Between 10% and 16% of organizations are had malicious command-and-control (C2) traffic on their networks in any given quarter last year.
By Martina Lindberg - Originally published at GRIP
The finding comes in a report from cloud services company Akamai, which analysed up to seven million Domain Name System (DNS) requests a day on systems administered by the company.
The report concludes that, last year, 10% to 16% of organizations experienced potential malicious command-and-control (C2) traffic on their DNS network. Akamai says it has “observed an increasing trend throughout the year”, with 2.3 billion malware strains detected just in the first half of 2022.
Botnets accounted for 44% of all malicious C2 traffic, followed by initial access brokers (IABs) at 26%. An IAB’s primary role is to perform initial breaches and then sell access to other ransomware and cybercriminal groups. Which make them also a large risk to organizations.
“This new report shows the massive range of cybercrime in the modern threat landscape,” said Steve Winterfeld, Advisory CISO at Akamai. “Attackers are unfortunately finding success when they leverage as-a-service hacking tools and are able to combine various tools in a single integrated multi-stage attack.
Multistage attacks
As hacking tools are getting more advanced, cybercriminals are also finding increased success when they join forces. In the report, Akamai broke the malicious C2 traffic into several categories: botnets (a network of devices which each run one or more bots), initial access brokers (IABs), infostealers, ransomware, remote access toolss (RATs), and others.
A C2 server, which is a main tool that threat actors use to launch and control cyber attacks, is pivotal in the success of these attacks. And as DNS is a critical part of internet infrastructure, Akamai says it’s unsurprisingly that “attackers often choose to leverage this infrastructure to facilitate their attacks – whether it’s a threat that accesses C2 servers to await commands, or a remote code execution that reaches out to a domain in order to download malicious files onto a machine.”
“We also observe ransomware, remote access tools (RATs), and infostealers in the mix — all have a critical role to play in various attack stages. And with tools readily available in the underground to both novice attackers and experienced cybercriminals that allow them to gain initial entry, remain hidden in the network, and further the attack, organizations are more than ever susceptible to cybercrime”, the report says.
Targeting manufacturing organizations
While many cybercriminals chose their targets based on financial outcomes, the report showed that more than 30% of the organizations with malicious C2 traffic on their networks were in the manufacturing sector.
Akamai says this is concerning because of its critical infrastructure, and that “successful attacks on this industry could potentially cause real-world effects, such as supply chain disruptions”.
The data doesn’t explain why the manufacturing sector is heavily hit, however, Akami saw the presence of hackers like IABs in their network, which could indicate that the cybercriminals are gathering intelligence about their potential targets to sell later on. The report also found infostealers to be a threat to the sector, as they harvest browser information for credentials and credit card details, which they then sell.
Other targets were found within companies in the business services (15%), high technology (14%), and commerce (12%) sectors.
Regional differences
North America had the highest percentage of affected devices followed by Europe, the Middle East, and Africa EMEA. The report also showed a burgeoning outbreak of FluBot malware in Europe, the Middle East, and Africa (EMEA), Latin America, and Asia-Pacific and Japan. Which might be explained by the malware’s social engineering tactics, and its use of multiple European languages.
However, QSnatch is reported to be the leading threat across the regions. And the report also showed that different threat groups are targeting different countries.
“Regional threats make a difference as you decide what your vulnerability management and pentest teams should focus on”, Akamai said.
Zombie devices
There are also trends in how cybercriminals are targeting their victims. Some hackers target big enterprises for a potential bigger payout, some focus on where it hurts the most from an infrastructure point of view, and some attack those with low cybersecurity systems.
However, the scenario is different for home networks. Even if they are often not as secure as a corporate environment, attacks on individuals will not pay out as much as corporate ones. That’s why attackers are looking for ways to monetize their ability to more easily infect home devices. One example of that is launching large-scale campaigns that compromise as many devices as possible in so-called ‘spray and pray tactics’ against enterprises.
“Once these home devices become part of a massive botnet, attackers could mobilize these zombie devices to perform myriad cybercriminal activities without the user’s knowledge, like spamming and launching DDoS attacks against organizations.”
Pykspa has accounted for 367 million DNS queries flagged globally between July 2022 and January 2023. It’s a threat that spreads through Skype by sending malicious links to the affected users’ contacts. It can also create a tweet with a download link to the malware.
FluBot is an Android malware botnet that primary infects Android phones via text messages. It tricks users to click on a malicious link that subsequently downloads malware. It also uploads the affected users’ contact lists and sends the messages links to them. It can overlay a bogus page on banking apps, which can endanger users’ credentials and allow them to be stolen for identity theft or to make fraudulent transactions.
Mirai comes third with 156 million flagged DNS queries. It is known for targeting IoT devices with open telnet ports. This self-propagating worm searches for vulnerable devices that use the default username and password combinations.
Read the report Attack Superhighway, a deep dive on malicious traffic here.
For more information on how you can help ensure your customers have the right tools to protect their people and their data, get in touch with CMS and ask about Global Relay.
Grip is Global Relay’s new digital information service on practical compliance and regulatory change. You can enjoy it for free, for a limited time only, here