Akamai announced the availability of the State of the Internet / Security: Carrier Insights Report for Spring 2018, which shows that sharing information is an important factor in helping to defend against cyber threats. The report analyzes data from more than 14 trillion DNS queries collected by Akamai between September 2017 and February 2018 from communications service provider (CSP) networks around the world.
“Siloed understanding of attacks against individual systems isn’t enough for defenders to prepare for today’s complicated threat landscape,” said Yuriy Yuzifovich, Director of Data Science, Threat Intelligence at Akamai. “Communicating with varying platforms is critical when acquiring knowledge across teams, systems and data sets. We believe that the DNS queries that our service provides act as a strategic component to arming security teams with the proper data necessary for that big picture view of the threat landscape.”
Tackling the Mirai Botnet: Collaboration in Action
Collaboration between teams within Akamai played a crucial role in discovering Mirai command and control (C&C) domains to make future Mirai detection more comprehensive. The Akamai Security Intelligence and Response Team (SIRT) has been following Mirai since its inception, using honeypots to detect Mirai communications and identify its C&C servers.
In late January 2018, Akamai’s SIRT and Nominum teams shared a list of over 500 suspicious Mirai C&C domains. The goal of this was to understand whether, if by using DNS data and artificial intelligence, this list of C&C could be augmented, and make future Mirai detection more comprehensive. Through several layers of analysis, the combined Akamai teams were able to augment the Mirai C&C dataset to discover a connection between Mirai botnets and distributors of the Petya ransomware.
This collaborative analysis suggested an evolution of IoT botnets, from a nearly exclusive use case of launching DDoS attacks to more sophisticated activities such as ransomware distribution and crypto-mining. IoT botnets are difficult to detect because there are very few indicators of compromise for most users—and yet, the collaborative research by these teams created the chance to find and block dozens of new C&C domains to control the activity of the botnet.
Javascript Cryptominers: A Shady Business Model
The exponential rise in public consumption of cryptocurrency adoption has been reflected in a sharp, observable increase in the number of crypto-mining malware strains, and the number of devices infected with them.
Akamai observed two distinct business models for large-scale crypto-mining. The first model uses infected devices’ processing power to mine cryptocurrency tokens. The second model uses code embedded into content sites that make devices that visit the site work for the cryptominer. Akamai conducted extensive analysis on this second business model, as it poses a new security challenge for users and website owners alike. After analyzing the cryptominer domains, Akamai was able to estimate the cost, in terms of both computer power and monetary gains, from this activity. An interesting implication of this research shows that cryptomining could become a viable alternative to ad revenue to fund websites.
Changing Threats: Malware and Exploits Repurposed
Cybersecurity is not a static industry. Researchers have observed hackers leveraging old techniques to reuse in today’s current digital landscape. Over the six months that Akamai collected this data, a few prominent malware campaigns and exploits show notable changes in their operating procedure, including:
The Web Proxy Auto-Discovery (WPAD) protocol was discovered in use to expose Windows systems to Man-in-the-Middle attacks between November 24 and December 14, 2017. WPAD is meant to be used on protected networks (i.e. LANs) and leaves computers open to significant attacks when exposed to the Internet.
Malware authors are branching out to the collection of social media logins in addition to financial information. Terdot, a branch of the Zeus botnet, creates a local proxy and enables attackers to perform cyber-espionage and promote fake news in the victim’s browser.
The Lopai botnet is an example of how botnet authors are creating more flexible tools. This mobile malware mainly targets Android devices and uses a modular approach that allows owners to create updates with new capabilities.