Cisco Report: DNS Activity Shows Glut of Phishing, Trojans, More

In today’s threat landscape, the idea that no one is an island holds true for threats.

Edward Gately, Senior News Editor

March 12, 2021

6 Slides

A majority of Cisco customers encountered DNS activity last year, with high percentages of phishing, malvertising, malicious spam, trojans and more.

Cisco’s Threat Trends: DNS Security report analyzed data from Cisco Umbrella, the company’s cloud-based network security platform.

DNS, or domain name system, connects browsers to websites. DNS can be an attractive mechanism for malicious activities.

Among the DNS activity findings: Users in 70% of organizations got malicious browser ads. Furthermore, 51% of organizations encountered ransomware-related activity. Another 48% found information-stealing malware activity.


Cisco’s Ben Nahorney

Ben Nahorney is a threat intelligence analyst at Cisco Security.

“In today’s threat landscape, the idea that ‘no one is an island’ holds true for threats,” he said. “The most prevalent attacks these days leverage a variety of threats at different stages. For example, let’s look at how Emotet is often delivered by phishing in order to deploy Ryuk as a payload. If you find one threat within your network, it’s wise to investigate what threats have been observed working in tandem with it and take precautionary measures to prevent them from causing further havoc.”

Austin McBride is a data scientist at Cisco Umbrella.

“What I want to highlight most would be the growth in usage of multi-staged attacks,” he said. “If you get hit with Emotet, there is a good chance you could get hit with follow-up malware like ransomware. So, if you see Emotet or Ursnif/Gozi in your logs, you might want to be on the lookout for follow-up malware.”

Impact of Cryptomining


Cisco’s Austin McBride

Cryptomining impacted some 69% of organizations. That means at least one endpoint within an organization attempted to mine cryptocurrency above a minimum threshold.

“Organizational impact depends on the extent of mining happening in that environment,” McBride said. “At its most basic level, cryptomining can reduce the life of your hardware, clog your bandwidth, and drive up your AWS compute costs depending on how the miner has been configured. In the worst-case scenario, a malicious actor infiltrated your environment and set up a miner to make passive income while they perused your environment for data to exfiltrate or to exploit your environment further with follow-up malware. Bottom line, if you see a lot of cryptomining traffic, you should investigate to avoid a potential indicator of compromise (IOC).”

Our slideshow above shows the list of malicious DNS activity.

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like