NCSC Threat Report: DNS

April 4, 2023 | Heimdal Security, Cybersecurity
Jack Poulter


On 24th March 2023, the National Cyber Security Centre (NCSC) issued a threat report based on a recent investigation by Akamai. Akamai’s investigation uncovered threats in corporate and home networks by looking at malicious command and control (C2) traffic. According to their data, in any given quarter, 10% to 16% of organisations experienced C2 traffic in their network.

Malicious C2 traffic is an important element of a modern cyberattack. The attack server utilises the backdoor access to carry out malicious activities on a victim’s system, such as data exfiltration and malware downloads.

Initial Access Brokers (IABs) pose a significant risk to any organisation because their primary role is to perform an initial breach in order to sell access to criminal and ransomware groups. According to the NCSC threat report, 26% of the devices found to be affected had reached out to a known IAB C2 domain.

The NCSC’s latest report emphasises the ongoing need for organisations to have intelligent cybersecurity. In this article, we will look at the key findings on the threats identified by Domain Name System (DNS) data, what this means for businesses, and how specialists like Heimdal Security are providing unique solutions to combat cybercrime.


Security professionals are having difficulty navigating the modern threat environment that DNS presents. Recent findings have shifted the understanding of DNS from a simple interaction between a user and a website to a channel that can carry large amounts of malicious traffic.

DNS data revealed that one out of every ten organisations has malware traffic on its network, with the manufacturing sector accounting for 30%. The targeting of manufacturing sectors indicates that attackers intend to make a significant impact with broad ramifications, such as disrupting supply chains and everyday life.

Cyber threats

Attackers are constantly devising new ways to avoid detection, and DNS is no exception, with attackers using domain generation algorithms (DGAs) to remain undetected. Along with the new information about the threats found in DNS data, there has also been a significant attack on the 3CX desktop app. The app was compromised as part of a supply chain attack aimed at the company's customers. More than 600,000 businesses use the system, putting them at risk of malware that collects system information and steals data and credentials. Windows and macOS have both been targeted, with the Windows Electron client for customers running update 7 being affected.

According to reports, the most common post-exploitation activity observed in this attack to date is the generation of an interactive command shell. In addition, there has been deployment of second stage payloads and, in some cases, hands-on-keyboard activity.

Why you need to protect DNS

DNS is like an address book of the internet. It is vital that businesses have adequate security in place to protect themselves and monitor all traffic passing through the network. Protective DNS forces networks to use a specific DNS resolver, or set of resolvers, that is managed by the protective DNS provider, which determines which requests should be blocked.

Protecting DNS with solutions from providers such as Heimdal can prevent malicious domains from being visited in your network, preventing the theft of data and intellectual property. Protective DNS blocks access to malicious websites, malware distribution domains, C2 domains, and domains used in phishing attacks.
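The resolver-side decision described above, together with a simple check for algorithmically generated names, can be sketched as follows. This is an added example, not code from NCSC, Akamai or Heimdal; the blocklist entries, log lines, thresholds and function names are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed blocklist using reserved example/test names (assumption).
BLOCKLIST = {"c2.example", "phish.test"}

# Constructed resolver log: (client IP, queried name).
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.org."),
    ("10.0.0.7", "beacon.c2.example."),
    ("10.0.0.7", "xk2q9vbz7rmw4tpl.example.net."),
    ("10.0.0.9", "Login.Phish.Test"),
    ("10.0.0.9", "notc2.example.com"),
]

def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def blocklisted(name):
    """True if the name or any parent domain is listed.

    Matching on whole labels avoids the substring mistake of treating
    notc2.example.com as if it were under c2.example.
    """
    labels = normalise(name).split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def entropy(text):
    """Shannon entropy of the characters in text, in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_generated(name, min_len=12, min_entropy=3.5):
    """Heuristic only: a long, high-entropy label suggests a DGA.

    The thresholds are assumptions; legitimate CDN or tracking hostnames
    can also trip this, so the result is a review signal, not a verdict.
    """
    longest = max(normalise(name).split("."), key=len)
    return len(longest) >= min_len and entropy(longest) >= min_entropy

def decide(name):
    if blocklisted(name):
        return "BLOCK"
    if looks_generated(name):
        return "REVIEW"
    return "ALLOW"

def triage(log):
    """Return (client, normalised name, decision) for every query."""
    return [(client, normalise(q), decide(q)) for client, q in log]
```

Clients that appear with a BLOCK or REVIEW decision are the ones to investigate for C2 activity.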

How can organisations stay secure?

Brigantia is committed to providing high-quality cybersecurity solutions to the channel and is constantly assessing the risks that businesses face. NCSC reports provide insight into the most recent threats, and this report, in particular, has highlighted the critical need for intelligent cybersecurity.

Heimdal is a longstanding partner of Brigantia because of its unified, unique, and easy-to-use approach to cybersecurity. The MITRE ATT&CK framework is one of Heimdal's cyber defence solutions for responding to threats like C2 traffic. The multi-tiered system is used to detail the inner workings of cyberattacks, covering every base and vulnerability.

Heimdal's specialised solutions are designed to protect businesses from threats such as DNS and 3CX attacks. Their cutting-edge, all-in-one platform is a unified endpoint prevention, detection, and response platform that evolves by tracking cybercriminals' movements. As an evolving solution, it means the platform can predict and prevent future threats, protecting intellectual property. Heimdal's all-around protection against ransomware, insider threats, compromised emails, and other threats is an effective tool for organisations dealing with the threats discussed in this article.

Brigantia provides value-added cybersecurity to the channel; our team of specialists is always available to answer questions and assist partners in offering the best cybersecurity solutions that address evolving cyber issues.
