In every quarter last year, between 10% and 16% of organizations had DNS traffic originating on their networks toward command-and-control (C2) servers associated with known botnets and other malware threats, according to a report from cloud and content delivery network provider Akamai.
More than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access to corporate networks to other cybercriminals, the report said. “As we analyzed malicious DNS traffic of both enterprise and home users, we were able to spot several outbreaks and campaigns in the process, such as the spread of FluBot, an Android-based malware moving from country to country around the world, as well as the prevalence of various cybercriminal groups aimed at enterprises,” Akamai said. “Perhaps the best illustration is the significant presence of C2 traffic related to initial access brokers (IABs) that breach corporate networks and monetize access by peddling it to others, such as ransomware as a service (RaaS) groups.”
Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to 7 trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, such as those that host phishing pages, serve malware, or are used for C2.
Malware could affect a very large pool of devices
According to the data, between 9% and 13% of all devices seen by Akamai making DNS requests each quarter tried to reach a malware-serving domain. Between 4% and 6% tried to resolve known phishing domains, and between 0.7% and 1% tried to resolve C2 domains.
The share for C2 domains might seem small at first glance compared to malware domains, but consider that we’re talking about a very large pool of devices here, capable of generating 7 trillion DNS requests per day. A request to a malware-hosting domain doesn’t necessarily translate to a successful compromise, because the malware could be detected and blocked before it executes on the machine. However, a query for a C2 domain indicates an active malware infection.
Organizations can have thousands or tens of thousands of devices on their networks, and a single compromised device can lead to a full network takeover, as in most ransomware cases, because attackers use lateral movement techniques to jump between internal systems. When Akamai’s C2 DNS data is viewed per organization, more than one in 10 organizations had an active compromise last year.
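The mapping described above (resolver logs matched against a categorized list of malicious domains, then rolled up per device and per organization, with any C2 hit treated as a sign of active compromise) can be reproduced on a small scale. The following is an added example, not Akamai's code or data: the threat list, the log format (timestamp, organization, device, queried name) and the log lines are all constructed for illustration, and the `.test` domains are reserved placeholders.

```python
"""Classify DNS resolver logs against a categorized threat-domain list.

Added example, not Akamai's tooling. The feed and log lines below are
constructed; the log format (ts org device qname) is an assumption.
"""
from collections import defaultdict

# Constructed threat-intel feed: domain -> category. A resolver operator
# would load this from a real feed; these names are placeholders.
THREAT_DOMAINS = {
    "dl.example-malware.test": "malware",
    "login-verify.example-phish.test": "phishing",
    "beacon.example-c2.test": "c2",
    "update.example-botnet.test": "c2",
}

# Constructed resolver log: one query per line.
SAMPLE_LOG = """\
2023-01-10T09:00:01Z orgA dev-1 www.example.com
2023-01-10T09:00:02Z orgA dev-1 dl.example-malware.test
2023-01-10T09:00:03Z orgA dev-2 mail.example.org
2023-01-10T09:00:04Z orgA dev-3 beacon.example-c2.test
2023-01-10T09:00:05Z orgB dev-4 login-verify.example-phish.test
2023-01-10T09:00:06Z orgB dev-5 www.example.net
2023-01-10T09:00:07Z orgC dev-6 api.example.org
2023-01-10T09:00:08Z orgC dev-6 cdn.update.example-botnet.test.
"""


def parse_line(line):
    """Split one log line; normalise the query name (trailing dot, case)."""
    ts, org, device, qname = line.split()
    return ts, org, device, qname.rstrip(".").lower()


def classify(qname):
    """Return the category of qname or of any parent domain, else None.

    Walking the parent labels catches subdomains of a listed domain
    (e.g. cdn.<listed-domain>), which a plain exact-match lookup misses.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        category = THREAT_DOMAINS.get(".".join(labels[i:]))
        if category:
            return category
    return None


def summarize(log_text):
    """Per-device category shares plus the organizations with C2 activity."""
    devices = set()                 # every (org, device) that queried anything
    hits = defaultdict(set)         # category -> set of (org, device)
    compromised_orgs = set()        # orgs with at least one C2 query
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, org, device, qname = parse_line(line)
        devices.add((org, device))
        category = classify(qname)
        if category is None:
            continue
        hits[category].add((org, device))
        if category == "c2":        # a C2 lookup implies an active infection
            compromised_orgs.add(org)
    total = len(devices)
    shares = {cat: round(100 * len(devs) / total, 1) for cat, devs in hits.items()}
    return {
        "devices": total,
        "shares": shares,
        "c2_devices": sorted(hits["c2"]),
        "compromised_orgs": sorted(compromised_orgs),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"devices seen: {result['devices']}")
    for cat, pct in sorted(result["shares"].items()):
        print(f"  {cat:9s} {pct:5.1f}% of devices")
    print("active C2 beacons:", result["c2_devices"])
    print("organizations with an active compromise:", result["compromised_orgs"])
```

Device counts are keyed on the (organization, device) pair so that the same client querying several bad names is counted once per category, which is how the per-device percentages in the report are meaningful; a malware or phishing hit is reported as exposure only, while a C2 hit additionally marks the organization as compromised.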
“Based on our DNS data, we saw that more than 30% of analyzed companies with malicious C2 traffic are in the manufacturing sector,” the Akamai researchers said. “In addition, companies in the business services (15%), high technology (14%), and commerce (12%) verticals were impacted. The top two verticals in our DNS data (manufacturing and business services) also resonate with the top industries hit by Conti ransomware.”
Botnets account for 44% of malicious traffic
Akamai broke the C2 traffic down further into several categories: botnets, initial access brokers (IABs), infostealers, ransomware, remote access trojans (RATs), and others. Botnets were the leading category, accounting for 44% of the malicious C2 traffic, not even counting some prominent botnets like Emotet or Qakbot whose operators are in the business of selling access to systems and were therefore counted in the IAB category. However, most botnets can technically be used to deliver additional malware payloads, and even if their owners do not publicly offer this service, some have private deals. For example, the TrickBot botnet had a private working relationship with the cybercriminals behind the Ryuk ransomware.
The largest botnet seen by Akamai in C2 traffic originating from enterprise environments is QSnatch, which relies on a piece of malware that specifically infects the firmware of outdated QNAP network-attached storage (NAS) devices. QSnatch first appeared in 2014 and remains active to date. According to a CISA advisory, as of mid-2020, there were around 62,000 infected devices worldwide. QSnatch blocks security updates and is used for credential scraping, password logging, remote access, and data exfiltration.
IABs were the second largest category in C2 DNS traffic, the most significant threats in this group being Emotet, with 22% of all infected devices, and Qakbot with 4%. Emotet is one of the largest and longest-running botnets used for initial access into corporate networks by various cybercriminal groups. Moreover, over the years, Emotet has been used to deploy other botnets including TrickBot and Qakbot.
Malware with links to known ransomware gangs
In 2021 law enforcement agencies from several countries including the US, the UK, Canada, Germany, and the Netherlands managed to take over the Emotet botnet’s command-and-control infrastructure. However, the takedown was short-lived, and the botnet is now back with a new iteration. Emotet started as an online banking trojan but has morphed into a malware delivery platform with multiple modules that also give its operators the ability to steal emails, launch DDoS attacks, and more. Emotet also had known relationships with ransomware gangs, most notably Conti.
Like Emotet, Qakbot is another botnet that is being used to deliver additional payloads and has working relationships with ransomware gangs, for example, Black Basta. The malware is also known to leverage the Cobalt Strike penetration testing tool for additional functionality and persistence, and it has information-stealing capabilities.
While botnets are known to deliver ransomware, once deployed such programs have their own C2s, which are also represented in Akamai’s DNS data. Over 9% of devices that generated C2 traffic did so to domain names associated with known ransomware threats. Of these, REvil and LockBit were the most common ones.
“Our recent analysis of the methodology of modern ransomware groups, such as the Conti group, showed that sophisticated attackers often assign operators to work ‘hands on keyboard’ in order to rapidly and effectively progress an attack,” Akamai researchers said. “The ability to see and block C2 traffic can be pivotal to stopping an ongoing attack.”
Infostealers were the third most common category by C2 traffic, accounting for 16% of devices seen by Akamai. As their name implies, these malware programs are used to steal information that can be valuable to attackers and further other attacks, such as usernames and passwords for various services, authentication cookies stored in browsers, and other credentials saved locally by other applications. Ramnit, a modular infostealer that can also be used to deploy additional malware, was the top threat seen in this category. Other notable threats seen in C2 traffic included Cobalt Strike, the Agent Tesla RAT, the Pykspa worm, and the Virut polymorphic virus.