{"id":51110,"date":"2023-03-14T21:50:00","date_gmt":"2023-03-14T21:50:00","guid":{"rendered":"https:\/\/www.csoonline.com\/article\/3690518\/dns-data-shows-one-in-10-organizations-have-malware-traffic-on-their-networks.html#tk.rss_security"},"modified":"2023-03-14T21:50:00","modified_gmt":"2023-03-14T21:50:00","slug":"dns-data-shows-one-in-10-organizations-have-malware-traffic-on-their-networks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/dns-data-shows-one-in-10-organizations-have-malware-traffic-on-their-networks\/","title":{"rendered":"DNS data shows one in 10 organizations have malware traffic on their networks"},"content":{"rendered":"
<\/div>\n

During every quarter last year, between 10% and 16% of organizations had DNS traffic originating on their networks towards command-and-control (C2) servers associated with known botnets and various other malware threats, according to a report from cloud and content delivery network provider Akamai<\/a>.<\/p>\n

More than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access into corporate networks to other cybercriminals, the report stated. \u201cAs we analyzed malicious DNS traffic of both enterprise and home users, we were able to spot several outbreaks and campaigns in the process, such as the spread of FluBot, an Android-based malware moving from country to country around the world, as well as the prevalence of various cybercriminal groups aimed at enterprises,\u201d Akamai said. \u201cPerhaps the best example is the significant presence of C2 traffic related to initial access brokers (IABs) that breach corporate networks and monetize access by peddling it to others, such as ransomware as a service (RaaS) groups.\u201d<\/p>\n

Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to seven trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, including those that host phishing pages, serve malware, or are used for C2.<\/p>\n

Malware could affect a very large pool of devices<\/h2>\n

According to the data, between 9% and 13% of all devices seen by Akamai making DNS requests every quarter, tried to reach a malware-serving domain. Between 4% and 6% tried to resolve known phishing domains and between 0.7% and 1% tried to resolve C2 domains.<\/p>\n

The percentage for C2 domains might seem small at first glance compared to malware domains but consider we’re talking about a very large pool of devices here, capable of generating 7 trillion DNS requests per day. A request to a malware-hosting domain doesn’t necessarily translate to a successful compromise because the malware might be detected and blocked before it executes on the device. However, a query for a C2 domain suggests an active malware infection.<\/p>\n

Organizations can have thousands or tens of thousands of devices on their networks and one single compromised device can lead to complete network takeovers, as in most ransomware cases, due to attackers employing lateral movement techniques to jump between internal systems. When Akamai’s C2 DNS data is viewed per organization, more than one in 10 organizations had an active compromise last year.<\/p>\n