I want to go back to the "phear the two Kevins!" era. It was sweet.
Unusual communications to these countries should be automatic red flags for IT and security organisations.
.... there is no need to involve China into this!
Level 3 Communications says America is home to more botnet command and control servers, edging out the Ukraine, with Russia only managing third place. Command and control servers, used to maintain vast botnet scourges, are active for about 30 days before being taken down by operators located all over the world or by local …
If you do, good.
Now do they have a legitimate reason for doing so?
If you don't know it, why are you allowing it?
If you don't know what apps are calling out perhaps you should find out.
Curiosity may be the best weapon.
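The "know what apps are calling outside" point above can be turned into a routine check. The following is an added example, not code from the thread or from Level 3: it learns a per-process egress baseline from a known-good window of connection records and flags anything outside it. The log format (`<time> <process> <dst_ip>:<dst_port>`) and all addresses are constructed for the example; a real deployment would feed it records from an endpoint agent or host firewall log.

```python
"""Egress baseline: learn which processes talk to which destinations, then flag anything new.

Added example; the record format and all hosts/addresses below are constructed, not real data.
"""
import re
from collections import defaultdict

# Constructed outbound-connection records from a known-good window:
# "<ISO time> <process> <dst_ip>:<dst_port>"
BASELINE_LOG = """\
2019-05-01T09:00:01 chrome 203.0.113.10:443
2019-05-01T09:00:05 apt-get 203.0.113.20:80
2019-05-01T09:01:10 chrome 203.0.113.11:443
2019-05-01T10:15:00 ntpd 203.0.113.30:123
"""

# Constructed records from the window being checked. "updater.bin" is a made-up
# process name used to show how an unbaselined process to an odd port is reported.
TODAY_LOG = """\
2019-05-02T09:00:03 chrome 203.0.113.10:443
2019-05-02T09:00:09 chrome 203.0.113.12:443
2019-05-02T03:14:00 updater.bin 198.51.100.77:6667
2019-05-02T03:19:00 updater.bin 198.51.100.77:6667
2019-05-02T11:00:00 ntpd 203.0.113.30:123
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse(log):
    """Return (timestamp, process, dst_ip, dst_port) tuples, skipping malformed lines."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proc, ip, port = m.groups()
        records.append((ts, proc, ip, int(port)))
    return records


def build_baseline(log):
    """Map each process to the set of (dst_ip, dst_port) it contacted in the known-good window."""
    baseline = defaultdict(set)
    for _, proc, ip, port in parse(log):
        baseline[proc].add((ip, port))
    return baseline


def flag_egress(log, baseline):
    """Return (severity, process, dst_ip, dst_port) for connections the baseline does not cover.

    Severity ordering, most to least suspicious:
      new-process     -> a process never seen making outbound connections
      new-port        -> a known process using a port it never used before
      new-destination -> a known process, known port, previously unseen address
    Each (process, ip, port) triple is reported once, however often it recurs.
    """
    findings = []
    seen = set()
    for _, proc, ip, port in parse(log):
        key = (proc, ip, port)
        if key in seen:
            continue
        seen.add(key)
        if proc not in baseline:
            findings.append(("new-process", proc, ip, port))
        elif (ip, port) not in baseline[proc]:
            known_ports = {p for _, p in baseline[proc]}
            sev = "new-destination" if port in known_ports else "new-port"
            findings.append((sev, proc, ip, port))
    return findings


if __name__ == "__main__":
    for finding in flag_egress(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print("%-16s %-12s %s:%d" % finding)
```

The baseline window must itself be clean, which is the usual caveat with any learned allowlist; review the baseline output by hand before trusting the diff, and re-learn it after planned software changes rather than silently merging new findings into it.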
"As a sysadmin should you not *know* what apps are calling outside?"
That's a very 20th-century attitude.
Apparently things are done differently now. The IT Department don't need to *know* anything, they just need to be able to persuade the Board of Directors to pay for someone else to know stuff and make that knowledge available. E.g. in this scenario the BoD need to pay for this year's equivalent of an intrusion detection package. Doesn't matter whether it works or not as long as it's expensive and produces shiny reports that can be shown to the BoD. Y'know, like the Yanks and their Einstein fail.
"As a sysadmin should you not *know* what apps are calling outside?"
The vast majority of these botnet C&C servers are on *nix boxes. Lots of people still run unprotected Linux servers under the illusion that they are in some way secure, and often don't worry about locking down ports.
In a complementary trend to the way that Windows boxes tend to be commonly targeted for local exploits involving end users, Linux boxes are commonly targeted with remote exploits that don't require end user involvement...this type of attack is also unlikely to be noticed, making such compromised hosts ideal for building your own c&c infrastructure.
Whether or not they are in the US or elsewhere is not half as important as is "who is controlling/governing these botnets".
The NSA playing havoc with the world.
The Mafia etc
The Farc Rebels
The British (they are a bunch of sneaky bastards)?
The Mossad or Shin Bet?
The Illuminati? (ooooohhhhhh, I can hear that damned music in the background, I think it was one of those Apple Garageband tunes)
So many possibilities ....so many stories
The really sneaky stuff is probably using blended communications, port knocking, timed and coded TCP+UDP requests, cloaked comms in audio/video streaming. Recognising the standard stuff is a start but we will probably never really know what underlying codes are moving in the era we are looking. Ever pulled those purchase URLs apart? checked them one day to the next? I bet once we began to understand we'd see sigs like "data ready, - in hibernate file from address...".
Sure the botnets are good for obvious things like phishing and credit card numbers but I'd bet a month's wages there are other things running on them, cuckoo comms.
Some of the bad guys are going to be bad in more than one field, why worry about credit card numbers when you are provided with a budget by some government back door. It's too simple to box up these things as "funded by and controlled by group Y" when they are platforms, once a platform has been erected you can be sure it will be in demand for plays, lynchings and politics.
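The comment above is right that disguised channels (port knocking, timed requests, traffic hidden in streaming) defeat signature matching on content. What they usually cannot hide is timing: an implant that checks in on a schedule produces inter-connection gaps with far less variance than a human-driven client does, which is also the kind of "unusual communication" an earlier commenter wanted flagged automatically. The block below is an added example, not the thread's or Level 3's code, that scores each (source, destination, port) pair in a set of flow records by the coefficient of variation of its check-in intervals. The flow format and all addresses are constructed; the thresholds (`min_connections`, `max_cv`) are assumed starting points, not published values.

```python
"""Beacon detection over flow records: a periodic, low-jitter connection pattern stands
out even when the payload is disguised.

Added example; flow format, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (not real traffic): "<ISO time> <src> <dst> <dport>".
# The first destination is contacted every ~300 s with a second or two of jitter;
# the second is contacted at irregular, human-looking intervals.
FLOWS = """\
2019-05-02T00:00:00 10.0.0.5 198.51.100.77 443
2019-05-02T00:05:00 10.0.0.5 198.51.100.77 443
2019-05-02T00:10:01 10.0.0.5 198.51.100.77 443
2019-05-02T00:14:59 10.0.0.5 198.51.100.77 443
2019-05-02T00:20:00 10.0.0.5 198.51.100.77 443
2019-05-02T00:25:00 10.0.0.5 198.51.100.77 443
2019-05-02T00:00:30 10.0.0.5 203.0.113.10 443
2019-05-02T00:01:00 10.0.0.5 203.0.113.10 443
2019-05-02T00:09:00 10.0.0.5 203.0.113.10 443
2019-05-02T00:09:20 10.0.0.5 203.0.113.10 443
2019-05-02T00:31:00 10.0.0.5 203.0.113.10 443
2019-05-02T00:40:00 10.0.0.5 203.0.113.10 443
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst, dport)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        by_pair[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return by_pair


def interval_stats(times):
    """Mean gap and coefficient of variation (stdev / mean) of the gaps between connections.

    Returns None when there are too few connections to measure variance.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return {"count": len(times), "mean_gap": m, "cv": cv}


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return (pair, mean_gap_seconds, cv) for pairs whose check-ins are regular enough to
    look machine-driven. Both thresholds are assumed starting points to tune per network."""
    results = []
    for pair, times in parse_flows(text).items():
        stats = interval_stats(times)
        if stats and stats["count"] >= min_connections and stats["cv"] <= max_cv:
            results.append((pair, round(stats["mean_gap"]), round(stats["cv"], 3)))
    return results


if __name__ == "__main__":
    for pair, gap, cv in find_beacons(FLOWS):
        print("%s -> %s:%d  every ~%ds  cv=%.3f" % (pair[0], pair[1], pair[2], gap, cv))
```

Legitimate periodic traffic (NTP, update checks, monitoring agents) will score exactly the same way, so this is a triage signal to join with the egress baseline and destination reputation rather than a verdict on its own. Implants that add large random sleep jitter push the cv above the threshold; for those, longer observation windows and the ratio of tiny to normal payload sizes are the usual follow-ups.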
Page 6 of that report definitely cites the "United States" as the greatest generator of C2 traffic.
Although on page 7 things become a little bit more confusing
"While nations around the world are represented in the top 10 global offenders list,
the regions generating the highest levels of C2 traffic are Europe and the United
States. An average of 20 percent of the C2s we tracked were based in North America
with a nearly equal amount launching from the Ukraine and Russia combined.
Western Europe and the United Kingdom contributed another 12 percent of C2
traffic. Latin America was the source of only 2 percent of the overall C2 traffic."
that the US (or more so a US Co.) was claiming Canada becoming "the" hot bed for hackers. Was absolute BS of course, but the waste of tax money CBC carried the story. And so did CTV. Quite the journalists we have here in Canada, Google'n their stories from BS Americans, lol. CBC is as useful as the CRTC, both should be shutdown and replaced, everyone fired!
P.S. My comment is not to imply "all" Americans are BSers. But the media in Canada sure does suck!
L3 is rather good, actually. We use threat intelligence from them, the government and pretty much the spectrum of organizations that contribute to threat intelligence.
We get intelligence on everything from hash values of known malware, TTPs of threat actors, emerging threat intelligence and traffic pattern values for our IPS.
As for C3 servers in the US and North America in general, one can get a virtual host for anything from $10 - 20 per month that is more than adequate for C3 operations and jump point for exfiltrated data. Other hotspots have similar availability and inexpensive solutions available.