Latest news with #CobaltStrike

Infoblox Unveils 2025 DNS Threat Landscape Report, Revealing Surge In AI-Driven Threats And Malicious Adtech

Scoop, 5 days ago

Press Release – Infoblox

Infoblox, a leader in cloud networking and security services, today released its 2025 DNS Threat Landscape Report, revealing a dramatic surge in DNS-based cyberthreats and the growing sophistication of adversaries leveraging AI-enabled deepfakes, malicious adtech and evasive domain tactics. Based on pre-attack telemetry and real-time analysis of DNS queries from thousands of customer environments, with over 70 billion DNS queries per day, the report offers a comprehensive view into how threat actors exploit DNS to deceive users, evade detection and hijack trust.

'This year's findings highlight the many ways in which threat actors are taking advantage of DNS to operate their campaigns, both in terms of registering large volumes of domain names and also leveraging DNS misconfigurations to hijack existing domains and impersonate major brands,' said Dr. Renée Burton, head of Infoblox Threat Intel. 'The report exposes the widespread use of traffic distribution systems (TDS) to help disguise these crimes, among other trends security teams must look out for to stay ahead of attackers.'

Since its inception, Infoblox Threat Intel has identified a total of over 660 unique threat actors and more than 204,000 suspicious domain clusters, a cluster being a group of domains believed to be registered by the same actor. Over the past 12 months, Infoblox researchers have published research covering 10 new actors. They have uncovered the breadth and depth of malicious adtech, which disguises threats from users through TDS, driving industry thought leadership on this topic.

This report brings together findings from the past 12 months to illuminate attack trends, equipping security teams with critical knowledge to keep their edge over bad actors. In particular, the report sheds light on adtech's role in these attacks.

Top Findings

  • Of the 100.8 million newly observed domains in the past year, 25.1 per cent were classified as malicious or suspicious.
  • 95 per cent of threat-related domains were observed in only one customer environment, underscoring the challenge the security industry faces in detecting and stopping threats.
  • 82 per cent of customer environments queried domains associated with malicious adtech, which rotates a massive number of domains to evade security tools and serve malicious content.
  • Nearly 500k traffic distribution system (TDS) domains were seen in the last 12 months within Infoblox networks.
  • Daily detection of DNS tunnelling, exfiltration, and command and control, including Cobalt Strike, Sliver, and custom tools, which require ML algorithms to detect.

Uptick in Newly Observed Domains

Infoblox Threat Intel identified 100.8 million newly observed domains, with over 25 percent classified as malicious or suspicious. Over the year, threat actors continuously registered, activated and deployed new domains, often in very large sets through automated registration processes. By increasing their number of domains, threat actors can bypass traditional forensic-based defences, which are built on a 'patient zero' approach to security. This reactive approach relies on detecting and analysing threats after they have already been used somewhere else in the world. As attackers leverage increasing levels of new infrastructure, this approach becomes ineffective, leaving organisations vulnerable. Actors are using these domains for an array of malicious purposes, from creating phishing pages to deploying malware through drive-by downloads, to engaging in fraudulent activities and scams, such as fake cryptocurrency investment sites.

The Need for Preemptive Security

These findings underscore a pressing need for organisations to be proactive in the face of AI-equipped attackers. Investing in preemptive security can be the deciding factor in successfully thwarting threat actors. Using predictive threat intelligence, Infoblox's protective DNS solution blocked 82 percent of threat-related queries before their initial impact. Proactive protection, paired with a consistent radar on emerging threats, tips the scales in favour of security teams, allowing them to pull ahead of attackers and interrupt their unlimited supply of domains. Access the full Infoblox DNS Threat Landscape Report 2025.

Infoblox unites networking, security and cloud to form a platform for operations that's as resilient as it is agile. Trusted by 13,000+ customers, including 92 of the Fortune 100, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise. Visit or follow us on LinkedIn.

APT41 Espionage Strikes Southern African Government IT

Arabian Post, 22-07-2025

A sophisticated cyber‑espionage campaign has targeted a government‑affiliated IT department in Southern Africa, with indicators pointing to the China‑linked APT41 group. Kaspersky's Managed Detection and Response team detected the intrusion via unusual activity on multiple workstations, prompting an in‑depth investigation and attribution to APT41 with high confidence.

The attackers infiltrated the network by exploiting a publicly exposed web server, then carried out registry dumping to harvest credentials for a local administrator account and a backup solution account with domain‑wide privileges. These credentials enabled lateral movement and elevation of access across the organisation's network.

Once embedded, the threat actors deployed a suite of both custom and public reconnaissance tools. A modified Pillager stealer was converted into a DLL to exfiltrate browser, database and admin tool credentials, screenshots, source code, active chats, email correspondence, and more. Additionally, the Checkout stealer captured browser history, downloaded files, stored passwords and credit card information. The attackers also utilised RawCopy and a Mimikatz DLL to extract registry secrets, while Cobalt Strike served as their primary command‑and‑control mechanism.

Unusually, the attackers leveraged the internal SharePoint server as a covert C2 channel, embedding a custom web‑shell to send and receive commands. This tactic allowed them to mask illicit operations within legitimate internal communications, minimising suspicion. Further probing revealed use of the Impacket modules WmiExec and Atexec, which fetched reconnaissance outputs and exfiltrated SAM and SYSTEM registry hives from compromised hosts. A later phase of the operation involved the deployment of a malicious HTA file via a domain impersonating GitHub, used to establish a reverse shell and lock in persistent access.

This marks one of APT41's most comprehensive operations in Africa, a region that had previously seen minimal activity from this actor. Analysts highlight the full deployment of the group's TTPs, spanning stealthy reconnaissance, lateral movement, data harvesting, and covert command channels. Denis Kulik, Lead SOC Analyst at Kaspersky MDR, emphasised the challenge such campaigns present: 'Defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure'. The culprits' integration of both bespoke stealer implants and legitimate tools like Mimikatz and Cobalt Strike underlines their adaptive and stealthy approach.

The incident underscores growing cyber‑espionage interest in African government IT systems. APT41, active across 42 countries, now appears to be intensifying surveillance operations on the continent. Organisations are urged to ensure full security agent deployment across endpoints, enforce least privilege principles, and monitor internal services rigorously. Kaspersky also recommends adopting advanced solutions such as EDR/XDR and managed detection and response services, along with threat intelligence offerings, to anticipate and counter complex intrusions.

Check Call: Cybersecurity threats come from everywhere

Yahoo, 20-05-2025

Cybersecurity company Trellix has released 'The Cyberthreat Report – April 2025.' The report identifies insights into cybersecurity threats as well as how to make actionable plans for fighting cyber criminals. It has thrown a spotlight on an alarming 136% surge in advanced persistent threat (APT) detections against U.S. organizations in Q1 2025, painting a grim picture of an increasingly volatile digital battlefield in which critical sectors like telecommunications and transportation are under relentless assault.

'The landscape is acute,' said John Fokker, head of threat intelligence at Trellix, in a preface to the report. 'The escalation of actor activity and increasing complexity of attack chains shouldn't be overlooked. It's clear we need a comprehensive, proactive cybersecurity strategy — one that's dynamic enough to defend against multi-vector threats.'

Among the most targeted sectors, telecommunications experienced a staggering 92% increase in APT detections, with attackers favoring industries vital to infrastructure and national security. Transportation and shipping were next in line, reflecting the strategic interest of state-sponsored groups in disrupting supply chains and communication systems. The report reveals how bad actors are evolving by exploiting known vulnerabilities, deploying sophisticated post-exploitation frameworks and even targeting cybersecurity tools themselves to erode organizational defenses from within. 'Threat actors are not just outpacing outdated defense models — they're subverting the very tools meant to detect and stop them,' Fokker added.

A particularly disturbing trend is the increasing integration of artificial intelligence into cybercrime. Trellix researchers found tools capable of real-time voice cloning in multiple languages, potentially revolutionizing phishing and social engineering tactics. Meanwhile, low-cost AI services to process stolen credentials and automate fraud, available for as little as 30 cents, are proliferating in underground forums.

Trellix's report also emphasized the growing threat from 'living off the land' techniques, in which attackers exploit legitimate tools already present in IT environments, making detection harder and post-breach investigation more complex. In several cases, APT groups were seen leveraging open-source offensive tools such as Cobalt Strike and Sliver, along with zero-day vulnerabilities, to maintain stealth and persistence.

Amid this terrifying fraud landscape, Trellix also published mitigation strategies. The company recommends that organizations adopt an extended detection and response framework that integrates AI and machine learning. Proactive threat hunting, zero trust architecture and continuous user behavior analytics are also critical in building resilience. 'As AI reshapes both cyber offense and defense, organizations must modernize their security stacks. Sticking with reactive or fragmented systems is no longer sufficient,' the report concludes. Enterprises, especially in high-risk sectors, must move beyond compliance-based strategies and embrace threat-informed, adaptive security postures. The full report is available here.

To catch the rest of the stories in Check Call, subscribe to the newsletter and get it delivered to your inbox every Tuesday at 2pm, or watch the latest episode on YouTube. The post Check Call: Cybersecurity threats come from everywhere appeared first on FreightWaves.
