Akamai Technologies revealed the findings of the State of the Internet / Security: Carrier Insights Report for Spring 2018.
The Internet security report analyzes data from more than 14 trillion DNS queries collected by Akamai between September 2017 and February 2018 from communications service provider (CSP) networks.
“We believe that the DNS queries that our service provides act as a strategic component to arming security teams with the proper data necessary for that big picture view of the threat landscape,” Yuriy Yuzifovich, director of Data Science, Threat Intelligence, Akamai, said.
Akamai’s SIRT and Nominum teams, in January 2018, shared a list of over 500 suspicious Mirai C&C domains. The goal of this was to understand whether, if by using DNS data and artificial intelligence, this list of C&C could be augmented, and make future Mirai detection more comprehensive.
This analysis suggested an evolution of IoT botnets, from a nearly exclusive use case of launching DDoS attacks to more sophisticated activities such as ransomware distribution and crypto-mining.
IoT botnets are difficult to detect because there are very few indicators of compromise for most users—and yet, the collaborative research by these teams created the chance to find and block dozens of new C&C domains to control the activity of the botnet.
Akamai observed two distinct business models for large-scale crypto-mining. The first model uses infected devices’ processing power to mine cryptocurrency tokens. The second model uses code embedded into content sites that make devices that visit the site work for the cryptominer. Akamai conducted analysis on this second business model, as it poses a new security challenge for users and website owners alike.
After analyzing the cryptominer domains, Akamai was able to estimate the cost, in terms of both computer power and monetary gains, from this activity. An interesting implication of this research shows that cryptomining could become a viable alternative to ad revenue to fund websites.
The Web Proxy Auto-Discovery (WPAD) protocol was discovered in use to expose Windows systems to Man-in-the-Middle attacks between November 24 and December 14, 2017. WPAD is meant to be used on protected networks (i.e. LANs) and leaves computers open to significant attacks when exposed to the Internet.
Malware authors are branching out to the collection of social media logins in addition to financial information. Terdot, a branch of the Zeus botnet, creates a local proxy and enables attackers to perform cyber-espionage and promote fake news in the victim’s browser.
The Lopai botnet is an example of how botnet authors are creating more flexible tools. This mobile malware mainly targets Android devices and uses a modular approach that allows owners to create updates with new capabilities.