One in 10 organizations subject to malware traffic on their networks

Between 10% and 16% of organizations are had malicious command-and-control (C2) traffic on their networks in any given quarter last year.

The finding comes in a new report from cloud services company Akamai, which analyzed up to seven million Domain Name System (DNS) requests a day on systems administered by the company.

The report concludes that, last year, 10% to 16% of organizations experienced potential malicious command-and-control (C2) traffic on their DNS network. Akamai says it has “observed an increasing trend throughout the year”, with 2.3 billion malware strains detected just in the first half of 2022.

Botnets accounted for 44% of all malicious C2 traffic, followed by initial access brokers (IABs) at 26%. An IAB’s primary role is to perform initial breaches and then sell access to other ransomware and cybercriminal groups. Which make them also a large risk to organizations.

“This new report shows the massive range of cybercrime in the modern threat landscape,” said Steve Winterfeld, Advisory CISO at Akamai. “Attackers are unfortunately finding success when they leverage as-a-service hacking tools and are able to combine various tools in a single integrated multi-stage attack. 

Multistage attacks

As hacking tools are getting more advanced, cybercriminals are also finding increased success when they join forces. In the report, Akamai broke the malicious C2 traffic into several categories: botnets (a network of devices which each run one or more bots), initial access brokers (IABs), infostealers, ransomware, remote access toolss (RATs), and others.

A C2 server, which is a main tool that threat actors use to launch and control cyber attacks, is pivotal in the success of these attacks. And as DNS is a critical part of internet infrastructure, Akamai says it’s unsurprisingly that “attackers often choose to leverage this infrastructure to facilitate their attacks – whether it’s a threat that accesses C2 servers to await commands, or a remote code execution that reaches out to a domain in order to download malicious files onto a machine.”

“We also observe ransomware, remote access tools (RATs), and infostealers in the mix — all have a critical role to play in various attack stages. And with tools readily available in the underground to both novice attackers and experienced cybercriminals that allow them to gain initial entry, remain hidden in the network, and further the attack, organizations are more than ever susceptible to cybercrime”, the report says.

Targeting manufacturing organizations

While many cybercriminals chose their targets based on financial outcomes, the report showed that more than 30% of the organizations with malicious C2 traffic on their networks were in the manufacturing sector.

Akamai says this is concerning because of its critical infrastructure, and that “successful attacks on this industry could potentially cause real-world effects, such as supply chain disruptions”.

“Once these home devices become part of a massive botnet, attackers could mobilize these zombie devices to perform myriad cybercriminal activities without the user’s knowledge, like spamming and launching DDoS attacks against organizations.”

Akamai

The data doesn’t explain why the manufacturing sector is heavily hit, however, Akami saw the presence of hackers like IABs in their network, which could indicate that the cybercriminals are gathering intelligence about their potential targets to sell later on. The report also found infostealers to be a threat to the sector, as they harvest browser information for credentials and credit card details, which they then sell.

Other targets were found within companies in the business services (15%), high technology (14%), and commerce (12%) sectors.

Regional differences

North America had the highest percentage of affected devices followed by Europe, the Middle East, and Africa EMEA. The report also showed a burgeoning outbreak of FluBot malware in Europe, the Middle East, and Africa (EMEA), Latin America, and Asia-Pacific and Japan. Which might be explained by the malware’s social engineering tactics, and its use of multiple European languages.

However, QSnatch is reported to be the leading threat across the regions. And the report also showed that different threat groups are targeting different countries.

“Regional threats make a difference as you decide what your vulnerability management and pentest teams should focus on”, Akamai said.

“Successful attacks on this [manufacturing] industry could potentially cause real-world effects, such as supply chain disruptions.”

Akamai

Zombie devices

There are also trends in how cybercriminals are targeting their victims. Some hackers target big enterprises for a potential bigger payout, some focus on where it hurts the most from an infrastructure point of view, and some attack those with low cybersecurity systems.

However, the scenario is different for home networks. Even if they are often not as secure as a corporate environment, attacks on individuals will not pay out as much as corporate ones. That’s why attackers are looking for ways to monetize their ability to more easily infect home devices. One example of that is launching large-scale campaigns that compromise as many devices as possible in so-called ‘spray and pray tactics’ against enterprises.  

“Once these home devices become part of a massive botnet, attackers could mobilize these zombie devices to perform myriad cybercriminal activities without the user’s knowledge, like spamming and launching DDoS attacks against organizations.”

Top 3 botnets in the DNS traffic of home networks

Pykspa has accounted for 367 million DNS queries flagged globally between July 2022 and January 2023. It’s a threat that spreads through Skype by sending malicious links to the affected users’ contacts. It can also create a tweet with a download link to the malware.

FluBot is an Android malware botnet that primary infects Android phones via text messages. It tricks users to click on a malicious link that subsequently downloads malware. It also uploads the affected users’ contact lists and sends the messages links to them. It can overlay a bogus page on banking apps, which can endanger users’ credentials and allow them to be stolen for identity theft or to make fraudulent transactions.

Mirai comes third with 156 million flagged DNS queries. It is known for targeting IoT devices with open telnet ports. This self-propagating worm searches for vulnerable devices that use the default username and password combinations.

Read the report Attack Superhighway, a deep dive on malicious traffic here.