DNS data reveals one in 10 organizations have malware traffic on their networks

Throughout each quarter last year, between 10% and 16% of organizations had DNS traffic originating on their networks toward command-and-control (C2) servers associated with known botnets and various other malware threats, according to a report from cloud and content delivery network provider Akamai.

More than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access into corporate networks to other cybercriminals, the report stated. “As we analyzed malicious DNS traffic of both enterprise and home users, we were able to spot several outbreaks and campaigns in the process, such as the spread of FluBot, an Android-based malware moving from country to country around the world, as well as the prevalence of various cybercriminal groups aimed at enterprises,” Akamai said. “Perhaps the best example is the significant presence of C2 traffic related to initial access brokers (IABs) that breach corporate networks and monetize access by peddling it to others, such as ransomware as a service (RaaS) groups.”

Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to seven trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, including those that host phishing pages, serve malware, or are used for C2.

Malware may affect a very large pool of devices

According to the data, between 9% and 13% of all devices seen by Akamai making DNS requests each quarter attempted to reach a malware-serving domain. Between 4% and 6% attempted to resolve known phishing domains, and between 0.7% and 1% attempted to resolve C2 domains.

The share for C2 domains may seem small at first glance compared with malware domains, but consider that we are talking about a very large pool of devices here, capable of generating 7 trillion DNS requests per day. A request to a malware-hosting domain does not necessarily translate to a successful compromise, because the malware may be detected and blocked before it executes on the system. However, a query for a C2 domain suggests an active malware infection.

Organizations can have thousands or tens of thousands of devices on their networks, and a single compromised device can lead to a full network takeover, as in most ransomware cases, because attackers use lateral movement techniques to jump between internal systems. When Akamai's C2 DNS data is viewed per organization, more than one in 10 organizations had an active compromise last year.
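The measurement the article describes, matching DNS query logs against categorized lists of known-bad domains and then counting the share of devices (and organizations) that touched each category, can be reproduced on your own resolver logs. The following is an added example, not Akamai's code or data: the blocklists, the organization and device names, and the `org device qname` log format are all constructed placeholders. It treats a query for a C2 domain as the active-infection signal, separately from malware-download and phishing lookups, and it matches subdomains of a listed domain as well as the listed domain itself.

```python
"""Classify DNS query logs by domain category and compute per-device and
per-organization shares. Added example with constructed sample data; the
blocklist contents and the log format are assumptions, not real indicators."""
from collections import defaultdict

# Constructed blocklists keyed by category (placeholder domains, not real IoCs).
BLOCKLISTS = {
    "malware": {"dl-malware.example", "payload-host.example"},
    "phishing": {"login-verify.example"},
    "c2": {"beacon-c2.example", "panel-c2.example"},
}

# Constructed resolver log, one query per line: "org device qname".
SAMPLE_LOG = """\
acme host-01 www.example.org
acme host-01 cdn.dl-malware.example
acme host-02 login-verify.example
acme host-03 updates.example.net
globex host-11 beacon-c2.example
globex host-11 dl-malware.example
globex host-12 mail.example.com
initech host-21 news.example
initech host-22 docs.example
"""


def match_category(qname):
    """Return the category whose list contains qname or one of its parent
    domains (so 'cdn.dl-malware.example' matches 'dl-malware.example'),
    or None when the name is not on any list."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in BLOCKLISTS.items():
            if candidate in domains:
                return category
    return None


def parse_log(text):
    """Parse 'org device qname' lines into (org, device, qname) tuples,
    skipping malformed lines instead of failing on them."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append(tuple(parts))
    return records


def device_shares(records):
    """Fraction of distinct devices that queried at least one domain in each
    category. A device is identified by (org, device) so that the same
    hostname in two organizations is not collapsed into one."""
    devices = set()
    hits = defaultdict(set)
    for org, device, qname in records:
        key = (org, device)
        devices.add(key)
        category = match_category(qname)
        if category:
            hits[category].add(key)
    return {cat: len(hits[cat]) / len(devices) for cat in BLOCKLISTS}


def orgs_with_c2(records):
    """Organizations with at least one device querying a C2 domain. Unlike a
    malware-download lookup, which may have been blocked before execution,
    a C2 lookup points at an already-running infection."""
    return {org for org, _, qname in records if match_category(qname) == "c2"}


def org_share_with_c2(records):
    """Share of organizations in the log showing C2 lookups."""
    orgs = {org for org, _, _ in records}
    return len(orgs_with_c2(records)) / len(orgs)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for cat, share in device_shares(recs).items():
        print(f"{cat:9s} {share:.1%} of devices")
    print("orgs with C2 lookups:", sorted(orgs_with_c2(recs)))
    print(f"{org_share_with_c2(recs):.1%} of orgs with active C2 traffic")
```

On the constructed log, two of seven devices reach a malware-serving domain, one reaches a phishing domain and one reaches a C2 domain, and one of three organizations shows C2 traffic. Real resolver logs carry far more noise (CDN names, DNS-over-HTTPS bootstrap lookups, sinkholed domains), so in practice the C2 list should be curated and the per-organization result reviewed before it is treated as a confirmed compromise.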

“Based on our DNS data, we observed that more than 30% of analyzed organizations with malicious C2 traffic are in the manufacturing sector,” the Akamai researchers said. “In addition, companies in the business services (15%), high technology (14%), and commerce (12%) verticals were impacted. The top two verticals in our DNS data (manufacturing and business services) also resonate with the top industries hit by Conti ransomware.”

Botnets account for 44% of malicious traffic

Akamai broke the C2 traffic down further into several categories: botnets, initial access brokers (IABs), infostealers, ransomware, remote access trojans (RATs), and others. Botnets were the top category, accounting for 44% of the malicious C2 traffic, not even taking into account some prominent botnets like Emotet or Qakbot whose operators are in the business of selling access to systems and were therefore counted in the IAB category. However, most botnets can technically be used to deliver additional malware payloads, and even when their owners do not publicly advertise this service, some have private deals. For example, the TrickBot botnet had a private working relationship with the cybercriminals behind the Ryuk ransomware.

The largest botnet observed by Akamai in C2 traffic originating from enterprise environments is QSnatch, which relies on a piece of malware that specifically infects the firmware of outdated QNAP network-attached storage (NAS) devices. QSnatch first appeared in 2014 and remains active to this day. According to a CISA advisory, as of mid-2020 there were over 62,000 infected devices worldwide. QSnatch blocks security updates and is used for credential scraping, password logging, remote access, and data exfiltration.

IABs were the second largest category in C2 DNS traffic, the biggest threats in this group being Emotet, with 22% of all infected devices, and Qakbot with 4%. Emotet is one of the largest and longest-running botnets used for initial access into corporate networks by multiple cybercriminal groups. Moreover, over the years Emotet has been used to deploy other botnets, including TrickBot and Qakbot.

Malware with links to notorious ransomware gangs

In 2021 law enforcement agencies from several countries, including the US, the UK, Canada, Germany, and the Netherlands, managed to take over the botnet's command-and-control infrastructure. However, the takedown was short-lived, and the botnet is now back with a new iteration. Emotet started as an online banking trojan but has morphed into a malware delivery platform with several modules that also give its operators the ability to steal emails, launch DDoS attacks, and more. Emotet also had known relationships with ransomware gangs, most notably Conti.

Like Emotet, Qakbot is another botnet that is being used to deliver additional payloads and has working relationships with ransomware gangs, for example Black Basta. The malware is also known to leverage the Cobalt Strike penetration testing tool for additional functionality and persistence, and it has information-stealing capabilities.

Although botnets are known to deliver ransomware, once deployed such programs have their own C2s, which are also represented in Akamai's DNS data. Over 9% of devices that generated C2 traffic did so to domains associated with known ransomware threats. Of these, REvil and LockBit were the most common ones.

“Our recent analysis of the methodology of modern ransomware groups, such as the Conti group, showed that sophisticated attackers often assign operators to work ‘hands on keyboard’ in order to quickly and efficiently progress an attack,” Akamai researchers said. “The ability to view and block C2 traffic can be pivotal to stopping an ongoing attack.”
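One common way to act on the "block C2 traffic" point above is a DNS response policy zone (RPZ), which makes a recursive resolver such as BIND answer NXDOMAIN for listed names instead of resolving them. The following is an added example, not Akamai's tooling: it builds an RPZ zone file from a list of C2 domains, adds a wildcard record so subdomains are covered too, and refuses malformed or single-label entries, since a bare top-level domain in an RPZ would sinkhole every name under it. The domain list, the zone name `c2.rpz.local` and the serial value are constructed placeholders.

```python
"""Generate a BIND response policy zone (RPZ) that returns NXDOMAIN for known
C2 domains and their subdomains. Added example; the C2 list is a constructed
placeholder and the zone origin and serial are assumptions."""
import re

# Constructed C2 domain list with deliberately messy entries (placeholders,
# not real indicators): mixed case, trailing dot, a space, a bare label.
C2_DOMAINS = ["beacon-c2.example", "Panel-C2.example.", "bad label", "example"]

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domain(name):
    """Lower-case, strip the trailing dot, validate every label, and reject
    single-label names: a bare TLD in an RPZ would block an entire TLD."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return name


def rpz_records(domains):
    """For each valid domain emit 'CNAME .' (RPZ shorthand for NXDOMAIN) plus a
    wildcard for its subdomains; deduplicate and sort so zone rebuilds diff cleanly."""
    clean = sorted({d for d in (normalise_domain(x) for x in domains) if d})
    records = []
    for d in clean:
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


def rpz_zone(domains, serial, origin="c2.rpz.local."):
    """Full zone text: SOA and NS apex records followed by the policy records.
    The serial must increase on every rebuild or secondaries will not reload."""
    header = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(domains)) + "\n"


if __name__ == "__main__":
    print(rpz_zone(C2_DOMAINS, serial=2023010100), end="")
```

The generated file is loaded as an ordinary zone and referenced from a `response-policy { zone "c2.rpz.local"; };` statement in `named.conf`. Keep RPZ hit logging enabled when you deploy it: the resolver answering NXDOMAIN stops the beacon, but the logged query is what tells you which device is infected and needs cleaning, which is the "view" half of the quote above.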

Infostealers were the third most common category by C2 traffic, accounting for 16% of devices observed by Akamai. As their name suggests, these malware programs are used to steal information that can be valuable to attackers and enable further attacks, such as usernames and passwords for various services, authentication cookies stored in browsers, and other credentials stored locally by other applications. Ramnit, a modular infostealer that can also be used to deploy additional malware, was the top threat seen in this category. Other notable threats seen in C2 traffic included Cobalt Strike, the Agent Tesla RAT, the Pykspa worm, and the Virut polymorphic virus.

Copyright © 2023 IDG Communications, Inc.