In 2024 the DNS threat landscape shifted toward evasion techniques that abuse unprotected or poorly managed domains to harvest credentials and run fraud. Infoblox's analysis of its DNS telemetry shows sharp growth in registered domain generation algorithms (RDGAs), lookalike domains, traffic distribution systems (TDSs) and DNS tunneling, underlining the need for proactive, DNS-layer protection in organizations' defenses. Affected: organizations, consumers, cybersecurity sectors
Keypoints :
- Attackers are moving to DNS-based techniques because endpoint and perimeter controls such as EDR and next-generation firewalls are now widely deployed, while DNS traffic is often less scrutinized.
- Infoblox analyzed billions of DNS events and added roughly 20 million new indicators to its protection feeds over the year.
- Registered Domain Generation Algorithms (RDGAs), in which the algorithmically generated domains are actually registered rather than only computed, proliferated; Infoblox observed about 11,000 new RDGA domains per day on average.
- Lookalike domains (typosquats and homoglyph variants of legitimate brands) mislead users, and many stay live for more than 1,000 days before being taken down.
- Traffic Distribution Systems (TDSs) route victims through chains of redirector domains to hide the final malicious content; TDS activity was seen in more than 50% of customer networks.
- "Sitting Ducks" attacks, which hijack registered domains whose DNS delegation points at a provider that no longer serves the zone, have become common; more than 1 million registered domains were found vulnerable.
- DNS tunneling tooling is increasingly sophisticated and is designed to slip past traditional signature-based controls.
- The actor Infoblox tracks as Muddling Meerkat conducts large-scale probing of open resolvers, including anomalous MX queries, raising concern about nation-state involvement in mapping DNS infrastructure.
- Infoblox advocates making domain and DNS protection an explicit layer in defense-in-depth strategies.
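The following script is an added illustration (not Infoblox's tooling or any code from the report) of how two of the threat classes above, lookalike domains and DNS tunneling, can be surfaced from ordinary DNS query logs. The protected-brand list, the homoglyph map, the thresholds and the log lines are all constructed assumptions; the tunneling heuristic looks for the shape of data-carrying queries (long, high-entropy, never-repeating subdomains under one registrable domain) rather than any specific tool.

```python
"""Heuristic triage of DNS query logs for lookalike domains and DNS tunneling.
Added illustration only; not Infoblox code.  Brand list, thresholds and the
sample log are constructed for the example."""
import math
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumption: brands whose second-level label we want to protect.
PROTECTED = ["paypal", "microsoft", "infoblox"]

# Character substitutions commonly used in lookalike domains (partial list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize_label(label: str) -> str:
    """Fold homoglyphs and drop hyphens so 'paypa1-secure' compares as 'paypalsecure'."""
    s = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(fqdn: str) -> Tuple[str, str]:
    """Split 'a.b.example.net' into ('a.b', 'example.net').
    Assumes a two-label registrable domain; real code needs a public-suffix list."""
    parts = fqdn.rstrip(".").lower().split(".")
    return ".".join(parts[:-2]), ".".join(parts[-2:])


def lookalike_of(fqdn: str, max_dist: int = 2) -> Optional[str]:
    """Return the protected brand a registrable domain imitates, or None."""
    _, reg = split_domain(fqdn)
    raw = reg.split(".")[0]
    norm = normalize_label(raw)
    for brand in PROTECTED:
        if raw == brand:
            return None  # the genuine brand label itself
        if brand in norm or levenshtein(norm, brand) <= max_dist:
            return brand
    return None


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    counts: Dict[str, int] = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0


def tunneling_suspects(fqdns: List[str], min_queries: int = 5, min_len: int = 30,
                       min_entropy: float = 3.5) -> Dict[str, dict]:
    """Group queries by registrable domain and flag domains whose subdomains are
    long, high-entropy and almost never repeated: the shape of data-carrying
    labels produced by DNS tunnels."""
    by_reg: Dict[str, List[str]] = defaultdict(list)
    for f in fqdns:
        sub, reg = split_domain(f)
        if sub:
            by_reg[reg].append(sub.replace(".", ""))
    flagged: Dict[str, dict] = {}
    for reg, subs in by_reg.items():
        if len(subs) < min_queries:
            continue
        uniq_ratio = len(set(subs)) / len(subs)
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        if uniq_ratio > 0.9 and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[reg] = {"queries": len(subs), "avg_len": avg_len, "avg_entropy": avg_ent}
    return flagged


# Constructed sample log, "<time> <client> <qtype> <qname>".  The example.net
# subdomains are permutations of the 16 hex digits, mimicking encoded payload.
SAMPLE_LOG = """\
2024-06-01T12:00:01Z 10.0.0.5 A www.paypal.com
2024-06-01T12:00:02Z 10.0.0.5 A login.microsoft.com
2024-06-01T12:00:03Z 10.0.0.7 A paypa1.com
2024-06-01T12:00:04Z 10.0.0.7 A microsoft-login.net
2024-06-01T12:00:05Z 10.0.0.9 A paypai.com
2024-06-01T12:00:06Z 10.0.0.9 A mail.google.com
2024-06-01T12:00:07Z 10.0.0.12 TXT 0123456789abcdef.fedcba9876543210.example.net
2024-06-01T12:00:08Z 10.0.0.12 TXT 13579bdf02468ace.ace02468bdf13579.example.net
2024-06-01T12:00:09Z 10.0.0.12 TXT 02468ace13579bdf.fdb97531eca86420.example.net
2024-06-01T12:00:10Z 10.0.0.12 TXT fedcba9876543210.0123456789abcdef.example.net
2024-06-01T12:00:11Z 10.0.0.12 TXT abcdef0123456789.9876543210fedcba.example.net
2024-06-01T12:00:12Z 10.0.0.12 TXT 76543210fedcba98.89abcdef01234567.example.net
"""


def triage(log_text: str) -> Dict[str, dict]:
    """Run both detectors over the query names in a log and return the hits."""
    qnames = [line.split()[-1] for line in log_text.splitlines() if line.strip()]
    lookalikes: Dict[str, str] = {}
    for q in qnames:
        brand = lookalike_of(q)
        if brand:
            lookalikes[q] = brand
    return {"lookalikes": lookalikes, "tunneling": tunneling_suspects(qnames)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample log the lookalike check flags paypa1.com, paypai.com and microsoft-login.net while leaving the genuine brand domains alone, and the tunneling check flags example.net (six unique 32-character hex subdomains with 4.0 bits/char entropy). Both heuristics are deliberately simple: the lookalike test only examines the registrable label, so brand names buried in a subdomain (paypal.com.evil.net) need a separate check, and the entropy thresholds must be tuned against CDN and telemetry domains that legitimately issue long random-looking queries.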
MITRE Techniques :
- Domain Generation Algorithms (T1568.002, Dynamic Resolution: Domain Generation Algorithms) - Adversaries programmatically create large numbers of domain names; with RDGAs the generated domains are actually registered and used across many campaigns.
- Lookalike domains (T1583.001, Acquire Infrastructure: Domains) - Registered domains that resemble legitimate ones (typosquats, homoglyphs, brand-plus-keyword) trick users into disclosing sensitive information.
- Traffic Distribution Systems (closest mapping T1071.001, Application Layer Protocol: Web Protocols) - Victims are routed through chains of redirector domains so that the final malicious destination is hidden from scanners and analysts.
- Exploitation of existing domains / Sitting Ducks (T1584.001, Compromise Infrastructure: Domains) - Hijacking already-registered domains to inherit their benign reputation and bypass reputation-based controls.
- DNS Tunneling (T1071.004, Application Layer Protocol: DNS; data theft over DNS is also T1048, Exfiltration Over Alternative Protocol) - Using DNS queries and responses to carry command-and-control traffic and exfiltrated data past firewalls.
Indicator of Compromise :
- Domain: none; the report is a landscape summary and publishes no indicator list (infoblox.com and blogs.infoblox.com are the publisher's own sites, not indicators)
- IP Address: (not explicitly stated)
- Email Address: (not explicitly stated)
Full Story: https://blogs.infoblox.com/threat-intelligence/2024-dns-threat-landscape/