Infoblox, a cloud networking and security services provider, reports a surge in Domain Name System (DNS)-based cyberthreats and increasingly sophisticated adversaries leveraging AI-enabled deepfakes, malicious adtech* and evasive domain tactics.
Source: Infoblox. Cover for the 2025 DNS Threat Landscape Report.
The company's 2025 DNS Threat Landscape Report, released in early August, uses pre-attack telemetry and real-time analysis of DNS queries from thousands of customer environments—with over 70 billion DNS queries per day—to offer a comprehensive view into how threat actors exploit the DNS to deceive users, evade detection and hijack trust.
“This year’s findings highlight the many ways in which threat actors are taking advantage of DNS to operate their campaigns, both in terms of registering large volumes of domain names and also leveraging DNS misconfigurations to hijack existing domains and impersonate major brands,” said Dr Renée Burton, head of Infoblox Threat Intel.
“The report exposes the widespread use of traffic distribution systems (TDS) to help disguise these crimes, among other trends security teams must look out for to stay ahead of attackers.”
Since its inception, Infoblox Threat Intel has identified a total of over 660 unique threat actors and more than 204,000 suspicious domain clusters, meaning a group of domains believed to be registered by the same actor. Over the past 12 months, Infoblox researchers have published research covering 10 new actors. They have uncovered more about malicious adtech as well.
Report highlights include:
- Of the 100.8 million newly-observed domains in the past year, one in four (25.1%) were classified as malicious or suspicious.
- Nearly all (95%) of threat-related domains were observed in only one customer environment, underscoring how hard it is for the security industry to detect and stop threats that never show up twice.
- Eight in 10 customer environments (82%) queried domains associated with malicious adtech, which rotate a massive number of domains to evade security tools and serve malicious content.
- Nearly 500,000 traffic distribution system (TDS) domains were seen in the last 12 months within Infoblox networks.
- Daily detection of DNS tunnelling, data exfiltration and command and control, including activity from the adversary simulation tool Cobalt Strike and the open source adversary emulation tool Sliver, as well as from custom tools, which require machine learning (ML) algorithms to detect.
Over the year, threat actors continuously registered, activated and deployed new domains, often in very large sets through automated registration processes. By increasing their number of domains, threat actors can bypass traditional forensic-based defences, which are built on a “patient zero” approach to security. This reactive approach relies on detecting and analysing threats after they have already succeeded somewhere else in the world, that is, after the first victim, or patient zero, has been created. As attackers leverage more infrastructure, the sheer volume of new domains renders this approach ineffective.
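The two points above, that tunnelling and exfiltration over DNS have to be detected from query patterns rather than from known-bad names, and that a "patient zero" blocklist cannot keep up with freshly registered domains, can be illustrated with a small heuristic detector. The following is an added example written for this page; it is not Infoblox's code or a description of its detection models. The log format, the thresholds, the registered-domain split (last two labels, without a Public Suffix List lookup) and every domain name in it are assumptions made for illustration, and the log lines are constructed.

```python
# Added example (not Infoblox's code): heuristic detection of DNS tunnelling /
# exfiltration from query logs, contrasted with a static blocklist. The log
# format, thresholds and domain names are assumptions for illustration.
import math
from collections import defaultdict

# Constructed sample log: "<epoch> <client-ip> <qname> <qtype>" per line.
# 10.0.0.9 sends hex-encoded chunks as TXT lookups under a fresh attacker
# domain (exfil-test.invalid); the other clients look like ordinary traffic.
SAMPLE_LOG = """\
1722470401 10.0.0.5 www.example.com A
1722470402 10.0.0.5 cdn.example.com A
1722470403 10.0.0.7 mail.example.org MX
1722470404 10.0.0.9 4d7a6b9e2f1c3a5b.exfil-test.invalid TXT
1722470405 10.0.0.9 9f3e1a7c5d2b4e6a.exfil-test.invalid TXT
1722470406 10.0.0.9 a1b2c3d4e5f60718.exfil-test.invalid TXT
1722470407 10.0.0.9 0c1d2e3f4a5b6c7d.exfil-test.invalid TXT
1722470408 10.0.0.9 ffeeddccbbaa9988.exfil-test.invalid TXT
1722470409 10.0.0.5 img1.cdn-example.net A
1722470410 10.0.0.5 img2.cdn-example.net A
1722470411 10.0.0.5 img3.cdn-example.net A
1722470412 10.0.0.5 img4.cdn-example.net A
1722470413 10.0.0.5 img5.cdn-example.net A
1722470414 10.0.0.7 api.example.com A
"""

# Stand-in for a "patient zero" feed: it only lists a domain that has
# already been reported after harming someone else.
KNOWN_BAD = {"already-reported.invalid"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain). Assumes the last two labels are
    the registered domain; a real deployment would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    """Parse the constructed log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower(), qtype.upper()))
    return records


def profile_domains(records):
    """Aggregate per-registered-domain features that tunnelling tends to skew."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(),
                                 "len_sum": 0, "ent_sum": 0.0, "bulky": 0})
    for _ts, _client, qname, qtype in records:
        base, sub = split_qname(qname)
        d = stats[base]
        payload = sub.replace(".", "")       # encoded data rides in the labels
        d["queries"] += 1
        d["subs"].add(sub)
        d["len_sum"] += len(payload)
        d["ent_sum"] += shannon_entropy(payload)
        if qtype in ("TXT", "NULL", "CNAME"):  # large answers, favoured by tunnels
            d["bulky"] += 1
    return stats


def suspected_tunnels(records, min_queries=5, min_unique_ratio=0.8,
                      min_mean_len=12, min_mean_entropy=3.0, min_bulky_ratio=0.5):
    """Registered domains whose query pattern looks like tunnelling. Every
    feature must fire together so a busy but benign CDN is not flagged."""
    flagged = []
    for base, d in profile_domains(records).items():
        q = d["queries"]
        if q < min_queries:
            continue
        if (len(d["subs"]) / q >= min_unique_ratio
                and d["len_sum"] / q >= min_mean_len
                and d["ent_sum"] / q >= min_mean_entropy
                and d["bulky"] / q >= min_bulky_ratio):
            flagged.append(base)
    return sorted(flagged)


def blocklist_hits(records, blocklist):
    """Domains a reactive blocklist would have caught in the same log."""
    return sorted({split_qname(q)[0] for _, _, q, _ in records
                   if split_qname(q)[0] in blocklist})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocklist hits :", blocklist_hits(recs, KNOWN_BAD))  # []
    print("heuristic flags:", suspected_tunnels(recs))          # ['exfil-test.invalid']
```

The blocklist finds nothing because the attacker's domain has never been reported anywhere, which is the patient-zero gap the report describes, while the per-domain profile flags it from the traffic itself: every query carries a unique, long, high-entropy label and asks for a bulky record type. The same feature set leaves cdn-example.net alone because its subdomains are short and low-entropy, which is why the thresholds are applied jointly rather than individually; in production the fixed thresholds would be replaced by a trained model, as the report's reference to ML-based detection suggests.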
The report also found that actors are using these domains for an array of malicious purposes, from creating phishing pages to deploying malware through drive-by downloads, as well as engaging in fraudulent activities and scams, such as fake cryptocurrency investment sites.
These findings underscore a pressing need for organisations to be proactive in the face of AI-equipped attackers, Infoblox said, adding that investing in preemptive security can be the deciding factor in successfully thwarting threat actors. The company says its protective DNS solution uses predictive threat intelligence to block 82% of threat-related queries before their initial impact.
Explore
Read the Infoblox DNS Threat Landscape Report 2025 at https://www.infoblox.com/resources/report/infoblox-2025-dns-threat-landscape-report
*Infoblox defines advertising technology, or adtech, as "the collection of technologies and tactics marketers use to increase the effectiveness of their efforts by engaging online audiences in a highly targeted fashion". According to the company, malicious adtech encourages victims to take high-risk actions that can lead to phished credentials and unauthorised access.