China, South Korea, Vietnam, India, and Australia amongst the top five Asia Pacific countries sending out the most malicious internet traffic – although the United States, Russia, and China round out the top three spots globally.
CenturyLink’s 2018 Threat Report analysed an average of 195,000 threats per day that impacted an average of 104 million unique targets.
In Asia Pacific, threats most commonly target China, Japan, Korea, India, and Taiwan. Globally, the United States, China, Brazil, the United Kingdom, and Germany are the top targets.
Botnets are a key focus of this year’s report, as many of the threats are due to botnets. CenturyLink Threat Research Labs head Mike Benjamin explains:
"Botnets are one of the foundational tools bad actors rely on to steal sensitive data and launch DDoS attacks. By analyzing global botnet attack trends and methods, we're better able to anticipate and respond to emerging threats in defense of our own network and those of our customers."
In Asia Pacific, the top five countries by volume of compromised bots include China, India, Japan, Taiwan, and South Korea.
Countries with strong or rapidly growing IT networks and infrastructure are popular targets for cybercriminal activity – China alone plays host to a daily average of more than 454,000 bots.
While Mirai is one of the most well-known botnets, CenturyLink says there is a botnet that is more prevalent, affects more victims and has longer attack durations.
“Mirai and Gafgyt have been tied to DDoS attacks against gaming servers and the botnet owner’s perceived rivals. Operators attempt to drive traffic to the gaming servers they control… They can also operate under a DDoS-for-hire scenario in which they rent their website stressor services to anyone – under the guise that you, as a site owner, want to ‘test’ or stress your website’s connectivity to the internet,” the report says.
The Gafgyt command and control (C2) servers can be active for as many as 117 days, compared to 83 days at most for the Mirai C2 servers.
“The attraction of Mirai and Gafgyt deployments is that they offer bad actors a wide variety of customizable options to carry out their assaults. The determination of the specific attack type used is based on the capability of the software, the wishes of the malicious client, the target and the desired outcome. Each attack command may include a list of target IP addresses, target domains, ports, services and specified durations,” the report says.
CrnturyLink recommends taking a holistic approach to security that is informed by actionable threat intelligence.