Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/23/2017
04:40 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Russia Top Source Of Nefarious Internet Traffic

Honeypot research from F-Secure shows majority of illicit online activity coming from IP addresses in Russia - also where ransomware is a hot commodity.

A global research honeypot tracked what appeared to be a large amount of reconnaissance traffic coming from Russian IP addresses in the second half of last year: some 60% of the overall volume of traffic came from Russia.

The second-closest region was the Netherlands, with 11% of the overall traffic, followed by the US (9%); Germany (4%); and China (4%), according to data culled from F-Secure's global honeypot network, which provides a snapshot of just where attack attempts, recon, and other nefarious activity is originating – and targeting.

F-Secure found that close to half of the traffic was searching for exposed HTTP and HTTPS ports, most likely for the purpose of seeking out vulnerable software to exploit and spread malware, or compromise the targeted device. These systems then can be used as proxies for other attacks, for instance. Simple Main Transfer Protocol (SMTP) ports were also high on the recon radar screen.

"With Russia being the largest source of this traffic, it’s no surprise that most countries in the world were targeted by Russian IPs, including Russia," F-Secure said in its newly published annual threat report. "The US was the most frequent target of both global and Russian traffic."

Most ransomware activity comes out of Russia as well, noted Mikko Hypponen, chief research officer for F-Secure in a press briefing during the RSA Conference last week in San Francisco. There are more than 100 ransomware gangs, he said, and some operate out of Ukraine.

Russian-speaking cybercrime gangs and individuals account for 80% of ransomware families seen in the last 12 months, Kaspersky Lab data shows. The ransomware attackers are a combination of skilled developers to script kiddies, all cashing in on the ease and relative anonymity of cyber-extortion attacks that now come in easy-to-use-kits. Some are making tens of thousands of dollars a day via ransomware attacks, according to Kaspersky Lab.

Hypponen expects ransomware incidents to get worse. "One of the things making it worse is that it's becoming so decentralized. There are so many different gangs making money on ransomware, and they are competing," he said.

They have sophisticated application interfaces that help them track their campaigns and how successful they were; some even provide customer support to help the victim get bitcoin for ransom payment. He showed one campaign's interface indicating it had a conversion rate of 16% success.

Other security experts last week echoed Hypponen's prediction that ransomware would escalate, and get uglier: not only are the attackers getting more aggressive and strict about payment deadlines, but some attack a victim multiple times, even after he or she pays up. "Traditional blackmailers know if someone pays once, they are probably going to pay again," said James Lyne, global head of security research at Sophos Labs.

Look for ransomware attacks that also steal, damage, or wipe data, so even if a victim pays the ransom, his or her data is still at risk or lost forever.

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:50:38 PM
Re: is it Russia, really?
" if someone became insane Mr. Putin is to blame". I would not think that it is about a person, mainly is about a network of hackers.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:49:24 PM
Re: is it Russia, really?
"US administration became concerned that one day the Russians will become as skilled as the American " I think they are already as skillful as anybody else.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:46:35 PM
Re: is it Russia, really?
"internet has given him a weapon that he can use offensively." As I just said, the same for almost all other countries. Internet became the platform of cyber wars.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:44:31 PM
Re: is it Russia, really?
"Especially when most of the traffic goes via CIA-controlled " The same in many other countries once hit the servers they have a control the traffic is most likely being monitored carefully.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:41:59 PM
Re: is it Russia, really?
"how easiy it is to spoof IP address." That makes sense, IP can easily be spoofed and that is what hackers would be doing in the first place.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:39:58 PM
Lost money and data
Article mentioned "even if a victim pays the ransom, his or her data is still at risk or lost forever." This is the worst case scenario, you lost money and data at the same time.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:38:35 PM
ransomware incidents to get worse
I agree wit this. Ransomware incidents to get worse since some companies really pay for it and that encourages the hackers further.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:37:06 PM
60% vs. 11%
So 60% is Russians and 11% is Netherlands. That is a big difference
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:36:00 PM
Netherlands?
Netherlands is quite surprising for me, I understand and expect from east Europe but Netherlands is really surprising .
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2017 | 7:34:43 PM
Makes sense
It looks like Russian hackers made great progress on hacking if they come to the top of the lists.
Page 1 / 2   >   >>
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25329
PUBLISHED: 2021-03-01
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previousl...
CVE-2021-25122
PUBLISHED: 2021-03-01
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request...
CVE-2021-27225
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.