Akamai Technologies, a leading cloud delivery platform, announced the availability of the State of the Internet/Security: Carrier Insights Report for Spring 2018, which shows that sharing information is an important factor in helping to defend against cyberthreats.
The report analyses data from more than 14 trillion DNS queries collected by Akamai between September 2017 and February 2018 from communications service provider (CSP) networks around the world.
For more than 19 years, Nominum – acquired by Akamai in 2017 – has leveraged in-depth DNS data to improve overall protection against sophisticated cyberattacks such as distributed denial of service (DDoS), ransomware, Trojans and botnets.
Akamai’s Carrier Insight Report builds upon the Nominum expertise and highlights the effectiveness of DNS-based security that is enriched with data coming from other security layers. This layered security approach involves gathering various security solutions to collectively protect an organisation’s data.
“Siloed understanding of attacks against individual systems isn’t enough for defenders to prepare for today’s complicated threat landscape,” said Yuriy Yuzifovich, Director of Data Science, Threat Intelligence, Akamai.
“Communicating with varying platforms is critical when acquiring knowledge across teams, systems and data sets. We believe that the DNS queries that our service provides act as a strategic component to arming security teams with the proper data necessary for that big picture view of the threat landscape.”
Tackling the Mirai botnet: collaboration in action
Collaboration between teams within Akamai played a crucial role in discovering Mirai command and control (C&C) domains to make future Mirai detection more comprehensive. The Akamai Security Intelligence and Response Team (SIRT) has been following Mirai since its inception, using honeypots to detect Mirai communications and identify its C&C servers.
In late January 2018, Akamai’s SIRT and Nominum teams shared a list of more than 500 suspicious Mirai C&C domains. The goal of this was to understand whether, if by using DNS data and artificial intelligence, this list of C&C could be augmented and make future Mirai detection more comprehensive.
Through several layers of analysis, the combined Akamai teams were able to augment the Mirai C&C dataset to discover a connection between Mirai botnets and distributors of the Petya ransomware.
This collaborative analysis suggested an evolution of IoT botnets, from a nearly exclusive use case of launching DDoS attacks to more sophisticated activities such as ransomware distribution and cryptomining.
IoT botnets are difficult to detect because there are very few indicators of compromise for most users – and yet the collaborative research by these teams created the chance to find and block dozens of new C&C domains to control the activity of the botnet.
Javascript cryptominers: a shady business model
The exponential rise in public consumption of cryptocurrency adoption has been reflected in a sharp, observable increase in the number of cryptomining malware strains and the number of devices infected with them.
Akamai observed two distinct business models for large-scale cryptomining. The first model uses infected devices’ processing power to mine cryptocurrency tokens. The second model uses code embedded into content sites that make devices that visit the site work for the cryptominer.
Akamai conducted extensive analysis on this second business model, as it poses a new security challenge for users and website owners alike. After analysing the cryptominer domains, Akamai was able to estimate the cost, in terms of both computer power and monetary gains, from this activity. An interesting implication of this research shows that cryptomining could become a viable alternative to ad revenue to fund websites.
Changing threats: malware and exploits repurposed
Cybersecurity is not a static industry. Researchers have observed hackers leveraging old techniques to reuse in today’s current digital landscape.
Over the six months that Akamai collected this data, a few prominent malware campaigns and exploits show notable changes in their operating procedure, including:
- The web proxy auto-discovery (WPAD) protocol was discovered in use to expose Windows systems to man-in-the-middle attacks between November 24 and December 14, 2017. WPAD is meant to be used on protected networks (such as LANs) and leaves computers open to significant attacks when exposed to the Internet
- Malware authors are branching out to the collection of social media logins in addition to financial information. Terdot, a branch of the Zeus botnet, creates a local proxy and enables attackers to perform cyber-espionage and promote fake news in the victim’s browser
- The Lopai botnet is an example of how botnet authors are creating more flexible tools. This mobile malware mainly targets Android devices and uses a modular approach that allows owners to create updates with new capabilities
Methodology
Akamai Security Research analyses daily, weekly and quarterly data sets to predict the next moves cybercriminals will take.
The goal is to detect attack signals in the sea of DNS data and validate known attack types while simultaneously detecting new, unknown and unnamed malicious activity.
In addition to using commercial and public data sources, the team analyses 100 billion queries daily from Akamai customers.
Akamai works with more than 130 service providers in more than 40 countries, resolving 1.7 trillion queries daily.
This sample represents approximately 3% of total global DNS traffic generated by consumers and businesses worldwide.
Click below to share this article
