Dive Brief:
- Cryptomining and phishing account for 70% of malicious DNS traffic within the technology industry, according to a report from Cisco based on data collected from Cisco Umbrella. The tech industry generated more cryptomining traffic than any other industry.
- Cisco researchers theorize that employees unaware of company policy, attempting to install miners on work computers, could have triggered the cryptomining blocks seen in Umbrella. The financial sector, where employees are well-versed in cryptocurrency risks and policy violations, had the lowest levels of cryptomining activity.
- Ransomware activity was overshadowed by cryptomining, accounting for 6% of malicious DNS traffic in the tech sector. The REvil and Ryuk ransomware strains drove most of it, and the trojans they rely on also contributed to the 5% of DNS activity tied to trojans.
Dive Insight:
Knowing which control surfaces malicious activity, whether DNS security, a secure web gateway, a firewall, cloud access security broker functionality or threat intelligence, gives companies a better chance of hardening defenses where it matters.
Cybersecurity professionals already anticipated an increase in DNS threats, according to a survey from the Neustar International Security Council. Ahead of the late-2020 holiday season, 59% of the security experts surveyed had begun updating their DNS security measures.
However, because the DNS landscape has grown more complicated, 29% of those experts are not entirely confident in their ability to respond to DNS threats, according to the Neustar survey.
The manufacturing industry most closely resembled the technology sector in its malicious DNS activity: about half of that activity was rooted in cryptomining and 20% came from ransomware. "It turns out that the manufacturing sector is also the most likely to be impacted by ransomware," said Cisco. The report attributes the high ransomware activity to big game hunting, targeted attacks whose ransom demands run to hundreds of thousands of dollars or more.
Because REvil and Ryuk are delivered through the Emotet and Trickbot trojans, ransomware and trojan DNS activity were closely linked. The financial sector had the highest levels of phishing-related traffic: 46% phishing and 31% trojan. "It's possible that this sector is targeted by attackers through phishing more often than others simply because of its proximity to many bad actors' end goal: money," the report said.
While SolarWinds investigations are still underway, including work to determine whether some of the DNS callouts in that hack carried victims' data, industries differ in how exposed they are to information-stealing activity.
In general, the financial sector sees the most information-stealing threats, with five times more such traffic than any other industry, according to Cisco. Almost half of the companies in that sector experienced at least one case of information-stealing malware.
In the case of SolarWinds, the Sunburst malware beaconed out to the attacker-controlled DNS server. "These outgoing DNS requests encode victim machines' domain name into the subdomain so that the attacker is able to identify victims," said Stephen Eckels, a reverse engineer on the FLARE team at FireEye's Mandiant, during a SANS Institute webcast in January.
At that point the attackers could vary their response to particular DNS requests, directing selected victims to upgrade to HTTP-based command and control (C2). This was where the attackers decided whether a company warranted a secondary attack.
If a company was deemed a worthy target, the backdoor performed another DNS callout. Even then the malware "continues to beacon over DNS simultaneously, so that it may receive other state transitions that tell it to keep running, shutdown, or otherwise sleep," said Eckels.
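The beaconing Eckels describes, with a victim identifier carried in the leftmost DNS label, leaves a pattern that passive DNS logs can surface: one parent zone receiving queries for many distinct, long, high-entropy subdomains from different internal clients. The script below is an added example written for this article, not Cisco's, FireEye's or SolarWinds' code, and it does not reproduce Sunburst's real encoding. The base32 encoding, the parent zone `telemetry.example.net`, the victim domains, the log format and the thresholds are all assumptions constructed for illustration; it shows the hypothetical beacon side so that the detector has realistic input to run over.

```python
"""Spot DNS beaconing that smuggles a victim identifier in subdomain labels.

Added example, not code from Cisco, FireEye/Mandiant or SolarWinds.
The encoding scheme, zone names, victim domains and log lines are constructed.
"""
import base64
import math
from collections import defaultdict

# Constructed attacker-controlled zone used by the hypothetical beacon.
BEACON_PARENT = "telemetry.example.net"
# Constructed victim Active Directory domains for the sample log.
VICTIMS = ["corp.local", "finance.example.corp", "lab.internal"]


def encode_beacon(victim_domain, parent=BEACON_PARENT):
    """Hypothetical beacon: base32-encode the victim's domain into the leftmost
    label. This is an assumed encoding for illustration, not Sunburst's scheme."""
    label = base64.b32encode(victim_domain.encode()).decode().rstrip("=").lower()
    return f"{label}.{parent}"


def decode_beacon(qname, parent=BEACON_PARENT):
    """Reverse encode_beacon: strip the parent zone, re-pad and base32-decode."""
    if not qname.endswith("." + parent):
        raise ValueError(f"{qname} is not under {parent}")
    label = qname[: -(len(parent) + 1)]
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded).decode()


# Constructed query log, one query per line: "<epoch> <client> <qname> <qtype>".
SAMPLE_LOG = "\n".join([
    "1610000001 10.1.2.3 www.example.com A",
    f"1610000002 10.1.2.4 {encode_beacon(VICTIMS[0])} A",
    "1610000003 10.1.2.3 mail.example.com A",
    "1610000004 10.1.2.3 cdn-static-assets.example.org A",
    f"1610000005 10.1.2.5 {encode_beacon(VICTIMS[1])} A",
    "1610000006 10.1.2.3 www.example.com A",
    f"1610000007 10.1.2.6 {encode_beacon(VICTIMS[2])} A",
    f"1610000008 10.1.2.4 {encode_beacon(VICTIMS[0])} A",  # same host beacons again
])


def parse_log(text):
    """Parse the constructed log format into dicts; qnames are normalised."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        rows.append({"ts": int(ts), "client": client,
                     "qname": qname.lower().rstrip("."), "qtype": qtype})
    return rows


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_beacon_parents(rows, min_label_len=12, min_entropy=3.0, min_unique=3):
    """Return {parent_zone: sorted suspicious labels} for every parent zone that
    received at least min_unique distinct long, high-entropy leftmost labels.
    Thresholds are illustrative; tune them against your own baseline."""
    by_parent = defaultdict(set)
    for r in rows:
        labels = r["qname"].split(".")
        if len(labels) < 3:
            continue  # need at least label.zone.tld to have a "parent" to group on
        left, parent = labels[0], ".".join(labels[1:])
        if len(left) >= min_label_len and shannon_entropy(left) >= min_entropy:
            by_parent[parent].add(left)
    return {p: sorted(ls) for p, ls in by_parent.items() if len(ls) >= min_unique}


if __name__ == "__main__":
    hits = find_beacon_parents(parse_log(SAMPLE_LOG))
    for parent, labels in hits.items():
        print(f"suspicious parent zone: {parent} ({len(labels)} distinct labels)")
        for label in labels:
            print("  ", label, "->", decode_beacon(f"{label}.{parent}"))
```

The detector keys on the query side only, which is what a resolver log retains even when the attacker's answers (here, the varying responses that steered chosen victims to HTTP C2) were never captured. Expect false positives from content delivery networks and cloud services that also hand out long machine-generated labels; the value of the grouping is that it turns thousands of individual queries into a short list of parent zones to check against threat intelligence and your own allow list.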