
3/23/2016
03:30 PM
Dark Reading, Products and Releases

More Than 90 Percent of Newly Observed Malicious Domains Worldwide Hosted in the U.S. and Germany, According to the Infoblox DNS Threat Index

Creation of malicious DNS infrastructure rebounds to near record levels in the fourth quarter of 2015

Santa Clara, Calif.
Wednesday, March 23, 2016

Infoblox Inc. (NYSE:BLOX), the network control company, today announced that the Infoblox DNS Threat Index, which measures the creation of malicious Domain Name System (DNS) infrastructure, unexpectedly rebounded to near record levels in the fourth quarter of 2015. Infoblox researchers also found that 92 percent of newly observed malicious domains in Q4 were hosted in either the United States or Germany.

After dipping in Q3 2015, the Infoblox DNS Threat Index in Q4 2015 increased to 128, near the record high of 133 established in Q2 2015. This is a rise of 49 percent from Q4 2014 and an increase of five percent from the previous quarter, meaning the creation of malicious domains is increasing both quarter to quarter and year to year.

The results break with previous cycles, in which record-high threat levels (indicating the "planting" of malicious new infrastructure) were followed by several quarters of relative quiet as cybercriminals used that infrastructure to harvest data and harm victims. Taken together, these readings put the threat index for all of 2015 well above its historical baseline, meaning that organizations of all sizes and types continue to face unrelenting attacks.

“Our findings may indicate we’re entering a new phase of sustained and simultaneous plant/harvest activity,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “As we see this escalation of efforts by cybercriminals, it is essential we go after the infrastructure that cybercriminals are using to host these domains. So, for the first time, we are using the index to highlight the countries with the most hosting locations for bad domains.”

The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

DNS is the address book of the Internet, translating domain names such as www.google.com into machine-readable Internet Protocol (IP) addresses such as 74.125.20.106. Because DNS is required for almost all Internet connections, cybercriminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.

U.S. Top Country for Infected Systems

Infoblox found that the clear country of choice for hosting and launching attacks using malicious DNS infrastructure in Q4 2015 was the United States, which accounted for 72 percent of newly observed malicious domains. Germany (20 percent) was the only other country to account for more than two percent of the observed malicious sites. While much cybercrime originates from hotspots in Eastern Europe, Southeast Asia, and Africa, this analysis shows the underlying infrastructure used to launch the attacks themselves sits elsewhere—in the backyard of the world’s top economies.

It is important to note that the geographical information is not an indication of “where the bad guys are,” since exploit kits and other malware can be developed in one country, sold in another, and used in a third to launch attacks through systems hosted in a fourth. But it does suggest which countries tend to have either lax regulations or policing, or both.

“It would be a silver lining if U.S. hosting providers were quick to take down malicious content at dangerous domains once they’re identified, but they are not,” said Lars Harvey, vice president of security strategy at Infoblox. “The fact of the matter is that many hosting providers can be slow to respond, allowing exploits to propagate for considerably longer than they should. This should be a key area of focus for improvement.”

Old Exploit Kit Re-emerges

Exploit kits are a particularly alarming category of malware because they represent the automation of cybercrime. A small number of highly skilled hackers can create the kits, which are packages for delivering a malware payload, and then sell or rent these toolkits to ordinary criminals with little technical experience. This can vastly increase the ranks of malicious attackers capable of going after individuals, businesses, schools, and government agencies.

While Angler continues to lead DNS exploit kit activity, RIG—an older kit that has been far back in the pack in usage during previous quarters—surged into second place. Infoblox analysis of RIG activity in 2015 shows that it began using domain shadowing techniques similar to those pioneered by Angler to defeat reputation-based blocking strategies. This indicates that as exploit kits are updated in coming years, there may be a reappearance of past threats in a new guise or location.

For details on methodology and to read the full Infoblox DNS Threat Index report for the fourth quarter of 2015, go to www.infoblox.com/dns-threat-index.

About Infoblox

Infoblox (NYSE:BLOX) delivers critical network services that protect Domain Name System (DNS) infrastructure, automate cloud deployments, and increase the reliability of enterprise and service provider networks around the world. As the industry leader in DNS, DHCP, and IP address management, the category known as DDI, Infoblox (www.infoblox.com) reduces the risk and complexity of networking.

Forward-looking and Cautionary Statements—Infoblox

Certain statements in this release are forward-looking statements, which involve a number of risks and uncertainties that could cause actual results to differ materially from those in such forward-looking statements. As such, this release is subject to the safe harbors created by U.S. Federal Securities Laws. The risks and uncertainties relating to these statements include, but are not limited to, risks that there may be design flaws in the company’s products, shifts in customer demand and the IT services market in general, shifts in strategic relationships, delays in the ability to deliver products, or announcements by competitors. These and other risks may be detailed from time to time in Infoblox’s periodic reports filed with the Securities and Exchange Commission, copies of which may be obtained from www.sec.gov. Infoblox is under no obligation to (and expressly disclaims any such obligation to) update or alter its forward-looking statements whether as a result of new information, future events, or otherwise.
