DNS data shows one in 10 companies have malware traffic on their networks


During each quarter last year, between 10% and 16% of organizations had DNS traffic originating on their networks toward command-and-control (C2) servers associated with known botnets and other malware threats, according to a report from cloud and content delivery network provider Akamai.

More than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access into corporate networks to other cybercriminals, the report said. “As we analyzed malicious DNS traffic of both enterprise and home users, we were able to spot several outbreaks and campaigns in the process, such as the spread of FluBot, an Android-based malware moving from country to country around the world, as well as the prevalence of various cybercriminal groups aimed at enterprises,” Akamai said. “Perhaps the best example is the significant presence of C2 traffic related to initial access brokers (IABs) that breach corporate networks and monetize access by peddling it to others, such as ransomware as a service (RaaS) groups.”

Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to seven trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, including those that host phishing pages, serve malware, or are used for C2.

Malware could affect a very large pool of devices

According to the data, between 9% and 13% of all devices observed by Akamai making DNS requests every quarter attempted to reach a malware-serving domain. Between 4% and 6% tried to resolve known phishing domains and between 0.7% and 1% tried to resolve C2 domains.

The share for C2 domains might seem small at first glance compared to malware domains, but consider that we are talking about a very large pool of devices here, capable of generating 7 trillion DNS requests per day. A request to a malware-hosting domain does not necessarily translate to a successful compromise because the malware could be detected and blocked before it executes on the device. However, a query for a C2 domain indicates an active malware infection.

Organizations can have thousands or tens of thousands of devices on their networks, and a single compromised device can lead to a full network takeover, as in most ransomware cases, thanks to attackers using lateral movement techniques to jump between internal systems. When Akamai’s C2 DNS data is considered per organization, more than one in 10 organizations had an active compromise last year.
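As an added illustration of the mapping described above (example code written for this article, not Akamai's own tooling), the snippet below classifies constructed resolver log lines against a constructed category list and computes the per-device shares and the per-organization C2 flag the report talks about. Domain names, log format and organization names are all placeholders.

```python
import re
from collections import defaultdict

# Constructed threat-intel feed (placeholder domains, not Akamai's real list):
# domain -> category, mirroring the report's malware / phishing / C2 split.
THREAT_DOMAINS = {
    "c2-example.test": "c2",
    "dropper-example.test": "malware",
    "login-example.test": "phishing",
}

# Constructed resolver log: "<timestamp> <org> <device> <queried name>"
SAMPLE_LOG = """\
2023-01-05T10:00:01Z acme dev-001 www.example.com
2023-01-05T10:00:02Z acme dev-002 beacon.c2-example.test
2023-01-05T10:00:03Z acme dev-003 cdn.dropper-example.test
2023-01-05T10:00:04Z acme dev-003 www.example.org
2023-01-05T10:00:05Z globex dev-010 mail.example.net
2023-01-05T10:00:06Z globex dev-011 secure.login-example.test
2023-01-05T10:00:07Z initech dev-020 c2-example.test.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(qname):
    """Category for qname; a listed domain also covers all its subdomains."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = THREAT_DOMAINS.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def analyze(log_text):
    """Share of devices per category, plus a per-org flag set by any C2 query."""
    # A malware/phishing hit may have been blocked; a C2 query is treated as
    # an active infection, so one C2 hit marks the whole org as compromised.
    devices, hits, org_c2 = set(), defaultdict(set), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        _, org, device, qname = m.groups()
        devices.add(device)
        org_c2.setdefault(org, False)
        cat = classify(qname)
        if cat:
            hits[cat].add(device)
            if cat == "c2":
                org_c2[org] = True
    shares = {cat: len(devs) / len(devices) for cat, devs in hits.items()}
    return shares, org_c2
```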

“Based on our DNS data, we observed that more than 30% of analyzed organizations with malicious C2 traffic are in the manufacturing sector,” the Akamai researchers said. “In addition, companies in the business services (15%), high technology (14%), and commerce (12%) verticals were affected. The top two verticals in our DNS data (manufacturing and business services) also resonate with the top industries hit by Conti ransomware.”

Botnets account for 44% of malicious traffic

Akamai broke the C2 traffic down further into several categories: botnets, initial access brokers (IABs), infostealers, ransomware, remote access trojans (RATs), and others. Botnets were the top category, accounting for 44% of the malicious C2 traffic, not even counting some notable botnets like Emotet or Qakbot whose operators are in the business of selling access to systems and were therefore counted in the IAB category. However, most botnets can technically be used to deliver additional malware payloads, and even if their owners do not publicly offer this service, some have private deals. For example, the TrickBot botnet had a private working relationship with the cybercriminals behind the Ryuk ransomware.

The top botnet observed by Akamai in C2 traffic originating from enterprise environments is QSnatch, which relies on a piece of malware that specifically infects the firmware of outdated QNAP network-attached storage (NAS) devices. QSnatch first appeared in 2014 and remains active to date. According to a CISA advisory, as of mid-2020, there were over 62,000 infected devices worldwide. QSnatch blocks security updates and is used for credential scraping, password logging, remote access, and data exfiltration.

IABs were the second largest category in C2 DNS traffic, the largest threats in this category being Emotet, with 22% of all infected devices, and Qakbot with 4%. Emotet is one of the largest and longest-running botnets used for initial access into corporate networks by many cybercriminal groups. Furthermore, over the years, Emotet has been used to deploy other botnets including TrickBot and Qakbot.

Malware with links to known ransomware gangs

In 2021, law enforcement agencies from several countries including the US, the UK, Canada, Germany, and the Netherlands managed to take over the botnet’s command-and-control infrastructure. However, the takedown was short-lived, and the botnet is now back with a new iteration. Emotet started as an online banking trojan but has morphed into a malware delivery platform with several modules that also give its operators the ability to steal email, launch DDoS attacks, and more. Emotet also had known associations with ransomware gangs, most notably Conti.

Like Emotet, Qakbot is another botnet that is being used to deliver additional payloads and has working relationships with ransomware gangs, for example Black Basta. The malware is also known to leverage the Cobalt Strike penetration testing tool for additional functionality and persistence, and has information-stealing capabilities.

While botnets are known to deliver ransomware, once deployed such programs have their own C2s that are also represented in Akamai’s DNS data. Over 9% of devices that generated C2 traffic did so to domain names associated with known ransomware threats. Of these, REvil and LockBit were the most common ones.

“Our recent analysis of the methodology of modern ransomware groups, such as the Conti group, showed that sophisticated attackers often assign operators to work ‘hands on keyboard’ in order to quickly and efficiently progress an attack,” Akamai researchers said. “The ability to see and block C2 traffic can be pivotal to stopping an ongoing attack.”

Infostealers were the third most common category by C2 traffic, accounting for 16% of devices observed by Akamai. As their name suggests, these malware programs are used to steal data that can be valuable to attackers and further other attacks, such as usernames and passwords for various services, authentication cookies stored in browsers, and other credentials stored locally in other applications. Ramnit, a modular infostealer that can also be used to deploy additional malware, was the top threat observed in this category. Other notable threats observed in C2 traffic included Cobalt Strike, the Agent Tesla RAT, the Pykspa worm, and the Virut polymorphic virus.

Copyright © 2023 IDG Communications, Inc.
