In a new report, cyber security researchers have highlighted just how widespread malware threats really are, focusing on threats that ride on DNS infrastructure.
Last year, between 10% and 16% of organizations saw DNS traffic leaving their networks for command-and-control (C2) servers associated with botnets and other malicious threats.
Over 25% of that traffic was directed to servers belonging to initial access brokers (IABs): criminals who sell access to compromised corporate networks to other cyber criminals, who in turn use that access to launch ransomware attacks.
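The measurement behind those two figures is essentially a join between DNS query logs and a list of known C2 domains, followed by a per-organization roll-up. The following is an added example, not the researchers' own tooling or data: it parses a small constructed DNS query log, matches query names against a constructed indicator list (the domains use the reserved .invalid TLD and are placeholders, not real indicators), and reports the share of organizations with at least one C2 lookup and the share of C2 lookups that went to IAB infrastructure. Matching is done on label boundaries so that a lookalike such as "notqsnatch-c2.invalid" does not match "qsnatch-c2.invalid", and trailing root dots and letter case are normalized first.

```python
"""Match DNS query logs against a C2 indicator list and summarise hits per organization.

Added example; the indicator list and log lines below are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed indicator list: domain -> (malware family, threat category).
# Hypothetical names under the reserved .invalid TLD; not real C2 infrastructure.
C2_INDICATORS = {
    "qsnatch-c2.invalid": ("QSnatch", "botnet"),
    "emotet-loader.invalid": ("Emotet", "initial_access_broker"),
    "flubot-drop.invalid": ("FluBot", "botnet"),
}

# Constructed sample log. Assumed format: "<timestamp> <org> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2022-03-01T10:00:01Z orgA 10.0.1.5 www.example.com A
2022-03-01T10:00:02Z orgA 10.0.1.5 cdn.qsnatch-c2.invalid A
2022-03-01T10:00:03Z orgB 10.0.2.8 mail.example.org MX
2022-03-01T10:00:04Z orgB 10.0.2.9 emotet-loader.invalid A
2022-03-01T10:00:05Z orgB 10.0.2.9 emotet-loader.invalid AAAA
2022-03-01T10:00:06Z orgC 10.0.3.1 notqsnatch-c2.invalid A
2022-03-01T10:00:07Z orgD 10.0.4.2 flubot-drop.invalid. A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<org>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize_qname(qname):
    """Lower-case and strip the trailing root dot so 'Foo.Example.' equals 'foo.example'."""
    return qname.rstrip(".").lower()


def match_indicator(qname, indicators=C2_INDICATORS):
    """Return (family, category) if qname is a listed domain or a subdomain of one, else None.

    Walking up the label list ("cdn.x.invalid" -> "x.invalid" -> "invalid") matches only on
    label boundaries, so "notqsnatch-c2.invalid" does not match "qsnatch-c2.invalid".
    """
    labels = normalize_qname(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return indicators[candidate]
    return None


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(text, all_orgs, indicators=C2_INDICATORS):
    """Summarise C2 lookups: hits per org, share of orgs affected, share of hits going to IABs."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        ind = match_indicator(rec["qname"], indicators)
        if ind:
            family, category = ind
            hits[rec["org"]].append(
                {"qname": rec["qname"], "client": rec["client"], "family": family, "category": category}
            )
    total_hits = sum(len(v) for v in hits.values())
    iab_hits = sum(1 for v in hits.values() for h in v if h["category"] == "initial_access_broker")
    return {
        "hits": dict(hits),
        "affected_orgs": sorted(hits),
        # Fraction of monitored organizations with at least one C2 lookup (the report's 10-16%).
        "affected_share": len(hits) / len(all_orgs) if all_orgs else 0.0,
        # Fraction of C2 lookups that went to IAB infrastructure (the report's 25%+).
        "iab_share": iab_hits / total_hits if total_hits else 0.0,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG, ["orgA", "orgB", "orgC", "orgD", "orgE"])
    print(f"affected orgs: {summary['affected_orgs']} ({summary['affected_share']:.0%})")
    print(f"share of C2 lookups to IABs: {summary['iab_share']:.0%}")
    for org, recs in summary["hits"].items():
        for r in recs:
            print(f"  {org} {r['client']} -> {r['qname']} [{r['family']}/{r['category']}]")
```

On real resolver logs the indicator list would come from a threat-intelligence feed and the organization field from the resolver or tenant that received the query; the label-boundary matching and normalization are the parts that carry over unchanged.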
DNS, bots, malware
In analyzing high volumes of malicious DNS traffic from both enterprises and work-from-anywhere users, researchers observed several outbreaks and campaigns.
They observed the spread of FluBot, an Android-based malware that was making its way from one country to the next, and the prevalence of criminal groups intent on decimating enterprises.
As noted above, the clearest example was the significant C2 traffic related to initial access brokers, who deliberately breach corporate networks in order to monetize that access.
Researchers were able to observe as many as seven trillion DNS requests per day.
Based on the data, researchers determined that over 30% of analyzed organizations with malicious C2 traffic are in the manufacturing sector. Organizations in the business services, high tech, and commerce sectors were also at risk.
Researchers noted that the two top verticals in the DNS data, which consisted of manufacturing and business services, also reflect the top industries affected by Conti ransomware.
Breaking it down further
Researchers teased apart the C2 traffic data and came away with several additional insights. For instance, botnets accounted for 44% of the malicious C2 traffic. The largest botnet observed in the enterprise C2 traffic is known as QSnatch. It relies on malware that specifically infects the firmware of outdated QNAP network-attached storage devices.
First appearing in 2014, QSnatch remains active to this day. A mid-2020 advisory indicated that over 62,000 devices were infected worldwide. QSnatch prevents installation of security updates and is weaponized for credential scraping, password logging, remote access and data exfiltration.
The second most prominent threat category in the C2 DNS traffic analysis, as mentioned above, was initial access brokers. The most sizeable threat in this group is Emotet, one of the most notorious botnets used to gain initial access to corporate networks.
How to counter DNS threats
Given the latest insights into malicious activity reaching enterprise networks via DNS, security teams may wish to take steps to reduce their exposure. One way to do so is to conduct gap assessments and close the gaps they reveal.
In addition, organizations that have not already done so should consider adopting Zero Trust principles. Microsegmentation, endpoint detection and response (EDR) and secure web gateways can prove of particular use.
Further, researchers recommend ensuring that network-attached storage (NAS) devices are secured appropriately. Segmentation and other tools can help.