Approximately 10-16 percent of organizations have shown evidence of malicious command and control (C2) activities, strongly indicating a network breach within the last year, according to Akamai.
Emotet and QSnatch
Akamai observes nearly seven trillion DNS requests daily and classifies malicious DNS transactions into three main categories: malware, phishing and command and C2. These attacks present a major threat to both enterprises and home users.
They analyzed malicious DNS data and linked attackers to malware such as Emotet, a malware strain that is now one of the most dangerous cybercrime services, and QSnatch, which targets backups or file storage and is the most significant botnet threat in enterprise environments.
According to their data, QSnatch accounted for 36% of infected devices. This malware specifically targets QNAP, a type of NAS device used for backups or file storage by businesses. Although the infection method is still unknown, researchers surmise that QSnatch could infect via exploitation of firmware vulnerabilities or brute force attacks on devices with a default username/password.
Additional findings of the report include:
- 26 percent of affected devices have attempted to reach out to known initial access brokers (IAB) C2 domains, including Emotet-related domains. IABs present a large risk to organizations as their primary role is to initiate the breach and sell access to ransomware groups and other cybercriminal groups.
- Network-attached storage devices are ripe for exploitation as they are less likely to be patched and they hold troves of valuable data. Akamai data shows attackers are abusing these devices through QSnatch.
- Attacks on home networks are seeking to abuse not only traditional devices like computers, but also mobile phones and IoT devices. A significant amount of attack traffic can be correlated with mobile malware and IoT botnets.
“This new report shows the massive range of cybercrime in the modern threat landscape,” said Steve Winterfeld, Advisory CISO at Akamai. “Attackers are unfortunately finding success when they leverage as-a-service hacking tools and are able to combine various tools in a single integrated multi-stage attack.”