Akamai Security Intelligence & Threat Research

Written by the Akamai Threat Research Team

Akamai Threat Research has observed an increase in attacks attempting to exploit a recent Drupal vulnerability (CVE-2018-7600).

Much like recent vulnerabilities in Apache Struts, attackers have attempted to use this exploit for remote command injection attacks and to harness the power of the botnet to join a herd of coin-miners for profit.

While the attacker did not use a large number of machines for this, he did make a fair amount of money - almost $11,000 USD so far. It's not enough to quit his job and start a life full of luxury, but considering the time spent versus the money received, the attacker will be encouraged to pursue his criminal activities in the future.

It's that time of year - the Summer 2018 State of the Internet / Security: Web Attack report is now live. This new naming schema is just one of the many changes you'll notice if you're a returning reader of the quarterly report, and there are more changes coming as we work to bring you insights and intelligence from our data in as useful and timely a way as possible.

The Web Attack report is evolving into a shorter, leaner report. The Attack Spotlight was released as a stand-alone paper. The statistical plots that made up a large part of the report have been published as blog posts (Web Attacks & DDoS By The Numbers). These changes will allow us to publish statistical data in a more timely manner in the future. At the same time, we are moving to more focused reports, published biannually, instead of a larger report published quarterly.

Summer SOTI - Web Attacks

Continuing Changes

Welcome to the second blog post for the Summer 2018 State of the Internet / Security. If you've read the SOTI / Security report before, much of what you see here should be familiar, though the time frame we're looking at is the six months from November 2017 to April 2018, instead of the last quarter. The numbers are bigger and give us a better idea of the long-term trends we're seeing.

Anonymous #OpIcarus2018

Written by Lisa Beegle

Operation #OpIcarus2018 has been announced, and it encompasses several ongoing campaigns, including #OpPayBack, #OpIcarus, #DeleteTheElite, and #SosNicaragua. The attack campaign(s) are being driven by actors using Anonymous iconography and ideological motives. These malicious actors have stated their intent to attack various banking institutions between June 21 and 28, 2018. Targeted enterprises need to be on heightened alert leading up to these dates, as there are possible actions that will take place in advance of the stated dates.

There is no central organization to Anonymous. When a threat is issued, it can be difficult to determine whether it is the work of an individual or a larger collective. Often, it will be an individual who is attempting to gain support for the chosen cause and then build momentum from other sympathetic individuals. There is evidence that unaffiliated groups, such as organized crime, masquerade as part of the collective to hide their own activities.

Hacktivist groups, such as Anonymous, continue to cause distraction and disruption by facilitating various politically motivated attack campaigns against governments, corporations, or even against specific individuals. In addition to attacking online, there may be in-person protests or other physical acts of protest.

Summer SOTI - DDoS by the numbers

Time for a Change

The State of the Internet / Security report has been the home for Akamai's research on DDoS, attack traffic and Internet threats for over three years. While the report has evolved and expanded its scope considerably over that time, the content and how it's presented have only seen moderate changes. But as of the Summer 2018 Web Attack report, you'll see significant changes in how we present this content.

Earlier this year, Akamai mitigated the largest DDoS attack in its history, fueled by a new reflector, memcached. The attack targeted one of our software clients and broke through the 1 Tbps threshold for the first time. Memcached was developed to act as a distributed memory caching system. Since the protocol uses UDP, an insecure protocol, and carries the potential for tremendous amplification, it has the key traits of a successful reflection-based attack vector. This Attack Spotlight takes a deeper look into the memcached attack vector that redefined the term "largest attack" and is the first part of our State of the Internet Security Summer 2018 report.

Why do we need a Knowledge Base system

Let me start with an obvious statement: the Internet generates a lot of data. Every day we, Akamai's security research teams, see billions of DNS queries, millions of domains, and who knows how many IP addresses. This is an exciting thing, especially if you're a data scientist.

In the past year, we have taken on a "simple task": to map the "dark side of the Internet" - the place where malicious activities are born, die, and constantly change. Since we have a significant volume of DNS traffic data, we believed that taking on this epic task was feasible.

Seeing all the data in the world does not provide all the value in the world unless we can tame the data. Data taming means making sense of the data, and that required us to understand the relationships between domains, hosting servers, name servers, CNAMEs, and ASes, and to learn how these relationships change from day to day. With this information, we can finally identify which of these relationships are used for malicious activities.

To achieve these goals, we created the Domain Reputation System (DRS), a huge DNS-based knowledge topology graph. DRS currently includes over a billion nodes and edges, and this number is growing every day. Using this knowledge base, we are able to generate real-time detection of many sorts of threats, including phishing, botnet and malware-related attacks.

The Dark Side of APIs, Part 2

Ryan Barnett, Principal Security Researcher, Akamai

Elad Shuster, Senior Security Researcher, Akamai

During its research into Credential Abuse attack campaigns, Akamai's threat research team conducted an analysis of web logins to gain insights into how widespread the adoption of API-based logins is and whether or not this trend also affects attackers and attack campaigns. It will come as no surprise that API-based logins are highly targeted by credential abuse attackers for a variety of reasons.

Universal Plug and Play (UPnP): What you need to know

Universal Plug and Play (UPnP) is a widely used protocol with a decade-long history of flawed implementations across a wide range of consumer devices. In this paper, we will cover how these flaws are still present on devices, how these vulnerabilities are actively being abused, and how a feature/vulnerability set that seems to be mostly forgotten could lead to continued problems in the future with DDoS, account takeover, and malware distribution.

Readers must be aware that this is an active vector currently in use to conceal the traffic of attackers. The location of the origin of the traffic is effectively hidden by using vulnerable devices as proxies. Carriers and ISPs need to be aware of the vulnerability, as end users and customers may appear to be hosting content or the source of attacks when the responsible party is actually behind one or several layers of compromised routers. Law enforcement officers should be advised that, similar to other types of proxies, UPnProxy has the potential to make their jobs harder by adding another layer of obfuscation to traffic from criminal actors.

The Dark Side of APIs: Part 1, API Overview

Ryan Barnett, Principal Security Researcher, Akamai

Elad Shuster, Senior Security Researcher, Akamai
API Overview

Application Programming Interfaces (APIs) are a software design approach that enables software and system developers to integrate with other systems based on a defined set of communication methods. APIs serve as software building blocks and allow for software reuse - essentially allowing fast development of new systems based on existing capabilities.