level domains using this technique. DNS Tunneling is a global issue because it is used by both malicious actors and penetration testers. Many pen-testing tools incorporate DNS Tunneling, making it a widely recognized method for both offensive and defensive purposes. Several customers have failed compliance because DNS Tunneling used during red-teaming exercises went undetected. As a result, they faced expensive mitigations, and ineffective defenses were reported to the board.
The danger of DNS Tunneling lies in its ability to evade detection from Network Detection and Response (NDR) or Extended Detection and Response (XDR) tools. This makes it a particularly insidious threat that requires deep insights into DNS which most security teams lack.
In 2024, notable examples of DNS Tunneling include the actor Alphv/BlackCat, also mentioned by both the FBI and CISA [5].
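The evasions described above (switching domains and inserting quiet periods) defeat detectors that count queries per domain in short time buckets. The script below is an added example (not Infoblox code and not from this post) of detection logic that holds up against both: it flags individual queries whose leftmost label is long and high-entropy, then aggregates those per client across all domains in a long window, so a client that splits its tunnel over two domains with a two-hour pause between them still crosses the threshold. The resolver log lines, client addresses, tunnel domains, the "last two labels" registrable-domain rule and all thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed resolver log (hypothetical clients, domains and times; not from the post).
# Format: <ISO-8601 UTC time> <client IP> <query name> <query type>
# 10.0.0.5 sends four queries to one tunnel domain, waits 2.5 hours, then four to another.
LOG = """\
2024-06-01T08:00:01Z 10.0.0.9 www.example.com A
2024-06-01T08:00:02Z 10.0.0.5 mfrggzdfmztwq2lknnwg23tpobyxe43u.t1.dns-tunnel-one.net TXT
2024-06-01T08:00:03Z 10.0.0.5 nrxxezlomnwgkzy6fra4mvsmdlxbeyhrg.t1.dns-tunnel-one.net TXT
2024-06-01T08:00:04Z 10.0.0.5 pbqwyidcn5sgk3tuebsw4icsnfzxi2lnn.t1.dns-tunnel-one.net TXT
2024-06-01T08:00:05Z 10.0.0.5 kjuwgltjmftgs3tpnzzxqzjamnxw2zlo.t1.dns-tunnel-one.net TXT
2024-06-01T08:00:06Z 10.0.0.9 mail.example.com MX
2024-06-01T10:30:01Z 10.0.0.5 ojqwizlonf2ho5dfon2c4zldn5xge43u.t2.dns-tunnel-two.org TXT
2024-06-01T10:30:02Z 10.0.0.5 m5ywi2jsov2hgzlomfzc4zddnzrwc3tjn.t2.dns-tunnel-two.org TXT
2024-06-01T10:30:03Z 10.0.0.5 gq2gkyjtmnxw4zlmmnrxizlqny4dk2ltn.t2.dns-tunnel-two.org TXT
2024-06-01T10:30:04Z 10.0.0.5 kzzxizjamn2hk43unf2hizlnmjzw6llwg.t2.dns-tunnel-two.org TXT
2024-06-01T10:30:05Z 10.0.0.9 cdn.example.com A
"""


def parse_line(line):
    """Return (epoch seconds, client, qname, qtype) for one log line."""
    ts, client, qname, qtype = line.split()
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return epoch, client, qname.lower().rstrip("."), qtype


def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def split_qname(qname):
    """(leftmost 'payload' label, registrable domain) using a naive last-two-labels rule."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def is_tunnel_like(label, min_len=20, min_entropy=3.0):
    """Encoded tunnel payloads are long and have near-uniform character frequencies."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def detect(log_text, window_seconds=86400, min_queries=5):
    """Alerts per (client, domain) and per client across domains within a time window."""
    per_domain = defaultdict(set)                         # (client, domain, bucket) -> payloads
    per_client = defaultdict(lambda: defaultdict(int))    # (client, bucket) -> domain -> count
    for line in log_text.strip().splitlines():
        epoch, client, qname, _qtype = parse_line(line)
        payload, domain = split_qname(qname)
        if not is_tunnel_like(payload):
            continue
        bucket = int(epoch // window_seconds)
        per_domain[(client, domain, bucket)].add(payload)
        per_client[(client, bucket)][domain] += 1
    alerts = []
    for (client, domain, _bucket), payloads in sorted(per_domain.items()):
        if len(payloads) >= min_queries:
            alerts.append({"level": "domain", "client": client, "domain": domain,
                           "queries": len(payloads)})
    for (client, _bucket), by_domain in sorted(per_client.items()):
        total = sum(by_domain.values())
        # the client-level rule exists for domain switching, so it needs at least two domains
        if total >= min_queries and len(by_domain) >= 2:
            alerts.append({"level": "client", "client": client,
                           "domains": sorted(by_domain), "queries": total})
    return alerts


if __name__ == "__main__":
    print("5-minute window:", detect(LOG, window_seconds=300))
    print("24-hour window: ", detect(LOG, window_seconds=86400))
```

With a five-minute window the two bursts fall into separate buckets and each domain stays under the threshold, so nothing fires; the same log evaluated over a day produces one client-level alert naming both domains. Long windows cost memory per client, which is the trade-off a production detector makes against exactly this quiet-period evasion.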
Observation 6: Mystery behind the Great Chinese Firewall
Earlier this year, Infoblox Threat Intel posted an extensive report on a sophisticated actor named Muddling Meerkat. While some of the mystery remains, indicators may be linked to a nation-state nexus that probes DNS networks through open resolvers. Another discovered tactic includes inducing false MX Records with Chinese IP addresses, highlighting the advanced capabilities and determination to evade detection. One hypothesis suggests that this actor is executing these operations as part of an internet mapping effort.
We collaborated with other researchers and received confirmation on the behavior of this actor. Based on our findings, we published special recommendations [6] to protect against espionage or the leakage of customer domain information. We will soon provide more details and encourage other researchers to come forward and contact us via Mastodon for further collaboration.
Defense In-Depth with DNS Protection
In 2024, threat actors continued to weaponize DNS for many threats. A common theme in 2024 DNS attack patterns is a new level of sophistication aimed at evading existing detections. While the actors' goal is to go after identities and data, their early tactics include the weaponization of domains ahead of the compromise and the abuse of domains during and after it.
Malicious usage of DNS remains underreported in the security industry, as most security vendors wait for a threat to materialize before investing in new protection techniques. This wait for patient zero creates a challenge for defenders, as actors keep changing at unprecedented speed and scale, often leaving organizations unprotected for days. Now is the time to include protection against the malicious usage of domains as part of the enterprise defense-in-depth strategy to protect users, data, and reputation. By blocking malicious domains early on, even before a threat campaign materializes, the load on security tools and processes is reduced. In 2024, Infoblox enabled security teams to block over 75% of malicious domains before victim interaction. More than just saving time, this approach allows an organization to improve its overall security posture and protect itself from costly expenses and loss of reputation.
To learn more about Infoblox Threat Intel visit https://www.infoblox.com/threat-intel/.
Footnotes
1. https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/
2. https://blogs.infoblox.com/threat-intelligence/olympics-scammers-take-their-marks-get-set-and-go/
3. https://blogs.infoblox.com/threat-intelligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/
4. https://blogs.infoblox.com/threat-intelligence/dns-predators-hijack-domains-to-supply-their-attack-infrastructure/
5. https://blogs.infoblox.com/threat-intelligence/dns-early-detection-breaking-the-blackcat-ransomware-kill-chain/
6. https://www.infoblox.com/threat-intel/threat-actors/muddling-meerkat/
7. https://insights.infoblox.com/resources-report/infoblox-report-muddling-meerkat-the-great-firewall-manipulator
8. https://mastodon.social/@InfobloxThreatIntel@infosec.exchange