Akamai Diversity

Akamai Security Intelligence & Threat Research

Akamai InfoSec

Akamai InfoSec

September 5, 2017 12:05 PM

WireX update: UDP attack capabilities

*Akamai would like to acknowledge the research by F5 containing additional information on the capabilities of this malware, released September 2nd. Finding new features The WireX botnet was discovered due to its role in a series of prolonged attacks against several organizations. It was brought to our attention, thanks to researchers at 360.cn, that some WireX samples found in the wild appeared to have additional UDP attack capabilities that weren't

Akamai InfoSec

Akamai InfoSec

August 28, 2017 8:05 AM

The WireX Botnet: An example of cross-organizational ...

Introduction On August 17th, 2017, multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks from a botnet dubbed WireX. The botnet is named for an anagram for one of the delimiter strings in its command and control protocol. The WireX botnet comprises primarily Android devices running malicious applications and is designed to create DDoS traffic. The botnet is sometimes associated with ransom notes to targets.

Larry Cashdollar

Larry Cashdollar

August 2, 2017 6:30 AM

Larry's Cabinet of Web Vulnerability Curiosities

One of my responsibilities as a member of the Akamai Security Intelligence Response Team (SIRT) is to research new web application vulnerabilities. For the last year, I have focused on Wordpress plugin vulnerabilities, and looking for any interesting code tidbits in my box of Wordpress toys. There are almost 50,000 wordpress plugins (at time of publication) and Wordpress is the Content Management System (CMS) of choice for over 30 million

Larry Cashdollar

Larry Cashdollar

July 26, 2017 7:00 AM

Part 1: Reading SPAM for Research

I recently wrote an article for Information Security Magazine where I explained how internet security researchers could use their spam folders as a resource tool. It got me thinking about going into greater detail on what I've found in my inbox. Phishing Sites I noticed an increase in "free gift cards" and other e-commerce type offers in my spam email account around Black Friday the day after Thanksgiving, which

Yohai Einav

Yohai Einav

July 25, 2017 8:01 PM

How to Survive a Post-Infection Apocalypse

Intro Most security experts would agree that the best approach to Cybersecurity is a layered approach; Protect your assets against a variety of attack vectors, in a variety of tactics and in different fronts; secure the endpoint, the network, the cloud, guard your data, in-motion, in-rest, in-transit.

Martin McKeay

Martin McKeay

June 27, 2017 2:28 PM

Dealing with Petya

Akamai is aware of and is tracking the malware threat known as "Petya". Petya is ransomware spread using several methods, including PSexec, Windows Management Instrumentation Command-line (WMIC), and the EternalBlue exploit used by the WannaCry family of ransomware. The malware spreads via port 139 and 445; it probes IP addresses on the local subnet for vulnerable systems.

Hongliang Liu

Hongliang Liu

June 6, 2017 3:36 PM

Reclaiming the hijacked browser

OverviewA browser hijacker is the type of malware which alters your device's browser settings so that you are redirected to web sites that you had no intention of visiting. It is an old, and yet very prevalent problem today.

AkamAI Research

AkamAI Research

June 5, 2017 12:12 PM

Passive HTTP2 Client Fingerprinting - White Paper

HTTP2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred "on the wire" by introducing a full binary protocol, made up of TCP connections, streams and frames, rather than simply being a plain-text protocol. Such a fundamental change between HTTP/1.x to HTTP/2, meant that client side and server side implementations had to incorporate completely new code to support new HTTP2 features - this

Yohai Einav

Yohai Einav

June 1, 2017 2:54 PM

Hoffmeister.br Amplification Attacker: Sparks Inside ...

Looking at the hoffmeister.be data (yes, our previously identified attacker fixed a typo in the TLD) and recent attempts at large-scale amplification attacks, I noticed a surprising absence of spoofed source addresses. My first thought was that the ISP forces the correct IP onto packets entering the network, but that is not common practice (illegal source address packets are dropped if you implement BCP38, SAVI and/or unicast RPF).