Information Sharing Can Help to Fight Cybercrime

The new State of the Internet / Security: Carrier Insights Report for Spring 2018, by Akamai Technologies Inc, showed that sharing information matters.

The report analyzed data from more than 14 trillion DNS queries collected by Akamai between September 2017 and February 2018 from communications service provider (CSP) networks around the world.

"Siloed understanding of attacks against individual systems isn't enough for defenders to prepare for today's complicated threat landscape," Yuriy Yuzifovich, Director of Data Science, Threat Intelligence at Akamai, said in a press release.

"Communicating with varying platforms is critical when acquiring knowledge across teams, systems, and data sets. We believe that the DNS queries that our service provides act as a strategic component to arming security teams with the proper data necessary for that big picture view of the threat landscape," he added.

Collaborating Against the Mirai Botnet

According to the report, the collaboration between teams within Akamai played a crucial role in discovering Mirai command and control (C&C) domains to make future Mirai detection more comprehensive. The Akamai Security Intelligence and Response Team (SIRT) has been following Mirai since its inception, using honeypots to detect Mirai communications and identify its C&C servers.

In late January 2018, Akamai's SIRT and Nominum teams shared a list of over 500 suspicious Mirai C&C domains. The goal was to understand whether, by using DNS data and artificial intelligence, this list of C&C domains could be augmented and future Mirai detection made more comprehensive. Through several layers of analysis, the combined Akamai teams were able to augment the Mirai C&C dataset and, in doing so, discover a connection between Mirai botnets and distributors of the Petya ransomware.

This collaborative analysis suggested that IoT botnets are evolving, from the nearly exclusive use case of launching DDoS attacks to more sophisticated activities such as ransomware distribution and crypto-mining. IoT botnets are difficult to detect because most users see very few indicators of compromise; even so, the collaborative research by these teams created the chance to find and block dozens of new C&C domains used to control the botnet's activity.

Rooting Out JavaScript Cryptominers

Collaboration is critical when facing cryptocurrency threats, especially when it comes to crypto-mining.

In its report, Akamai noted two distinct business models. The first uses infected devices' processing power to mine cryptocurrency tokens. The second embeds mining code into content sites so that the devices of visitors to those sites do the mining work for the operators.

Akamai did extensive analysis on the second business model, as the firm saw it posing a new security challenge for users and website owners alike. After analyzing the cryptominer domains, the firm was able to estimate the cost of this activity in both computing power and monetary gains.

Other Evolving Threats

The report highlighted the changing threat landscape. Researchers observed attackers reusing old techniques in today's digital landscape. Over the six months in which Akamai collected this data, a few prominent malware campaigns and exploits showed notable changes in their operating procedures, including:

  • The Web Proxy Auto-Discovery (WPAD) protocol was observed being used to expose Windows systems to Man-in-the-Middle attacks between November 24 and December 14, 2017. WPAD is meant to be used on protected networks (i.e., LANs) and leaves computers open to significant attacks when exposed to the Internet.
  • Malware authors are branching out to the collection of social media logins in addition to financial information. Terdot, a branch of the Zeus botnet, creates a local proxy and enables attackers to perform cyber-espionage and promote fake news in the victim’s browser.
  • The Lopai botnet is an example of how botnet authors are creating more flexible tools. This mobile malware mainly targets Android devices and uses a modular approach that allows owners to create updates with new capabilities.