Security news that informs and inspires

How to Unearth Ransomware, Infostealer Trends From Malicious Domain Data

By

Ben Nahorney, threat intelligence analyst with Cisco, gives an inside look at Cisco’s “Cyber Threat Trends Report: From Trojan Takeovers to Ransomware Roulette” and talks about how his team digs into malicious DNS activity to unearth new insights about threat actor activity involving information stealers, ransomware and trojans.

Below is a lightly edited transcript of the conversation.

Lindsey O'Donnell-Welch: This is Lindsey O'Donnell-Welch with Decipher. I'm here today with Ben Nahorney, threat intelligence analyst with Cisco, and we're going to talk about Cisco's recent Cyber Threat Trends Report: From Trojan Takeovers to Ransomware Roulette. Ben, thanks so much for joining me today. How's it going?

Ben Nahorney: Doing well. Thanks for having me, Lindsey. Appreciate being on the podcast.

Lindsey O'Donnell-Welch: I was just reading over this report, there were a lot of really cool takeaways and it all stemmed from looking specifically at DNS data. That can tell us a lot about the prevalent threats out there and kind of how they work. Tell me a little bit about this report and the actual act of putting it all together.

Ben Nahorney: Sure, yeah, it's kind of an interesting angle to look at within the threat landscape, when we're looking at DNS related activity. Because when you think about how a lot of threats work in the modern era, you've got everything kind of connecting out to the internet, anything from a backdoor to infostealers exfiltrating data. Essentially, they all need internet related connectivity to carry out their malicious activity. So DNS activity is a great area to look at when it comes to seeing how active certain threats are and seeing what's actually happening in the threat landscape. So yeah, what we ended up doing with this report was taking a look at that data that we're seeing from the DNS side of things, and we have a lot of DNS security related features and tools out there within Cisco. Some of those biggest ones to talk about - two products would be Cisco umbrella and Cisco Secure Access, both of which monitor DNS related activity and offer a lot of functionality around blocking malicious threats.

So we see lots and lots of DNS activity within Cisco, so much so that we look at an average of around 715 billion DNS requests a day. So within that, we're looking at all the malicious activity that's there.

So, essentially, we're able to classify a lot of this activity into various categories. And that's what we looked at in the threat report that we released. It's a variety of stuff ranging from seeing inflostealer activity, ransomwares, trojans, backdoors, APTs, all sorts of different things. And then we looked to see what sort of activity was the most prevalent. Some of that can be very noisy, you know, being DNS related, but it shows you the proportion of traffic that we're seeing for all these different threats.

Lindsey O'Donnell-Welch: Yeah, how do you even begin to approach that data and look out for some of those patterns that you're talking about? It's so much data there and I'm sure that there are different specific characteristics that you need to kind of look at. How do you even start to do that?

"We're looking at that sort of data... and collectively bringing that together to ultimately see what larger trends we're seeing across our customer base which, gives given its size, gives us kind of a good representation of what we see in the larger threat landscape."

Ben Nahorney: Yeah, exactly. It's just a mountain of data. So we want to take all this data and put it in some form that's digestible for the average reader or the average security person or just anyone that might be interested in this sort of information. So ultimately what we kind of have done is we take all these things that we know are blocked and known blocked websites that we know are malicious. And these have been classified by Umbrella and by Secure Access into these different categories. So starting from there, you're still talking about millions and millions of blocks, basically. So a way that we thought would be kind of nice to put that into something that's understandable is we averaged out the monthly activity over a time frame. So what we're actually looking at in this report is data starting in August of 2023 through March of 2024.

And so then we basically… took a look at each month, and got an average over that time frame by month and used that as a basis to start looking at this activity, based on each one of these categories. So then taking that, when you have an average for the time frame, we're able to then compare each month. And so what we did is we looked to see whether a particular month was above average compared to the average for the whole time period or below average. And then that kind of teases out a trend that we can look at and examine to see ultimately if activity is increasing or decreasing over the timeframe that we looked at.

Lindsey O'Donnell-Welch: Yeah, that's a great way to approach it because then you can see, you know, month by month, but then also if there is a broader change, like you're talking about, then that's something that you can also kind of discern through that data.

How did you first sit down and kind of say, here's the different types of threat categories that we need to create, and then how did you look at the different clues of each activity and how it would fall into each category?

Ben Nahorney: Well, fortunately, a lot of this is actually done behind the scenes. So if someone is actually using something like Cisco Umbrella or Cisco Secure Access, they can actually look at their own information themselves, their own malicious blocks, and actually categorize these within the product. So we're actually taking these out of the product itself, these threat categories that we have, and looking at those in particular. um but they're largely automated as far as how they're actually detected and classified.

Now, some of that is interesting in the sense that you get into threat actors may be using particular domains that are brand new. Those would be generally flagged by Umbrella right away, say one customer sees something. Then ultimately, say it’s 24 hours old, it goes, wait a minute, that's a very new domain. Maybe this could be a little strange for suddenly popping up in a whole bunch of messages or say emails, for instance. It'll flag that as a new domain. Then there's some backend work that's done to look more carefully at that yeah URL, find out what's going on there. If it turns out to be that your aunt Jenny has created a new website to share famous cookie recipes, that's something that they'll realize, okay, this is all right. But if it is malicious activity, it gets categorized based on a whole variety of parameters within Umbrella itself.

And then ultimately those categories are present within the dashboards that you'd be looking at for that. What we're doing on our side basically is looking across the entire customer base and everything that people that are using Umbrella are seeing and are willing to share back with us - It's worth pointing out, it's an opt-in sort of situation, we're not just taking information from customers. We're ultimately making sure that it's something that they've agreed to do. So it's opt-in to start. So then we're looking at that sort of data from all that that customer base that's sharing with us and collectively bringing that together to to ultimately see what sort of larger trends we're seeing across our customer base which, gives given its size, gives us kind of a good representation of what we see in the larger threat landscape.

"Information stealers were the most prevalent."

Lindsey O’Donnell-Welch: Right, right. And can you talk a little bit about what trends you did see? And was there anything that really jumped out to you and surprised you in your different findings from the report?

Ben Nahorney: Yeah, actually there were a couple of really interesting things that I saw and it gave us some time to kind of look at this and sort of see some behavior that we're seeing from particular areas of the threat landscape. Probably the first one I'd bring up that was the most interesting I thought had to do with information stealers. Now, information stealers was our most active category this time around when we were looking at threat landscape-related activity on the DNS side. And that probably doesn't come as too much of a surprise if you stop to think about how much activity, or the way that that information information stealers would use an internet connection. Ultimately, you'd have a bad activist going in there and they are getting into an environment and then they're trying to find this PII or trade secret information and whatnot and trying to steal that.

So ultimately, what you're talking about then is a lot of DNS activity as they attempt to exfiltrate those secrets or information that they're stealing from an organization. So it is a little bit noisy. On top of that, we also categorize things like audio and video related threats that might be listening in on say conference calls or say WebEx calls or something along those lines. Those are the sort of things that would follow this classification too, and so that would also have a large amount of DNS activity.

So information stealers were the most prevalent. But what was really interesting about that was that we noticed a pattern fall within this activity. We would see about three months of above average activity, given the way that we were looking at this data, followed by one month where it was below average, for one month. Then three months, it was above average again, and then the following month below average.

So what we kind of theorize is happening in this case is we, what these bad actors, what they're probably doing is going out, they're gathering as much information as they can for three month periods. But, you know, it's one thing to gather that information, right? It's another thing to actually find that useful stuff that's in there. So what we think they're actually doing is three months of gathering and then they kind of dial back a bit. They don't drop their activity entirely for the month. but they dial it back a bit and maybe examine what they've already gathered for a month. So what you're talking about, is three months of gathering, one month of basically sifting through all that gathered information, and then they go back at it for another three months, and then take another month to dial it back and look at what they have.

Lindsey O’Donnell-Welch: That's a really interesting trend because I feel like it gives us a glimpse, too, of what's going on on the threat actor side of things. And that was one big part of the report that I thought was particularly fascinating was that you can make these potential correlations between the different data trends. For instance, you noted about the majority of backdoor activity being you know observed could be attributed to Cobalt Strike, but then you saw a spike of activity in October that coincided with a similar spike with RAT activity and that spike could be attributed potentially to the release of a new version of Cobalt Strike. How do you look at these different patterns and say what's really going on here behind the scenes and kind of between the lines?

"Ultimately it just comes down to monitoring that DNS traffic. Keep an eye on those logs on the DNS side and look out for malicious patterns and various things that could indicate malicious activity within your network."

Ben Nahorney: Yeah, there's a certain amount of looking at data and then trying to correlate it with what's happening, from anything from news articles to social media related activity, what people out there, researchers are talking about, and trying to see if there's something that correlates. This is really, there's a lot of interesting things that we can make educated guesses about what's actually happening out there. But one of the goals that I personally have with a lot of this is to extend this even further and try to figure out more specifically tying you know spikes to particular you know set activities, just like it is with Cobalt Strike. That's one of the easier ones to make a connection because you see the Cobalt Strike official software coming out with a new release. And lo and behold, there's more activity around that shortly thereafter. So ultimately, it's neat to be able to tie more of those together as we go through. Another interesting one that we saw was correlations between different categories entirely, one of those being ransomware and droppers. So when you look at the pattern, we would see month on month for ransomware, and you compare it to droppers, there were almost mirror images of each other - very little difference and or very little changes between the two charts.

And that seems pretty obvious that what you're probably seeing in that case is bad actors using droppers… and then attempting to seed ransomware through those droppers.

Lindsey O’Donnell-Welch: Were there other patterns that you noticed over time that really stood out to you?

Ben Nahorney: Yeah, there was one other that really caught me there and it ties in back to these droppers and ransomware. And that's that we had a direct correlation between those two, but however, when we looked at trojans, we actually seemed to see a reverse correlation in that during the timeframe as a whole, ultimately, these ransomware and droppers had low activity in the first part and then high activity.

What we saw was the opposite of trojans, where it was high activity at the beginning and low at the end. And what we believe is happening in this case is that the trojans are being used as a step prior to the droppers. They're using a variety of different trojans. It's a very large category. It was actually our second highest activity as far as all the different categories we saw. But there's, you know how Trojans are, they're kind of like a swiss army knife of malicious code, if you will. They can do all sorts of things. So they're a real useful tool for getting in there, compromising an organization, lateral movement, basically getting backdoor connections set up, reverse shells, etc., and being able to take over those networks. Then what the threat actor would end up doing is using the droppers, perhaps through a Trojan, and then using those droppers to get the ransomware payload. So what we're seeing is a lot of activity early on with those Trojans as they take over that network, followed by a drop in trojan activity as droppers and ransomware increases in activity.

Lindsey O’Donnell-Welch: Now, when you're looking at the report, are there any kind of takeaways there for businesses that are looking to defend against these types of threats? What did you find specifically in that area?

Ben Nahorney: So yes, there are a variety of things that they can do to protect against threats like this. Probably the most obvious, given what the subject matter we're talking about here, is to implement DNS filtering, to use various filtering services to block access to known malicious domains and IP addresses. But then also to leverage threat intelligence, to be able to basically keep up on the latest malicious hosts. You really want to stay up to date on that sort of list. They change all the time. So threat intelligence around malicious sites and using DNS security to block them. It can be a really helpful way to go about stopping that.

And then ultimately it just comes down to monitoring that DNS traffic. Keep an eye on those logs on the DNS side and look out for malicious patterns and various things that could indicate malicious activity within your network.