Threats at the domain level are more frequent nowadays. The number of dangerous dormant domains is increasing, and analysts warn that around 22.3 percent of intentionally aged domains represent some form of risk.
When it was revealed that the SolarWinds threat actors relied on domains registered years before their malicious operations began, researchers were taken aback.
As a result, attempts to detect strategically aged domains before they can launch assaults or assist harmful activities have increased.
A report from Palo Alto Networks’ Unit42 discloses their researchers’ conclusions after scanning tens of millions of domains per day in September 2021.
They concluded that around 3.8 percent are malicious, 19 percent are suspicious, and 2 percent are hazardous to workplaces.
The purpose of registering a domain before threat actors utilize it is to generate a “clean record” that will prevent security detection systems from compromising the success of harmful campaigns.
Because newly registered domains (NRDs) are more likely to be malicious, security solutions treat them as suspicious and have a higher likelihood of flagging them.
According to BleepingComputer, a quick increase in a domain’s traffic suggests it is most likely malicious, while traffic for legitimate services with domains registered months or years ago develops gradually.
Illegitimate domains, by contrast, usually carry incomplete, questionable, or copied content and lack WHOIS registrant information.
A domain’s use of DGA (domain generation algorithm) subdomain generation, which produces large numbers of unique domain names and IP addresses, might also suggest an old domain built with malicious intent in mind.
According to Unit42’s analysis, strategically aged domains are three times more likely to be malicious than NRDs.
In other situations, these domains were dormant for two years before their DNS traffic jumped 165 times, signaling the start of an attack.
A figure to represent the statistics of the examined domains:
Researchers explain that threat actors may register a domain long before launching a campaign from it. This method is motivated by a variety of factors. To begin with, the older a domain is, the more likely it is to avoid reputation-based detection.
Second, C2 domains associated with APTs might go dormant for years. APT trojans only send limited “heartbeat” traffic to their C2 servers during the idle phase. Once the attackers select targets and move to penetrate them, traffic to the C2 domain rises considerably.
As a result, it’s critical to keep an eye on domain activity and look for risks lurking behind old names with unusual traffic spikes.
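The signals described above (a domain’s age, missing WHOIS registrant data, DGA-like subdomain churn, and a sudden traffic jump after a long quiet period) can be combined into a simple triage pass over passive-DNS style records. The following is an added example written for this article; it is not code from Unit42 or from the report. The records, the DomainRecord fields, the triage() function and every threshold (32-day NRD window, 30-day dormancy baseline, 50x spike ratio, 3.5-bit entropy cutoff) are assumptions chosen for illustration, not values taken from the report.

```python
"""Heuristic triage of DNS activity for strategically aged domains.

Added example, not from the Unit42 report or the article.  It scores
constructed passive-DNS style records for the signals the text describes:
domain age, a traffic jump after a dormant window, missing WHOIS data,
and DGA-like subdomain labels.  All thresholds are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from math import log2
from statistics import median

NRD_MAX_AGE_DAYS = 32      # assumption: what "newly registered" means here
AGED_MIN_AGE_DAYS = 365    # assumption: old enough to carry a "clean record"
DORMANT_MAX_DAILY = 5      # assumption: at most this many queries/day counts as idle
MIN_DORMANT_DAYS = 30      # assumption: length of the quiet baseline window
SPIKE_RATIO = 50.0         # assumption: latest/baseline ratio that counts as a jump
DGA_ENTROPY_BITS = 3.5     # assumption: mean label entropy that looks machine-made


@dataclass
class DomainRecord:
    name: str
    registered: date
    whois_registrant: bool
    daily_queries: list[int]           # oldest first; last entry is the latest day
    subdomains: list[str] = field(default_factory=list)


def domain_age_days(rec: DomainRecord, today: date) -> int:
    return (today - rec.registered).days


def dormancy_spike(counts: list[int]):
    """Return (baseline, ratio) if the window before the latest day was dormant.

    Baseline is the median of that window; ratio compares the latest day to it.
    Returns None when there is too little history or the domain was never idle.
    """
    if len(counts) < MIN_DORMANT_DAYS + 1:
        return None
    window = counts[-(MIN_DORMANT_DAYS + 1):-1]
    if max(window) > DORMANT_MAX_DAILY:
        return None  # steady traffic: not a dormant domain waking up
    baseline = median(window)
    latest = counts[-1]
    return baseline, latest / max(baseline, 1)


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values())


def dga_like(subdomains: list[str]) -> bool:
    """Many distinct, high-entropy leftmost labels suggest algorithmic generation."""
    labels = {s.split(".")[0] for s in subdomains}
    if len(labels) < 5:
        return False
    return sum(label_entropy(l) for l in labels) / len(labels) >= DGA_ENTROPY_BITS


def triage(rec: DomainRecord, today: date) -> list[str]:
    """Return the list of reasons a record deserves analyst attention (empty if none)."""
    reasons = []
    age = domain_age_days(rec, today)
    if age <= NRD_MAX_AGE_DAYS:
        reasons.append("newly registered domain")
    if not rec.whois_registrant:
        reasons.append("no WHOIS registrant information")
    spike = dormancy_spike(rec.daily_queries)
    if spike is not None and spike[1] >= SPIKE_RATIO:
        reasons.append(f"{spike[1]:.0f}x jump after {MIN_DORMANT_DAYS}+ dormant days")
        if age >= AGED_MIN_AGE_DAYS:
            reasons.append("strategically aged: old domain with sudden activity")
    if dga_like(rec.subdomains):
        reasons.append("DGA-like subdomain labels")
    return reasons


# Constructed sample data (not real domains or observed traffic).
TODAY = date(2021, 9, 15)
_DGA_LABELS = ["a8f3k2x9q1z7m4p6", "b5n0w3r8t1y6u2i9", "c4v7e2h9j1l3o5s8",
               "d6g1q4z8x2w5k0m3", "f9p2r5t7y1u4i6o8"]
SAMPLE = [
    # Registered in 2019, near-zero traffic for weeks, then 330 queries in one day.
    DomainRecord("example-aged.test", date(2019, 6, 1), False,
                 [0] * 40 + [1, 0, 2] + [330],
                 [f"{l}.example-aged.test" for l in _DGA_LABELS]),
    # Long-lived service with steady daily traffic and ordinary hostnames.
    DomainRecord("steady-legit.test", date(2015, 3, 10), True,
                 [120 + (i % 7) for i in range(44)],
                 ["www.steady-legit.test", "mail.steady-legit.test"]),
    # Registered two weeks ago: flagged purely on age.
    DomainRecord("fresh-nrd.test", date(2021, 9, 1), True, [0] * 10 + [40]),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.name, "->", triage(rec, TODAY) or ["no findings"])
```

The dormancy check deliberately returns None for a domain with steady traffic, so a busy legitimate service is never scored as a “spike” merely because one day is above average; only a quiet baseline followed by a jump matches the pattern the report describes.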
Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud. Want a consultation with the professionals at Rogue Logics? Contact us and get a free quote.