What’s going on?
According to many researchers in the cyber security community, Advanced Persistent Threats (APTs) have been using strategically aged domains. The tactic is not complicated, but it does introduce another way of hunting for command and control infrastructure. In the not-so-recent breach involving SolarWinds, the majority of the discovered malicious activity involved aged domains. Another thing to consider is that the IP addresses used in the SolarWinds breach were fine-tuned to correlate with the victim's country, with the associated domains chosen the same way, to minimize detection.
Aged domains are being sold as part of business models, so a threat actor can purchase an aged domain today or tomorrow, use it, and accomplish the same objective. These domains provide immediate trust and, in some cases, access through filtering solutions: a threat actor can purchase a domain that has already been categorized and/or whitelisted in a filtering solution. This makes the method reliable both during phishing activity and after access has been gained. Some of the companies seen selling aged domains are listed below.
This does not mean attackers will not use newly registered domains, but organizations may find it less fruitful to hunt for newly registered domains that are actively seen within their environments, at least when hunting for nation-state actors. Some of the domains involved are years old. Currently, many organizations that provide threat intelligence have shifted some of their resources toward finding old domains before they can be used, or toward disrupting their current use. An example of such a shift in mindset is Palo Alto Networks. In 2021, Palo Alto reported that they were analyzing tens of thousands of domains each day looking for specific characteristics. Based on one month of research, it was concluded that 3.8% of the domains were confirmed bad, 19% showed indications of ill intent, 2% were questionable for work, and the remaining domains were undetermined.
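As an added illustration of the hunting approach described above (this is example code, not code from the original post), the following Python triages domains seen in a proxy log along two dimensions: how old the registration was when the domain was first observed in the environment, and how many hosts talk to it. An aged domain that suddenly appears from one or two hosts is the "strategically aged" pattern worth a closer look, while a domain registered days before first contact is the classic newly-registered case. The WHOIS creation dates, log lines, domain names and thresholds are all constructed for the example and should be tuned to a real environment.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed sample data: registration dates of the kind a WHOIS/RDAP
# lookup returns, keyed by domain. All domain names are invented.
WHOIS_CREATED = {
    "docs.example.org": date(2009, 6, 1),
    "example-corp-update.com": date(2015, 3, 9),
    "cdn-metrics-sync.net": date(2025, 1, 5),
}

# Constructed proxy log: "<ISO-8601 timestamp> <client host> <domain>".
PROXY_LOG = """\
2024-06-01T09:00:00Z host-a docs.example.org
2025-01-10T08:02:11Z host-a docs.example.org
2025-01-10T08:05:42Z host-b docs.example.org
2025-01-10T09:17:03Z host-c docs.example.org
2025-01-12T14:33:20Z host-d example-corp-update.com
2025-01-13T14:33:25Z host-d example-corp-update.com
2025-01-14T10:01:00Z host-e cdn-metrics-sync.net
2025-01-14T10:02:00Z host-f cdn-metrics-sync.net
"""


@dataclass
class Observation:
    first_seen: datetime
    last_seen: datetime
    hosts: set = field(default_factory=set)


def parse_log(text: str) -> dict:
    """Collapse log lines into per-domain first/last seen and distinct hosts."""
    obs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        o = obs.get(domain)
        if o is None:
            obs[domain] = Observation(when, when, {host})
        else:
            o.first_seen = min(o.first_seen, when)
            o.last_seen = max(o.last_seen, when)
            o.hosts.add(host)
    return obs


def triage(obs: dict, whois: dict, now: datetime, young_days: int = 30,
           aged_days: int = 365, lookback_days: int = 30,
           max_hosts: int = 2) -> dict:
    """Label each domain by registration age versus its history in our logs.

    Thresholds are illustrative assumptions, not values from the post.
    """
    labels = {}
    for domain, o in obs.items():
        created = whois.get(domain)
        if created is None:
            labels[domain] = "unknown-registration"
            continue
        # Age of the registration at the moment we first saw the domain.
        age_days = (o.first_seen.date() - created).days
        # Did the domain first show up in our environment only recently?
        new_to_us = (now - o.first_seen) <= timedelta(days=lookback_days)
        if age_days < young_days:
            label = "newly-registered"
        elif not new_to_us:
            label = "established"          # long present in our own logs
        elif age_days >= aged_days:
            # Old registration, recent first contact: low prevalence is the
            # strategically aged pattern; wide use looks like normal adoption.
            label = "aged-dormant" if len(o.hosts) <= max_hosts else "aged-widespread"
        else:
            label = "recent-other"
        labels[domain] = label
    return labels


def hunt(now: datetime = datetime(2025, 1, 15)) -> dict:
    """Run the triage over the constructed sample data."""
    return triage(parse_log(PROXY_LOG), WHOIS_CREATED, now)


if __name__ == "__main__":
    for domain, label in sorted(hunt().items()):
        print(f"{label:18s} {domain}")
```

The "aged-dormant" bucket is the one this post is about: the domain has been registered long enough to have a clean reputation and a category in filtering products, yet nobody in the environment had ever contacted it until a single host started doing so. Prevalence and first-seen data come from your own logs, so this check works even when no external feed has flagged the domain yet.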
Why wait so long?
Signatures are static and require that someone first report that something is bad. Once a domain is flagged, it is easy to determine the scope of activity associated with that command and control. When a threat actor waits to use a domain, they can evade security systems for longer periods. Domains are also valuable and may be reserved for specific campaigns or activities, which further reduces the chance that the domain is identified. If a domain is overused, the chances are higher that it will be detected. Many security solutions are effective at identifying recently registered domains, since those are more likely to present a threat.