There are more malicious domains online than ever

Thousands of new domains are registered every day for businesses and individuals to build websites, but new research from Palo Alto Networks has found that cybercriminals often register malicious domains years before they intend to use them.

Unit 42, Palo Alto Networks' threat research team, began investigating dormant malicious domains after it emerged that the threat actors behind the SolarWinds supply-chain attack (whose intrusion dates back to 2019) had used them. To identify strategically aged domains and monitor their activity, Palo Alto Networks launched a cloud-based detector in September 2021.

According to the researchers' findings, 22.3% of strategically aged domains pose some form of danger: a small portion are outright malicious (3.8%), a majority are suspicious (19%), and some are unsafe for work (2%).

The reason cybercriminals and other malicious actors let a domain age is to build a "clean record", so the domain is less likely to be blocked when it is finally put to use. Newly registered domains (NRDs), by contrast, are more likely to be malicious than established domains and are therefore routinely flagged as suspicious by security products. Yet, according to Palo Alto Networks, strategically aged domains are three times more likely to be malicious than NRDs.

Detecting dormant malicious domains

A sudden spike in traffic to a strategically aged domain is a strong sign that the domain is malicious. Legitimate websites normally see their traffic grow gradually from the moment they are created, as more people discover the site through word of mouth or advertising; a domain that sits idle for years and then abruptly receives a burst of DNS queries does not fit that pattern.

Domains not intended for legitimate use also tend to have incomplete, cloned, or questionable content, and usually lack WHOIS registrant details. Another sign that a domain was registered to be used later in malicious campaigns is the generation of DGA subdomains.

For those unfamiliar, a domain generation algorithm (DGA) is a method for producing large numbers of pseudo-random domain names (resolving to attacker-controlled IP addresses) that serve as command-and-control (C2) rendezvous points; because the names change constantly, static block lists and signature-based detection struggle to keep up. By examining DGA subdomain activity alone, Palo Alto Networks' cloud-based detector was able to identify two suspicious domains per day.
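To make the two heuristics above concrete, here is an added example (not code from Unit 42 or from the article) that runs them over a handful of constructed passive-DNS records. Every threshold (two years for "aged", a 10x spike over the prior-days baseline, the entropy and vowel-ratio cutoffs for DGA-like labels) and every record in `SAMPLE_RECORDS` is an assumption made for illustration, not a value from the research.

```python
"""Added example: flag strategically aged domains that show a sudden traffic
spike and/or DGA-like subdomains. Data and thresholds are constructed, not
taken from the Unit 42 research."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Illustrative thresholds (assumptions, not Unit 42's tuning).
MIN_AGE_DAYS = 2 * 365        # "aged": registered at least two years ago
SPIKE_RATIO = 10.0            # today's queries vs. mean of the prior days
SPIKE_MIN_QUERIES = 100       # ignore noise on near-zero baselines
DGA_MIN_ENTROPY = 3.0         # bits/char of a subdomain label
DGA_MIN_LABELS = 5            # how many random-looking labels before we care


@dataclass
class DomainRecord:
    """One domain as seen in (constructed) passive DNS."""
    domain: str
    registered: date
    daily_queries: list[int]                      # oldest .. newest; last = today
    subdomains: list[str] = field(default_factory=list)


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a label (0.0 for an empty label)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_dga(label: str) -> bool:
    """Heuristic: long, alphanumeric, high-entropy, vowel-poor label.
    Real DGA classifiers use n-gram models; this is deliberately simple."""
    if len(label) < 8 or not label.isalnum():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= DGA_MIN_ENTROPY and vowel_ratio < 0.3


def is_aged(rec: DomainRecord, today: date) -> bool:
    return (today - rec.registered).days >= MIN_AGE_DAYS


def traffic_spike(rec: DomainRecord) -> tuple[bool, float]:
    """Compare today's query count with the mean of all prior days.
    A floor of 1.0 on the baseline avoids division by zero for dormant domains."""
    *prior, today_q = rec.daily_queries
    if not prior:
        return False, 0.0
    baseline = max(sum(prior) / len(prior), 1.0)
    ratio = today_q / baseline
    return (ratio >= SPIKE_RATIO and today_q >= SPIKE_MIN_QUERIES), ratio


def dga_subdomain_labels(rec: DomainRecord) -> list[str]:
    return [s for s in rec.subdomains if looks_dga(s)]


def assess(rec: DomainRecord, today: date) -> list[str]:
    """Reasons an aged domain looks suspicious; empty for clean or non-aged domains.
    NRDs are deliberately skipped: they are a separate detection problem."""
    if not is_aged(rec, today):
        return []
    findings: list[str] = []
    spiked, ratio = traffic_spike(rec)
    if spiked:
        findings.append(f"traffic spike x{ratio:.0f} over baseline")
    dga = dga_subdomain_labels(rec)
    if len(dga) >= DGA_MIN_LABELS:
        findings.append(f"{len(dga)} DGA-like subdomains")
    return findings


def run_detector(records: list[DomainRecord], today: date) -> dict[str, list[str]]:
    return {rec.domain: assess(rec, today) for rec in records}


TODAY = date(2021, 7, 15)  # assumed observation date

# Constructed sample data (not real domains or real telemetry).
SAMPLE_RECORDS = [
    # Aged, dormant for years, then a sudden burst plus DGA-style subdomains.
    DomainRecord("example-aged.test", date(2019, 3, 2),
                 [0, 1, 0, 0, 2, 0, 1, 3400],
                 ["x7k3pq9zd2", "q9w2er4ty8", "zx1cv5bn7m",
                  "pl0okm9ijn", "ab3cde4fgh", "www"]),
    # Aged with organic, gradual growth and ordinary subdomains.
    DomainRecord("example-shop.test", date(2016, 5, 20),
                 [900, 950, 1000, 1020, 1100, 1150, 1200, 1300],
                 ["www", "shop", "mail", "api"]),
    # Newly registered with a spike: out of scope for the aged-domain heuristic.
    DomainRecord("example-new.test", date(2021, 7, 1),
                 [0, 0, 5, 200, 2500, 3000, 3100, 3300], ["www"]),
]

if __name__ == "__main__":
    for domain, findings in run_detector(SAMPLE_RECORDS, TODAY).items():
        print(f"{domain}: {findings or 'no findings'}")
```

The spike check compares today's count with the mean of all prior days rather than with a fixed number, because the point is the shape of the curve: an established site with 1,000 queries a day that jumps to 1,300 is growth, while a domain that saw a handful of queries in years and then thousands in a day is the "parked then activated" pattern. In production you would feed this from a passive-DNS or resolver log stream and replace `looks_dga` with a trained classifier.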

During its investigation, the firm uncovered a Pegasus espionage campaign that used two C2 domains registered in 2019 and activated two years later, in July 2021. Palo Alto Networks researchers also found other campaigns that relied on DGA subdomains and wildcard DNS abuse.

Via BleepingComputer