On December 29th, the United States Computer Emergency Readiness Team (US-CERT), in coordination with the FBI, released a document outlining recent attacks against US interests that have been attributed to the Russian government. To be clear, Akamai does not comment on the attribution of attacks. Rather, we would like to inform our customers of what a reasonable, informed course of action should be regarding this new information.
The Joint Analysis Report (JAR) document released by US-CERT, DHS and the FBI is primarily a guide for IT and IS professionals in the private sector to bolster their defenses. The report highlights the use of URL shorteners in spear-phishing campaigns. The URL shorteners were used to obfuscate malicious links to the attacker's malware. The attackers went so far as to register textually similar domains in an effort to trick the victim into thinking the link they were sent was indeed legitimate. As an example, instead of akamai.com, they would register a domain such as akarnai.com (note the 'rn' in place of the 'm'). Additionally, the attackers used vulnerability scanners that specifically targeted XSS and SQLi vulnerabilities, and exploited the flaws they found. Another method the attackers frequently use while awaiting results from their phishing campaigns is exfiltrating data from the backend database via SQL injection. It is definitely worth scanning for this in your own environment to ensure your systems are not exposed.
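The look-alike domain trick above (akarnai.com standing in for akamai.com) is something a mail gateway or SOC script can check for on the defender's side. The following is an added example, not code from the JAR or from Akamai: it folds common confusable character sequences before comparing the registrable label of each link's hostname against a list of protected domains, and also catches one-character typos; the confusable table, the sample links and the one-label public-suffix assumption are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive confusable pairs; 'rn' for 'm' is the akarnai.com case.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

def normalize(label: str) -> str:
    """Fold confusable sequences so 'akarnai' and 'akamai' compare equal."""
    label = label.lower()
    for seq in sorted(CONFUSABLES, key=len, reverse=True):  # longest first
        label = label.replace(seq, CONFUSABLES[seq])
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete or substitute at cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Second-level label of a hostname (assumes a one-label public suffix)."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_domain(host: str, protected: list, max_distance: int = 1):
    """Return (verdict, protected_domain) for the first protected domain matched."""
    label = registrable_label(host)
    for domain in protected:
        good = registrable_label(domain)
        if label == good:
            return "legitimate", domain   # exact match, nothing to flag
        if normalize(label) == normalize(good):
            return "confusable", domain   # equal only after rn->m style folding
        if edit_distance(normalize(label), normalize(good)) <= max_distance:
            return "typo", domain         # a one-character slip or addition
    return "unrelated", None

def flag_links(links, protected):
    """Classify each link's hostname; anything but exact or unrelated is flagged."""
    results = [(url, *classify_domain(urlsplit(url).hostname or "", protected))
               for url in links]
    return [r for r in results if r[1] not in ("legitimate", "unrelated")]

SAMPLE_LINKS = [  # constructed sample links, as if pulled from inbound mail
    "https://www.akamai.com/login", "http://akarnai.com/reset-password",
    "https://akamaii.com/sso", "https://example.com/",
]
```

Running `flag_links(SAMPLE_LINKS, ["akamai.com"])` flags the akarnai.com link as confusable and the akamaii.com link as a typo, while the genuine www.akamai.com link passes; a production version would resolve shortened URLs first and use a real public-suffix list.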
Akamai maintains a client reputation database scored by malicious activity originating from IP addresses attacking its platform. Many of the IP addresses listed in the JAR are already present in this database and have been for some time. Akamai customers can enable client reputation rules for their web properties as an extra layer of protection.
The US-CERT document goes into detail on what can be done to mitigate risk, but here are our recommendations. Some of these suggestions apply specifically to users of Akamai's platforms:
1. Educate your staff on spear-phishing campaigns: staff should not trust links emailed to them and should not enter any credentials into those external links if prompted.
2. Enable WAF rules in Akamai's Kona product for the top 10 OWASP vulnerabilities, specifically rules for SQLi and XSS.
3. Keep up to date on software and OS patches.
4. Ensure you have client and server locks on your registered company domain names.
5. Enable two-factor authentication where appropriate.
6. Enable monitoring for the IP addresses disclosed in the US-CERT document.
7. Enable client reputation rules for high-risk customers.
The Internet is under constant attack from all manner of adversaries on the global stage. These adversaries will use the easiest, least complex methods first before escalating to more advanced techniques. If one method works, expect that same technique to be used again in the future. Many of the easiest but most effective methods, such as phishing, can be prevented by proper education and by due diligence in following proper security policies.