Friday, March 24, 2023

DNS data shows one in 10 organizations have malware traffic on their networks


In every quarter of last year, between 10% and 16% of organizations had DNS traffic originating on their networks toward command-and-control (C2) servers associated with known botnets and various other malware threats, according to a report from cloud and content delivery network provider Akamai.

More than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access into corporate networks to other cybercriminals, the report said. “As we analyzed malicious DNS traffic of both enterprise and home users, we were able to spot several outbreaks and campaigns in the process, such as the spread of FluBot, an Android-based malware moving from country to country around the world, as well as the prevalence of various cybercriminal groups aimed at enterprises,” Akamai said. “Perhaps the best example is the significant presence of C2 traffic related to initial access brokers (IABs) that breach corporate networks and monetize access by peddling it to others, such as ransomware as a service (RaaS) groups.”

Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to seven trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, including those that host phishing pages, serve malware, or are used for C2.

Malware can affect a very large pool of devices

According to the data, between 9% and 13% of all devices seen by Akamai making DNS requests each quarter attempted to reach a malware-serving domain. Between 4% and 6% tried to resolve known phishing domains, and between 0.7% and 1% tried to resolve C2 domains.

The share for C2 domains might seem small at first glance compared to malware domains, but consider that we're talking about a very large pool of devices here, capable of generating 7 trillion DNS requests per day. A request to a malware-hosting domain doesn't necessarily translate to a successful compromise, because the malware might be detected and blocked before it executes on the device. However, a query for a C2 domain suggests an active malware infection.
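The measurement the article describes (mapping client DNS queries to a blocklist of malware, phishing and C2 domains, counting the share of devices that hit each category, and treating any C2 query as a sign of an active infection) can be reproduced on a small scale against a resolver's own query log. The following is an added example, not Akamai's code or methodology: the blocklist, threat-family labels, `.invalid` domain names and log lines are all constructed here for illustration, and the log format (`timestamp client_ip qname qtype`) is an assumption. It also produces the per-family breakdown of C2 devices that the later sections of the article discuss, so it serves both passages.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist: domain -> (category, threat family). The names use the
# reserved .invalid TLD so they can never resolve; a real feed would supply them.
BLOCKLIST = {
    "qsnatch-c2.invalid":  ("c2", "QSnatch"),
    "emotet-ctrl.invalid": ("c2", "Emotet"),
    "revil-panel.invalid": ("c2", "REvil"),
    "dropper-cdn.invalid": ("malware", "generic-loader"),
    "login-bank.invalid":  ("phishing", "generic-phish"),
}

# Constructed resolver log lines in the assumed format "<ts> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2023-03-20T08:01:12Z 10.0.1.5 www.example.com A
2023-03-20T08:01:13Z 10.0.1.5 cdn.dropper-cdn.invalid A
2023-03-20T08:02:40Z 10.0.1.9 qsnatch-c2.invalid. A
2023-03-20T08:02:41Z 10.0.1.9 QSNATCH-C2.INVALID A
2023-03-20T08:03:02Z 10.0.2.17 login-bank.invalid A
2023-03-20T08:03:30Z 10.0.2.17 api.emotet-ctrl.invalid A
2023-03-20T08:04:00Z 10.0.3.3 www.example.org AAAA
2023-03-20T08:04:05Z 10.0.3.8 revil-panel.invalid A
this line is malformed and must be skipped
"""


def normalize(qname):
    """Lower-case and strip the trailing dot so matching is canonical."""
    return qname.lower().rstrip(".")


def lookup(qname):
    """Return (category, family) if qname or any parent domain is blocklisted."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        hit = BLOCKLIST.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def parse_log(text):
    """Yield (client_ip, qname) pairs, skipping malformed lines and bad IPs."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield parts[1], parts[2]


def analyze(text):
    """Return (all devices, devices per category, devices per C2 family)."""
    devices = set()
    by_category = defaultdict(set)
    c2_families = defaultdict(set)
    for ip, qname in parse_log(text):
        devices.add(ip)
        hit = lookup(qname)
        if hit is None:
            continue
        category, family = hit
        by_category[category].add(ip)
        if category == "c2":
            c2_families[family].add(ip)
    return devices, by_category, c2_families


def device_share(text):
    """Percentage of observed devices that queried each blocklist category."""
    devices, by_category, _ = analyze(text)
    return {cat: round(100.0 * len(ips) / len(devices), 1)
            for cat, ips in by_category.items()}


def c2_family_share(text):
    """Percentage of C2-querying devices attributed to each threat family."""
    _, by_category, families = analyze(text)
    total = len(by_category["c2"])
    return {fam: round(100.0 * len(ips) / total, 1) for fam, ips in families.items()}


def likely_active_infections(text):
    """Devices that queried a C2 domain; a C2 query is treated as an active compromise."""
    _, _, families = analyze(text)
    return sorted((ip, fam) for fam, ips in families.items() for ip in ips)


if __name__ == "__main__":
    print("device share by category:", device_share(SAMPLE_LOG))
    print("C2 share by family:", c2_family_share(SAMPLE_LOG))
    print("likely active infections:", likely_active_infections(SAMPLE_LOG))
```

Two details matter in practice: queries are normalized (case and trailing dot) and matched against every parent domain, so `api.emotet-ctrl.invalid` counts as a hit on `emotet-ctrl.invalid`; and the counts are per device rather than per query, which is why the one host that queried its C2 domain twice contributes a single device to the C2 share.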

Organizations can have thousands or tens of thousands of devices on their networks, and one single compromised device can lead to a full network takeover, as in most ransomware cases, because attackers use lateral movement techniques to jump between internal systems. When Akamai's C2 DNS data is viewed per organization, more than one in 10 organizations had an active compromise last year.

“Based on our DNS data, we observed that more than 30% of analyzed organizations with malicious C2 traffic are in the manufacturing sector,” the Akamai researchers said. “In addition, companies in the business services (15%), high technology (14%), and commerce (12%) verticals were impacted. The top two verticals in our DNS data (manufacturing and business services) also resonate with the top industries hit by Conti ransomware.”

Botnets account for 44% of malicious traffic

Akamai broke the C2 traffic down further into several categories: botnets, initial access brokers (IABs), infostealers, ransomware, remote access trojans (RATs), and others. Botnets were the top category, accounting for 44% of the malicious C2 traffic, and that is without counting some prominent botnets like Emotet or Qakbot, whose operators are in the business of selling access to systems and were therefore placed in the IAB category. However, most botnets can technically be used to deliver additional malware payloads, and even when their owners don't publicly advertise this service, some have private deals. For example, the TrickBot botnet had a private working relationship with the cybercriminals behind the Ryuk ransomware.

The largest botnet observed by Akamai in C2 traffic originating from enterprise environments is QSnatch, which relies on a piece of malware that specifically infects the firmware of old QNAP network-attached storage (NAS) devices. QSnatch first appeared in 2014 and remains active to date. According to a CISA advisory, as of mid-2020 there were over 62,000 infected devices worldwide. QSnatch blocks security updates and is used for credential scraping, password logging, remote access, and data exfiltration.

IABs were the second largest category in C2 DNS traffic, the biggest threats in this group being Emotet, with 22% of all infected devices, and Qakbot with 4%. Emotet is one of the largest and longest-running botnets used for initial access into corporate networks by several cybercriminal groups. Moreover, over time, Emotet has been used to deploy other botnets, including TrickBot and Qakbot.

Malware with links to well-known ransomware gangs

In 2021, law enforcement agencies from several countries, including the US, the UK, Canada, Germany, and the Netherlands, managed to take over the botnet's command-and-control infrastructure. However, the takedown was short-lived, and the botnet is now back with a new iteration. Emotet started as an online banking trojan but has morphed into a malware delivery platform with several modules that also give its operators the ability to steal emails, launch DDoS attacks, and more. Emotet also had known relationships with ransomware gangs, most notably Conti.

Like Emotet, Qakbot is another botnet that is being used to deliver additional payloads and has working relationships with ransomware gangs, for example Black Basta. The malware is also known to leverage the Cobalt Strike penetration testing tool for additional functionality and persistence, and it has information-stealing capabilities.

Although botnets are known to deliver ransomware, once deployed such programs have their own C2s, which are also represented in Akamai's DNS data. Over 9% of devices that generated C2 traffic did so to domains associated with known ransomware threats. Of these, REvil and LockBit were the most common ones.

“Our recent analysis of the methodology of modern ransomware groups, such as the Conti group, showed that sophisticated attackers often assign operators to work ‘hands on keyboard’ in order to quickly and efficiently progress an attack,” Akamai researchers said. “The ability to view and block C2 traffic can be pivotal to stopping an ongoing attack.”

Infostealers were the third most common category by C2 traffic, accounting for 16% of devices observed by Akamai. As their name suggests, these malware programs are used to steal information that can be valuable to attackers and enable further attacks, such as usernames and passwords for various services, authentication cookies stored in browsers, and other credentials stored locally in other applications. Ramnit, a modular infostealer that can also be used to deploy additional malware, was the top threat seen in this category. Other notable threats seen in C2 traffic included Cobalt Strike, the Agent Tesla RAT, the Pykspa worm, and the Virut polymorphic virus.

Copyright © 2023 IDG Communications, Inc.
