Akamai Security Intelligence and Threat Research Blog
https://www.akamai.com/blog
Language: en
Publisher: Akamai Technologies

TCP Middlebox Reflection: Coming to a DDoS Near You
Security Intelligence Response Team | Tue, 01 Mar 2022 13:38:00 UTC
https://www.akamai.com/blog/security/tcp-middlebox-reflection
Over the past week, Akamai security researchers have detected and analyzed a series of TCP reflection attacks, peaking at 11 Gbps and 1.5 Mpps, that were leveled against Akamai customers. The attack, amplified with a technique called TCP Middlebox Reflection, abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic toward a victim machine, creating a powerful DDoS attack.

Akamai Reports Another DoS in Log4j2 (CVE-2021-45105): What You Need to Know
Akamai Threat Research Team | Mon, 20 Dec 2021 18:30:57 UTC
https://www.akamai.com/blog/security/akamai-reports-another-dos-inlog4j2
The series of vulnerabilities recently discovered in Log4j2 has shocked the internet. As part of our continuing research, on December 17, Hideki Okamoto from Akamai found and responsibly reported an additional denial-of-service (DoS) vulnerability, which was assigned CVE-2021-45105.

Capoae Malware Ramps Up: Uses Multiple Vulnerabilities and Tactics to Spread
Larry Cashdollar | Thu, 16 Sep 2021 13:00:00 UTC
https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread
Recently, there has been a plethora of UPX-packed crypto-mining malware written in Golang targeting Linux systems and web applications popping up in the news. The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency. I've named the sample I examined for this post "Capoae," based on the code's output to my terminal.

Kinsing evolves, adds Windows to attack list
Evyatar Saias | Thu, 16 Sep 2021 13:00:00 UTC
https://www.akamai.com/blog/security/Kinsing-evolves-adds-windows-to-attack-list
The campaign was first seen by the Akamai SIRT on February 16, 2021, and appears to be targeting both Windows and Linux systems. The botnet caught our interest because it has been highly active across a diverse set of geographical regions, including the Americas, Europe, and Asia.

UPX Packed Headaches
Akamai SIRT | Mon, 23 Aug 2021 04:00:00 UTC
https://www.akamai.com/blog/security/upx-packed-headaches
Researching malware has many challenges. One of those challenges is obfuscated code and intentionally corrupted binaries. To address challenges like this, we've written a small tool in C that can fix intentionally corrupted binaries automatically. We also plan to open-source the project so other researchers can use it too, and perhaps improve and expand upon the tool's capabilities as needed.

HTTP/2 Request Smuggling
Ryan Barnett | Thu, 05 Aug 2021 04:00:00 UTC
https://www.akamai.com/blog/security/http-2-request-smulggling
HTTP Request Smuggling (also known as an HTTP Desync Attack) has experienced a resurgence in security research recently, thanks in large part to the outstanding work by security researcher James Kettle. His 2019 Black Hat presentation on HTTP Desync attacks exposed vulnerabilities in different implementations of the HTTP standards, particularly within proxy servers and Content Delivery Networks (CDNs). These implementation differences in how proxy servers interpret the construction of web requests have led to new request smuggling vulnerabilities. (Direct link to information on the new vulnerability.)

Kaseya Supply Chain Ransomware Attack
Ryan Barnett | Thu, 15 Jul 2021 04:00:00 UTC
https://www.akamai.com/blog/security/kaseya-supply-chain-ransomware-attack
On July 2, 2021, Kaseya disclosed an active attack against customers using its VSA product, and urged all on-premises customers to switch off Kaseya VSA. Shortly before this alert, users on Reddit started describing ransomware incidents against managed service providers (MSPs), and the common thread among them was on-premises VSA deployments. In the hours that followed, several indicators of compromise (IOCs) were released, and Akamai was able to observe some of that traffic. A patch for the VSA product was released by Kaseya on July 11.

SOTI Research: Gaming In A Pandemic
Amanda Goedde | Wed, 23 Jun 2021 04:00:00 UTC
https://www.akamai.com/blog/security/soti-research-gaming-in-a-pandemic
Welcome to the second edition of SOTI Research. In this edition, we look at the attacks and trends in the gaming industry during 2020. SOTI Research is a condensed, shorter version of our traditional State of the Internet / Security reports, offering focused data points and contextual awareness across a number of threat landscapes.

NorthSec CTF 2021 Write Up: 'Impurity Assessment Form'
Samuel Erb | Tue, 22 Jun 2021 04:00:00 UTC
https://www.akamai.com/blog/security/northsec-ctf-2021-write-up-impurity-assessment-form
This is a write-up of a NorthSec 2021 CTF problem I solved with Allan Wirth (@Allan_Wirth) as part of team SaaS, which finished 3rd. It was an extremely creative problem to solve, so I wanted to share it here.

What A Funny App I Got Here!
Aleksandra Blaszczyk | Mon, 21 Jun 2021 04:00:00 UTC
https://www.akamai.com/blog/security/what-a-funny-app-i-got-here
When you hear the word "malware", the first thing that might come to your mind is a PC or laptop. You think about some weird advertising pop-ups or unrecognized processes running in the background.

ThinkPHP Exploit Actively Exploited in the Wild
Larry Cashdollar | Wed, 26 May 2021 04:00:00 UTC
https://www.akamai.com/blog/security/thinkphp-exploit-actively-exploited-in-the-wild

Romanian Crypto Mining Infection
Larry Cashdollar | Mon, 24 May 2021 04:00:00 UTC
https://www.akamai.com/blog/security/romanian-crypto-mining-infection
While examining my honeypot logs and digging through the newly downloaded binaries last week, I noticed a large compressed file. I figured it would be a crypto miner, typically a tar archive and gzip (normally erroneously) compressed. I moved the archive over to my test lab and started examining the contents.

Now Launching: SOTI - Phishing For Finance
Amanda Goedde | Wed, 19 May 2021 04:00:00 UTC
https://www.akamai.com/blog/security/now-launching-soti-phishing-for-finance
It's that time again -- the launch of the second State of the Internet / Security report of 2021. While Akamai has access to some of the largest security data sets in the world, our viewpoint is limited to the traffic that traverses our networks and is seen by our tools.

Partnering With Verizon on the 2021 DBIR
Martin McKeay | Thu, 13 May 2021 04:00:00 UTC
https://www.akamai.com/blog/security/partnering-with-verizon-on-the-2021-dbir
By the time you read this post, the 2021 Verizon Data Breach Investigations Report (DBIR) will be published. Akamai has been one of the many partners contributing data to this report for more than half a decade. We greatly value the time, effort, and dedicated data science that goes into providing this level of research to the security community.

Two Years of Tax Phishing - The Oldest Scam in the Book
Or Katz | Wed, 05 May 2021 04:00:00 UTC
https://www.akamai.com/blog/security/two-years-of-tax-phishing-the-oldest-scam-in-the-book
Tax scams are some of the oldest scams in a criminal's book, and they're highly attractive to criminals for many reasons.

Tax Season: Criminals Play the Numbers Game Too
Steve Ragan | Tue, 06 Apr 2021 04:00:00 UTC
https://www.akamai.com/blog/security/tax-season-criminals-play-the-numbers-game-too
Criminals love tax season. The stress and urgency surrounding this time of year make the victim pool highly vulnerable to various types of schemes.

CVE-2020-15915 -- Quest for KACE blind SQLi
Samuel Erb | Fri, 26 Mar 2021 04:00:00 UTC
https://www.akamai.com/blog/security/cve-2020-15915-quest-for-kace-blind-sqli
At Akamai, the Enterprise Security Red Team (ESRT) continuously strives to evaluate the security of both our external and internal services.

Threat Advisory - DCCP for (D)DoS
Chad Seaman | Tue, 23 Mar 2021 04:00:00 UTC
https://www.akamai.com/blog/security/threat-advisory-dccp-for-ddos
Recent attacks against Akamai customers have leveraged IP protocol number 33, the Datagram Congestion Control Protocol (DCCP).

Another Golang Crypto Miner On the Loose
Larry Cashdollar | Tue, 16 Mar 2021 04:00:00 UTC
https://www.akamai.com/blog/security/another-golang-crypto-miner-on-the-loose
There are many crypto mining malware variants infecting systems on the internet. On Friday, March 4, 2021, I noticed an interesting hit in my honeypot logs. The binary it captured stood out, as it was rather large at 4 MB. I immediately thought it would be a crypto miner written in the Go language. I was correct. This one, however, has some newer exploits it's using for proliferation.

Now Launching - SOTI: Research
Amanda Goedde | Wed, 10 Mar 2021 05:00:00 UTC
https://www.akamai.com/blog/security/now-launching-soti-research

Sensor Architecture Can Help Keep Us Up and Running: Part 2
Kristin Nelson-Patel | Tue, 09 Mar 2021 05:00:00 UTC
https://www.akamai.com/blog/security/sensor-architecture-can-help-keep-us-up-and-running-part-2
Previously, I introduced the field of sensor systems architecture and posed a real-world example scenario of the unnecessary resource costs and hazards that can happen when the deployment of sensors isn't carefully thought out.

Sensor Architecture Can Help Keep Us Up and Running: Part 1
Kristin Nelson-Patel | Thu, 04 Mar 2021 05:00:00 UTC
https://www.akamai.com/blog/security/sensor-architecture-can-help-keep-us-up-and-running-part-1
In the constant press of rolling out ever better products and services to our customers, it can be easy -- and often necessary -- to fall into a reactive mode around reliability.

Better, or More Effective?
Fadi Saba | Mon, 01 Mar 2021 05:00:00 UTC
https://www.akamai.com/blog/security/better-or-more-effective
A colleague asked me to share my thoughts on building a "better team". I confess, I stumbled on the word "better". Better than what exactly?

Optimizing For Performance, One Hire at a Time: Part 3
Kathryn Kun | Thu, 25 Feb 2021 05:00:00 UTC
https://www.akamai.com/blog/security/optimizing-for-performance-one-hire-at-a-time-part-3
Having previously decided we need to make a new hire onto our team, part 1 of this series examined how to meet the needs of our team going into the future, instead of just adding surface-visible technical skills.

Bitcoins, Blockchains, and Botnets
Evyatar Saias | Tue, 23 Feb 2021 05:00:00 UTC
https://www.akamai.com/blog/security/bitcoins--blockchains--and-botnets
A recent piece of malware from a known crypto mining botnet campaign has started leveraging Bitcoin blockchain transactions in order to hide its backup C2 IP address. It's a simple, yet effective, way to defeat takedown attempts.

Out of My Depth (Where I Belong)
Guest Blogger | Fri, 19 Feb 2021 05:00:00 UTC
https://www.akamai.com/blog/security/out-of-my-depth-where-i-belong
I remember well my first day as a member of Akamai's InfoSec department. The Friday prior, I'd just completed the Akamai Technical Academy, a five-month crash course in all things tech, and was now, on a cold but sunny Monday morning, joining InfoSec for their weekly staff meeting. Eager to make a good first impression, I took a seat at the large, crowded conference table, opened my notebook, and started to take notes.

Massive Campaign Targeting UK Banks Bypassing 2FA
Or Katz | Thu, 18 Feb 2021 05:00:00 UTC
https://www.akamai.com/blog/security/massive-campaign-targeting-uk-banks-bypassing-2fa
On 14 July 2020, Oliver Hough, a security researcher from Cyjax, published a report centered on a phishing campaign targeting banking customers in the United Kingdom, which evades two-factor authentication (2FA).

NHS Vaccine Scams: Criminals Still Targeting COVID-19 Anxiety
Steve Ragan | Thu, 11 Feb 2021 05:00:00 UTC
https://www.akamai.com/blog/security/nhs-vaccine-scams-criminals-still-targeting-covid-19-anxiety
It's 2021, but the anxiety, fear, uncertainty, and stress caused by the COVID-19 pandemic in 2020 are very much alive today.

Optimizing for Performance, One Hire at a Time: Part 1
Kathryn Kun | Wed, 10 Feb 2021 05:00:00 UTC
https://www.akamai.com/blog/security/optimizing-for-performance-one-hire-at-a-time-part-1
It's a lot of fun to imagine and design the best team. As managers, it's rare that we get to build a team from the ground up and all at once.

Command Injection on a D-Link Router
Assaf Vilmovski | Tue, 09 Feb 2021 05:00:00 UTC
https://www.akamai.com/blog/security/command-injection-on-a-d-link-router
During the COVID-19 pandemic, I wanted to extend the local WiFi in my home to reach all the floors. The goal was to have full connectivity from every location in the house.

When Destiny is Knocking on Your Door Again - Data Mining CDN Logs to Refine and Optimize Web Attack Detection
Or Katz | Wed, 27 Jan 2021 05:00:00 UTC
https://www.akamai.com/blog/security/when-destiny-is-knocking-on-your-door-again-data-mining-cdn-logs
A few years ago, I wrote a blog post trying to explain, with humor, why choosing application security as a career path is destiny derived by my parents calling me "Or", and why a personal name that is a conditional word can sometimes be challenging in daily routines, since some attack payloads contain conditional words.

Minecraft Players are Targets Even Off the Network
Steve Ragan | Tue, 26 Jan 2021 05:00:00 UTC
https://www.akamai.com/blog/security/minecraft-players-are-targets-even-off-the-network
When we write the SOTI and talk about attacks against gamers, we spend a good deal of time focusing on network-level events, such as DDoS and credential stuffing.

What happens when your vulnerability is weaponized for botnet proliferation
Larry Cashdollar | Tue, 26 Jan 2021 05:00:00 UTC
https://www.akamai.com/blog/security/what-happens-when-your-vulnerability-is-weaponized-for-botnet-proliferation
This post will focus on the weaponization of a few of the exploits only, as Sarit and Ofir documented everything else.

Evading Link Scanning Security Services with Passive Fingerprinting
Gal Bitensky | Wed, 09 Dec 2020 05:00:00 UTC
https://www.akamai.com/blog/security/evading-link-scanning-security-services-with-passive-fingerprinting
Link scanners are a critical component in multiple classes of security products, including email security suites, websites that offer direct inspection of a suspicious link, and others. Behind the scenes, these services use web clients...

Phishing Summary 2020 - Trends and Highlights
Or Katz | Tue, 08 Dec 2020 05:00:00 UTC
https://www.akamai.com/blog/security/phishing-summary-2020-trends-and-highlights
2020 was a challenging year for many of us, as the COVID-19 pandemic disrupted life and introduced challenges in almost all elements of living. 2020 was also challenging from a cybersecurity point of view, as nearly the entire workforce moved...

WordPress Malware Setting Up SEO Shops
Larry Cashdollar | Fri, 20 Nov 2020 05:00:00 UTC
https://www.akamai.com/blog/security/wordpress-malware-setting-up-seo-shops
While recently looking over my honeypots, I discovered an infection where a malicious actor added a storefront on top of my existing WordPress installation. For background, this particular honeypot is a full instance of WordPress running on a Docker image...

Catch Me if You Can - JavaScript Obfuscation
Or Katz | Mon, 26 Oct 2020 04:00:00 UTC
https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation
While conducting threat research on phishing evasion techniques, Akamai came across threat actors using obfuscation and encryption, making the malicious page harder to detect. The criminals were using JavaScript to pull this off...

DDoS Extortion Examination
Tom Emmons | Fri, 16 Oct 2020 04:00:00 UTC
https://www.akamai.com/blog/security/ddos-extortion-examination
In terms of the Distributed Denial of Service (DDoS) landscape, 2020 was almost boring prior to the beginning of August. The excitement from the record peak Gbps and Mpps seen in early summer had worn off, and we weren't seeing...

Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail
Akamai SIRT | Mon, 17 Aug 2020 04:00:00 UTC
https://www.akamai.com/blog/security/ransom-demands-return-new-ddos-extortion-threats-from-old-actors-targeting-finance-and-retail
Update 08/24/2020: As mentioned below, the Akamai SIRT has been tracking attacks from the so-called Armada Collective and Fancy Bear actors, who are sending ransom letters to various industry verticals such as finance, travel, and e-commerce. In addition to the...

Stealthworker: Golang-based Brute Force Malware Still an Active Threat
Larry Cashdollar | Wed, 03 Jun 2020 04:00:00 UTC
https://www.akamai.com/blog/security/stealthworker-golang-based-brute-force-malware-still-an-active-threat
Malware that can target Windows and Linux systems was recently installed on my honeypot. After some investigation, I determined it to be similar to the malware discovered in February of 2019 by Malwarebytes, and later examined by...

Watch Your Step: The Prevalence of IDN Homograph Attacks
Asaf Nadler | Wed, 27 May 2020 04:00:00 UTC
https://www.akamai.com/blog/security/watch-your-step-the-prevalence-of-idn-homograph-attacks
The internationalized domain name (IDN) homograph attack is used to form domain names that visually resemble legitimate domain names, albeit using a different set of characters [1]. For example, the IDN...

Parts of a Whole: Effect of COVID-19 on US Internet Traffic
Martin McKeay | Wed, 29 Apr 2020 04:00:00 UTC
https://www.akamai.com/blog/security/parts-of-a-whole-effect-of-covid-19-on-us-internet-traffic
In our previous post, The Building Wave of Internet Traffic, we looked at the traffic patterns across Europe and the effect the COVID-19 pandemic has had. We examined traffic in Italy, Poland, and Spain, and demonstrated how we observed...

The Building Wave of Internet Traffic
Martin McKeay | Mon, 13 Apr 2020 04:00:00 UTC
https://www.akamai.com/blog/security/the-building-wave-of-internet-traffic
The novel coronavirus, and the resulting viral respiratory illness caused by it, COVID-19, is changing our world. As much as possible, people around the world are practicing social distancing. This means working remotely for a large number of people, possibly...

Phishing Victims From a CDN's Point of View
Or Katz | Tue, 10 Mar 2020 04:00:00 UTC
https://www.akamai.com/blog/security/phishing-victims-from-a-cdns-point-of-view
Being a Content Delivery Network (CDN) platform, sometimes you can see fractions of attacks on the wire. In this blog, we will focus on phishing websites that, while not being delivered by the Akamai platform, are referring to or...

Tackling DGA Based Malware Detection in DNS Traffic
Yael Daihes | Tue, 18 Feb 2020 05:00:00 UTC
https://www.akamai.com/blog/security/tackling-dga-based-malware-detection-in-dns-traffic
Earlier this year, Akamai's Enterprise team tackled the problem of DGA detection in the wild by using neural networks, essentially creating a state-of-the-art solution for near-online detection of DGA communication...

Abusing the Service Workers API
Daniel Abeles | Mon, 20 Jan 2020 05:00:00 UTC
https://www.akamai.com/blog/security/abusing-the-service-workers-api
The Service Worker web API is a powerful new API for web browsers. During our research, we have found several ways attackers can leverage this API to escalate their low-to-medium risk findings into a powerful and meaningful attack. By...

HTTP Cache Poisoning Advisory
Akamai | Mon, 13 Jan 2020 05:00:00 UTC
https://www.akamai.com/blog/security/http-cache-poisoning-advisory
On January 14, 2020, CERT/CC published an advisory warning of the potential use of Content Delivery Networks (CDNs) to cache malicious traffic. Akamai acknowledges this issue and has been aware of similar research in the past. This advisory...

Fake Cozy Bear Group Making DDoS Extortion Demands
Akamai SIRT | Fri, 15 Nov 2019 05:00:00 UTC
https://www.akamai.com/blog/security/fake-cozy-bear-group-making-ddos-extortion-demands
A group calling themselves "Cozy Bear" has been emailing various companies with an extortion letter, demanding payment and threatening targeted DDoS attacks if their demands are not met...

Phishing Detection via Analytic Networks
Tomer Shlomo | Wed, 06 Nov 2019 05:00:00 UTC
https://www.akamai.com/blog/security/phishing-detection-via-analytic-networks
As mentioned in previous Akamai blogs, phishing is an ecosystem of mostly framework developers and buyers who purchase kits to harvest credentials and other sensitive information. Like many framework developers, those focusing on phishing kits want to create an efficient...

New DDoS Vector Observed in the Wild: WSD Attacks Hitting 35 Gbps
Jonathan Respeto | Wed, 18 Sep 2019 04:00:00 UTC
https://www.akamai.com/blog/security/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps
Additional research and support provided by Chad Seaman. Members of Akamai's Security Intelligence Response Team have been investigating a new DDoS vector that leverages a UDP amplification technique based on WS-Discovery (WSD). The situation surrounding WSD was recently made...

XMR Cryptomining Targeting x86/i686 Systems
Larry Cashdollar | Fri, 30 Aug 2019 04:00:00 UTC
https://www.akamai.com/blog/security/xmr-cryptomining-targeting-x86i686-systems
I have been paying close attention to Internet of Things (IoT) malware targeting systems with Telnet enabled, while also collecting samples targeting systems with SSH enabled on port 22. I've collected over 650 samples landing in my honeypot within the...

HTTP2 Vulnerabilities
Akamai | Tue, 13 Aug 2019 04:00:00 UTC
https://www.akamai.com/blog/security/http2-vulnerabilities
On Tuesday, August 13th at 10 AM Pacific Time (17:00 UTC), Netflix publicly disclosed a series of vulnerabilities found by Jonathan Looney that impact many implementations of the HTTP/2 protocol. A vulnerability found by Piotr Sikora of Google was also released...

Criminals Using Targeted Remote File Inclusion Attacks in Phishing Campaigns
Larry Cashdollar | Mon, 29 Jul 2019 04:00:00 UTC
https://www.akamai.com/blog/security/criminals-using-targeted-remote-file-inclusion-attacks-in-phishing-campaigns
In June 2019, logs on my personal website recorded markers that were clearly Remote File Inclusion (RFI) vulnerability attempts. The investigation into the attempts uncovered a campaign of targeted RFI attacks that currently are being leveraged to deploy phishing kits...

Pykspa v2 DGA updated to become selective
Lior Lahav | Thu, 11 Jul 2019 04:00:00 UTC
https://www.akamai.com/blog/security/pykspa-v2-dga-updated-to-become-selective
Additional research and information provided by Asaf Nadler. Recent changes to the Pykspa v2 domain generation algorithm (DGA) have made it more selective. Akamai researchers have tracked these changes and believe that part of the reason for selective domain generation...

Anatomy of a SYN-ACK Attack
Chad Seaman | Tue, 02 Jul 2019 04:00:00 UTC
https://www.akamai.com/blog/security/anatomy-of-a-syn-ack-attack
In recent weeks, a series of DDoS attacks were directed at multiple financial institutions. The attacks utilized a seldom-seen reflection vector known as TCP SYN-ACK reflection. SYN-ACK reflection isn't new, but it's rarely observed, due mostly to its...

SIRT Advisory: Silexbot Bricking Systems With Known Default Login Credentials
Larry Cashdollar | Wed, 26 Jun 2019 04:00:00 UTC
https://www.akamai.com/blog/security/sirt-advisory-silexbot-bricking-systems-with-known-default-login-credentials
On June 25th, I discovered a new bot named Silexbot on my honeypot. The bot itself is a blunt tool used to destroy IoT devices. Its author, someone who claims to be a 14-year-old boy from Europe, has made his...

CloudTest Vulnerability (CVE-2019-11011)
Akamai InfoSec | Sun, 16 Jun 2019 04:00:00 UTC
https://www.akamai.com/blog/security/cloudtest-vulnerability-cve-2019-11011

Latest ECHOBOT: 26 Infection Vectors
Larry Cashdollar | Thu, 13 Jun 2019 04:00:00 UTC
https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors
Since the release of the Mirai source code in October of 2016, there have been hundreds of variants. While publishing my own research, I noticed that Palo Alto Networks was also examining similar samples, and published their findings. Earlier...

Catch Me If You Can: Evasive and Defensive Techniques in Phishing
Or Katz | Wed, 12 Jun 2019 04:00:00 UTC
https://www.akamai.com/blog/security/catch-me-if-you-can-evasive-and-defensive-techniques-in-phishing
Phishing is a multifaceted type of attack, aimed at collecting usernames and passwords, personal information, or sometimes both. Yet these attacks only work so long as the phishing kit itself remains hidden. Phishing is a numbers game, and time is...

Identifying Vulnerabilities in Phishing Kits
Larry Cashdollar | Wed, 05 Jun 2019 04:00:00 UTC
https://www.akamai.com/blog/security/identifying-vulnerabilities-in-phishing-kits
While recently examining hundreds of phishing kits for ongoing research, Akamai discovered something interesting: several of the kits included basic vulnerabilities due to flimsy construction or reliance on outdated open source code. Considering the impact phishing kits have on...

Bots Tampering with TLS to Avoid Detection
Security Intelligence Response Team | Wed, 15 May 2019 04:00:00 UTC
https://www.akamai.com/blog/security/bots-tampering-with-tls-to-avoid-detection
Researchers at Akamai observed attackers using a novel approach for evading detection. This new technique, which we call Cipher Stunting, has become a growing threat, with its roots tracing back to early 2018. By using advanced methods, attackers are...

Phishing Attacks Against Facebook / Google via Google Translate
Larry Cashdollar | Tue, 05 Feb 2019 05:00:00 UTC
https://www.akamai.com/blog/security/phishing-attacks-against-facebook-google-via-google-translate
When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action. In today's post, we're going to examine a recent phishing attempt against me personally...
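The "Watch Your Step: The Prevalence of IDN Homograph Attacks" entry above describes domains built from characters that look like, but are not, the letters of a legitimate name. The Python script below is an added example and is not code from that post or from Akamai. It decodes punycode ("xn--") labels back to Unicode, reports whether a label mixes scripts, and folds each label to a rough ASCII skeleton so that whole-script look-alikes (a name written entirely in Cyrillic, which a mixed-script check alone would pass) are caught as well. The confusable map and the protected-brand list are small illustrative assumptions; a production check would use the full Unicode confusables data from UTS #39 and a real public-suffix list. The hostnames in SAMPLE_HOSTNAMES are constructed for the example.

```python
import unicodedata

# Constructed sample input for this example (not taken from the post).
# "xn--80ak6aa92e.com" is the punycode form of the well-known Cyrillic look-alike of apple.com.
SAMPLE_HOSTNAMES = [
    "apple.com",
    "xn--80ak6aa92e.com",
    "paypa\u04cf.com",      # Latin "paypa" plus Cyrillic palochka (U+04CF) standing in for "l"
    "b\u00fccher.example",  # accented but single-script: legitimate
]

# Brands to protect; an assumption for the example.
PROTECTED_BRANDS = {"apple", "paypal", "akamai"}

# Tiny subset of the Unicode confusables table (UTS #39); assumption, not exhaustive.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u0261": "g",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",
}


def decode_label(label: str) -> str:
    """Turn an ACE ('xn--') label back into Unicode; other labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label so it is still reported
    return label


def scripts_of(label: str) -> set:
    """Unicode script names used by the letters of a label (digits and hyphens are neutral)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Rough ASCII skeleton: strip diacritics, then fold known confusables to Latin."""
    folded = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue  # drop combining marks, so 'ü' becomes 'u'
        folded.append(CONFUSABLES.get(ch, ch))
    return "".join(folded)


def assess(hostname: str, brands=PROTECTED_BRANDS) -> dict:
    """Classify one hostname as ok, mixed-script, or impersonation of a protected brand."""
    labels = [decode_label(part) for part in hostname.strip(".").lower().split(".")]
    # Judge the registrable label; for these samples that is the one left of the last label.
    target = labels[-2] if len(labels) >= 2 else labels[0]
    mixed = len(scripts_of(target)) > 1
    skel = skeleton(target)
    # A brand hit only counts when the label is not literally the brand itself.
    impersonates = skel if skel in brands and skel != target else None
    if impersonates:
        verdict = "impersonation"
    elif mixed:
        verdict = "mixed-script"
    else:
        verdict = "ok"
    return {
        "hostname": hostname,
        "decoded": ".".join(labels),
        "scripts": sorted(scripts_of(target)),
        "mixed_script": mixed,
        "skeleton": skel,
        "impersonates": impersonates,
        "verdict": verdict,
    }


def scan(hostnames):
    """Assess every hostname and return the results in input order."""
    return [assess(h) for h in hostnames]


if __name__ == "__main__":
    for r in scan(SAMPLE_HOSTNAMES):
        print(f"{r['verdict']:14} {r['hostname']:24} -> {r['decoded']}  "
              f"scripts={r['scripts']}  skeleton={r['skeleton']}")
```

Run it against a DNS log or a newly registered domain feed by replacing SAMPLE_HOSTNAMES. The point of the two separate checks is that the all-Cyrillic look-alike is single-script and passes the mixed-script test, yet its skeleton collapses to "apple"; conversely, "bücher" is flagged by neither, which is the behaviour you want for legitimate non-ASCII names.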