Throughout each quarter last year, between 10% and 16% of organizations had DNS traffic originating on their networks toward command-and-control (C2) servers associated with known botnets and various other malware threats, according to a report from cloud and content delivery network provider Akamai.
More than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access into corporate networks to other cybercriminals, the report said. “As we analyzed malicious DNS traffic of both enterprise and home users, we were able to spot several outbreaks and campaigns in the process, such as the spread of FluBot, an Android-based malware moving from country to country around the world, as well as the prevalence of various cybercriminal groups aimed at enterprises,” Akamai said. “Perhaps the best example is the significant presence of C2 traffic related to initial access brokers (IABs) that breach corporate networks and monetize access by peddling it to others, such as ransomware as a service (RaaS) groups.”
Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to seven trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, including those that host phishing pages, serve malware, or are used for C2.
Malware can affect a very large pool of devices
According to the data, between 9% and 13% of all devices seen by Akamai making DNS requests each quarter tried to reach a malware-serving domain. Between 4% and 6% tried to resolve known phishing domains, and between 0.7% and 1% tried to resolve C2 domains.
The share for C2 domains might seem small at first glance compared to malware domains, but consider that we're talking about a very large pool of devices here, capable of generating 7 trillion DNS requests per day. A request to a malware-hosting domain doesn't necessarily translate to a successful compromise, because the malware might be detected and blocked before it executes on the device. However, a query for a C2 domain suggests an active malware infection.
Organizations can have thousands or tens of thousands of devices on their networks, and a single compromised device can lead to a full network takeover, as in most ransomware cases, because attackers use lateral movement techniques to jump between internal systems. When Akamai's C2 DNS data is viewed per organization, more than one in 10 organizations had an active compromise last year.
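As an added illustration of the mapping described above (example code, not Akamai's own tooling or data): it runs a constructed DNS query log against a constructed threat feed, computes the share of devices that looked up malware, phishing and C2 domains, and treats any organization with a C2 lookup as likely actively compromised. Domain names, organization names and log lines are all made up.

```python
from collections import defaultdict

# Constructed threat feed: domain -> category. Hypothetical domains, not real indicators.
THREAT_FEED = {
    "malware-drop.example": "malware",
    "login-verify.example": "phishing",
    "beacon.example": "c2",
}

# Constructed DNS query log (space-separated: timestamp org device qname).
SAMPLE_LOG = """\
2023-01-10T08:00:01Z acme ws-01 www.example.org
2023-01-10T08:00:05Z acme ws-01 malware-drop.example
2023-01-10T08:01:09Z acme ws-02 login-verify.example
2023-01-10T08:02:30Z acme ws-03 beacon.example.
2023-01-10T08:03:00Z acme ws-03 cfg.beacon.example
2023-01-10T08:04:12Z globex srv-01 cdn.example.net
2023-01-10T08:05:44Z globex srv-02 MALWARE-DROP.example
"""

def parse_log(text):
    """Yield (org, device, normalized qname) for each log line."""
    for line in text.splitlines():
        _ts, org, device, qname = line.split()
        # Normalize: lower-case and drop a trailing root dot so feed lookups match.
        yield org, device, qname.lower().rstrip(".")

def match_category(qname, feed):
    """Return the feed category if qname is a listed domain or a subdomain of one."""
    for bad, category in feed.items():
        if qname == bad or qname.endswith("." + bad):
            return category
    return None

def summarize(log_text, feed):
    """Per-category share of devices, plus share of orgs with any C2 lookup."""
    devices, orgs = set(), set()
    hits = defaultdict(set)  # category -> {(org, device)}
    for org, device, qname in parse_log(log_text):
        devices.add((org, device))
        orgs.add(org)
        category = match_category(qname, feed)
        if category:
            hits[category].add((org, device))
    device_share = {c: len(d) / len(devices) for c, d in hits.items()}
    # A C2 lookup is the strongest signal: unlike a malware-domain lookup it
    # implies something is already running on the device and calling home.
    c2_orgs = {org for org, _ in hits["c2"]}
    return device_share, len(c2_orgs) / len(orgs), sorted(c2_orgs)
```

Feeding the constructed log through `summarize(SAMPLE_LOG, THREAT_FEED)` reports 40% of devices touching malware domains but only 20% touching C2, and half of the organizations with an active C2 lookup, which is the same kind of per-device versus per-organization view the report uses.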
“Based on our DNS data, we observed that more than 30% of analyzed organizations with malicious C2 traffic are in the manufacturing sector,” the Akamai researchers said. “In addition, companies in the business services (15%), high technology (14%), and commerce (12%) verticals were impacted. The top two verticals in our DNS data (manufacturing and business services) also resonate with the top industries hit by Conti ransomware.”
Botnets account for 44% of malicious traffic
Akamai broke the C2 traffic down further into several categories: botnets, initial access brokers (IABs), infostealers, ransomware, remote access trojans (RATs), and others. Botnets were the top category, accounting for 44% of the malicious C2 traffic, not even counting some prominent botnets like Emotet or Qakbot whose operators are in the business of selling access to systems and were therefore counted in the IAB category. However, most botnets can technically be used to deliver additional malware payloads, and even if their owners don't publicly advertise this service, some have private deals. For example, the TrickBot botnet had a private working relationship with the cybercriminals behind the Ryuk ransomware.
The largest botnet observed by Akamai in C2 traffic originating from enterprise environments is QSnatch, which relies on a piece of malware that specifically infects the firmware of outdated QNAP network-attached storage (NAS) devices. QSnatch first appeared in 2014 and remains active to date. According to a CISA advisory, as of mid-2020 there were over 62,000 infected devices worldwide. QSnatch blocks security updates and is used for credential scraping, password logging, remote access, and data exfiltration.
IABs were the second largest category in C2 DNS traffic, the biggest threats in this group being Emotet, with 22% of all infected devices, and Qakbot with 4%. Emotet is one of the largest and longest-running botnets used for initial access into corporate networks by multiple cybercriminal groups. Moreover, over time, Emotet has been used to deploy other botnets, including TrickBot and Qakbot.
Malware with links to well-known ransomware gangs
In 2021, law enforcement agencies from several countries, including the US, the UK, Canada, Germany, and the Netherlands, managed to take over the botnet's command-and-control infrastructure. However, the takedown was short-lived, and the botnet is now back with a new iteration. Emotet started as an online banking trojan but has morphed into a malware delivery platform with multiple modules that also give its operators the ability to steal emails, launch DDoS attacks, and more. Emotet also had known relationships with ransomware gangs, most notably Conti.
Like Emotet, Qakbot is another botnet that is being used to deliver additional payloads and has working relationships with ransomware gangs, for example Black Basta. The malware is also known to leverage the Cobalt Strike penetration testing tool for additional functionality and persistence, and it has information-stealing capabilities.
Although botnets are known to deliver ransomware, once deployed such programs have their own C2s, which are also represented in Akamai's DNS data. Over 9% of devices that generated C2 traffic did so to domains associated with known ransomware threats. Of these, REvil and LockBit were the most common ones.
“Our recent analysis of the methodology of modern ransomware groups, such as the Conti group, showed that sophisticated attackers often assign operators to work ‘hands on keyboard’ in order to quickly and efficiently progress an attack,” Akamai researchers said. “The ability to view and block C2 traffic can be pivotal to stopping an ongoing attack.”
Infostealers were the third most common category by C2 traffic, accounting for 16% of devices observed by Akamai. As their name suggests, these malware programs are used to steal information that can be valuable to attackers and can further other attacks, such as usernames and passwords for various services, authentication cookies stored in browsers, and other credentials stored locally in other applications. Ramnit, a modular infostealer that can also be used to deploy additional malware, was the top threat seen in this category. Other notable threats seen in C2 traffic included Cobalt Strike, the Agent Tesla RAT, the Pykspa worm, and the Virut polymorphic virus.
Copyright © 2023 IDG Communications, Inc.