An investigation by cloud computing provider Akamai has found that up to 16% of organisations were actively under threat from "command-and-control" C2 servers that were associated with known botnets and various other malware threats.
The Akamai report found this information by analysing DNS data.
What are Command-and-control or C2 servers?
C2 servers are computers or servers that attackers use to remotely manage and control malware-infected systems, often called “bots” or “zombies”. These servers can issue commands to the compromised systems, instructing them to perform various malicious activities such as stealing data, launching attacks against other systems, or participating in spam campaigns.
Attackers commonly use C2 servers to maintain persistent control over compromised systems and to steal sensitive data. By communicating with the C2 server, the attacker can send new commands, receive stolen data, and maintain an ongoing presence on the victim’s network.
Some of the cyber security risks associated with C2 servers
- Data exfiltration: Attackers can use C2 servers to extract sensitive data from compromised systems and transmit it back to their own infrastructure for further exploitation.
- Malware propagation: C2 servers can distribute malware to other systems, creating a larger botnet that can be used for further attacks.
- Command execution: Attackers can issue commands to the compromised systems, instructing them to perform specific tasks such as launching DDoS attacks or installing additional malware.
- Data destruction: Attackers can use C2 servers to issue commands that delete data on compromised systems, causing significant damage and disruption to organisations.
- Privacy violations: The use of C2 servers can lead to privacy violations and breaches of confidentiality. Attackers can access sensitive information stored on compromised systems.
What exactly did the report expose about DNS Traffic & C2 servers?
Akamai found that 10% to 16% of organisations had Domain Name System (DNS) traffic originating on their network towards these threat actors.
The report also showed that over 9% of devices that generated C2 server traffic, did so to domain names associated with known ransomware threats. Of these, REvil and LockBit were the most common ones.
The key findings from the Akamai report
• Akamai has conducted an investigation of malicious command and control (C2) traffic to gain insight on prevalent threats in corporate and home networks.
• According to the data, between 10% and 16% of organisations have encountered C2 server traffic in their network in any given quarter. The presence of C2 traffic indicates the possibility of an attack in progress or a breach.
• 26% of affected devices have reached out to known initial access broker (IAB) C2 domains, including Emotet and Qakbot-related domains. IABs present a large risk to organisations as their primary role is to perform the initial breach and sell access to ransomware groups and other cybercriminal groups.
• Attackers are abusing network-attached storage devices through QSnatch, thus putting backups and sensitive data at risk of being stolen or compromised.
• 30% of affected organisations are in the manufacturing sector, underscoring the real-world implications of cyberattacks such as supply chain issues and disruptions to everyday living.
• Attacks on home networks are seeking to abuse new attack surfaces. A significant amount of attack traffic in home networks can be correlated with mobile malware and Internet of Things (IoT) botnets.
• Through our analysis, we spotted a burgeoning outbreak of FluBot malware in Europe, Latin America, and Asia. The malware spreads through mobile messages using social engineering techniques, and once installed will attempt to propagate further and steal the victim’s banking credentials.
Akamai provides a range of cloud-based security solutions, including web application firewall (WAF), distributed denial-of-service (DDoS) protection, and bot management. These services help customers protect their online assets from cyber threats and attacks.
What can I do to protect my organisation from the C2 Server malware threat?
To mitigate these risks, you should implement robust cybersecurity measures, including:
- network segmentation
- intrusion detection systems
- regular vulnerability assessments
- maintain up-to-date antivirus and firewall software
- educate your employees on safe computing practices to minimise the risk of malware infection.
Read the Akamai report in full
Help from the National Cyber Security Centre on DNS protection from C2 server threats
The NCSC has produced guidance on the selection and deployment of protective DNS
See also the Protective DNS for public sector organisations