Introduction

To protect our users, Quad9 blocks DNS lookups of malicious host names from an up-to-the-minute list of threats. This blocking action protects your computer, mobile device, or IoT systems against a wide range of threats, such as malware, phishing, spyware, and botnets, and it can improve performance and privacy. This blogpost provides security insights on the threats blocked by Quad9 DNS between July and December 2024. The report combines DNS telemetry data and open-source intelligence with statistics and analysis to provide security insights on the top malicious domains visited by our users and blocked by Quad9 DNS. Additionally, the post presents key regional threats targeting Quad9 users.

Top Global Threats

Omnatour malvertising campaigns continue to plague users globally. Previously highlighted in our Cyber Insights reports, these attacks hijack browser settings to distribute harmful riskware. Cybercriminals exploit compromised websites to deliver spyware, employing sophisticated evasion techniques to avoid detection. The persistence of such campaigns underscores the critical importance of robust cybersecurity measures such as Quad9 DNS to protect against these evolving threats. In H2 2024, the top 10 domains blocked by Quad9 were attributed to the Omnatour malvertising network and those queries originated from countries such as Bangladesh, India and Ecuador.

The Polyfill.io Supply Chain Attack

The Polyfill.io attack was a supply chain attack that targeted websites that used the popular Polyfill.io JavaScript library. In February 2024, a company called Funnull acquired the Polyfill.io domain and GitHub account. Shortly thereafter, the service began injecting malicious JavaScript code into websites that embedded scripts from cdn.polyfill.io. This code redirected users to malicious sites, including fake Google Analytics domains that further redirected them to illicit sports betting and adult content sites.

In H2 2024, Quad9 blocked more than 570 millions of queries to the domains attributed to the Polyfill.io attack. The largest volume of blocked queries was coming from the United States, followed by France.

Threat Actors Exploiting the CrowdStrike Incident

In July 2024, a faulty update to CrowdStrike's Falcon Sensor security software caused widespread disruption across global IT systems. This incident resulted in millions of Windows computers crashing, severely impacting critical services in various sectors including air travel, banking, and healthcare. After the incident, CrowdStrike Intelligence has observed threat actors exploiting the Falcon Sensor incident. These actors are engaging in various malicious activities, including:

• Phishing emails: Disguised as legitimate support communications from CrowdStrike.
• Impersonation: Posing as CrowdStrike staff during phone calls.
• False research claims: Presenting themselves as independent researchers, falsely linking the technical issue to a cyberattack and offering remediation guidance.
• Malicious scripts: Selling scripts that allegedly automate recovery from the content update issue, likely containing malicious code.

Quad9 blocked domains abused by those Threat Actors. In total, in H2 2024, we observed more than 2.7 billion DNS queries to those domains.

BianLian

BianLian is a ransomware group that targets various industries, including healthcare, education, and government entities, often gaining initial access through vulnerabilities like exploited RDP credentials and leveraging open-source tools for lateral movement and data theft. The group maintains a public blog to intimidate victims and publicize stolen data, further increasing pressure to pay ransoms. In H2 2024, we saw higher volumes of blocked queries to the domains attributed to BianLian ransomware, most of them coming from Germany.

Conclusions

Over the years, it’s become easier and cheaper for malicious actors to attack Internet users. Quad9’s mission is to improve the security and stability of the Internet and reduce users' vulnerability to risk and become more effective in their daily online interactions - even in the face of growing cyber attacks.

By preventing connections to malicious sites, Quad9 eliminates exposure to risks before they are downloaded to computers or a victim can see the fraudulent website. The inability to reach a malicious host means that defenses such as virus protection or user-based detection such as certificate examination are never called into action.

As a DNS provider, Quad9 has the unique opportunity to analyze the volumes and trends of malware campaigns. If you are a security researcher or threat intelligence provider and want to hear more, contact us via our website at: https://quad9.net/support/contact

About Quad9

Quad9, a nonprofit in the US and Switzerland, provides free cybersecurity services to the emerging world via secure and private DNS lookup. Quad9 operates over 245 locations across more than 110 nations, blocking hundreds of millions of malware, phishing, and spyware events daily for millions of end users. Quad9 reduces harm in vulnerable regions, increases privacy against criminal or institutionalized interception of Internet data, and improves performance in under-served areas.

References:

• https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack
• https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/

Stay Connected

Join us on our new accounts:

• https://bsky.app/profile/quad9dns.bsky.social
• https://mastodon.social/@quad9dns