Posts tagged ‘Akamai Security’

Five Excellent Security Articles

November 6, 2014 10:31 am


Articles I’m reading include such topics as the mounting cost of social engineering, the Mayhem Botnet’s exploitation of Shellshock, and some tips for better security in the healthcare...


Akamai Security Podcast: Inside the PLXsert

September 16, 2014 3:36 am


This week, Akamai PLXsert Manager David Fernandez and I discuss the latest attack research from his team. David reviews the fallout from a recent advisory about

Podcast: Tom Leighton on Danny Lewin, Akamai’s Security Goals

September 9, 2014 4:00 am

Last year I launched the Akamai Security Podcast. Episode 1 was an interview with Akamai CEO Tom Leighton, who discussed the legacy of Co-Founder Danny Lewin, Akamai’s role on 9-11-01, and his vision of Akamai as a major player in the security industry. This week being the anniversary of 9-11, it seems appropriate to re-share.

Listen HERE.

Related content:

9-11 Anniversary: Danny Lewin’s Life and Legacy
Internet Security Central To Danny Lewin’s Legacy

Public Compliance Docs: The List So Far (Updated Sept. 4)

September 4, 2014 8:25 am


As previously noted, Akamai InfoSec has been working to make its most sought after compliance documents publicly available. The goal is to make it easier for customers to access the answers they regularly seek, and also to show potential new customers how we operate.

We’re building the foundation in the form of a compliance page on the Akamai Security microsite, and hope to publish up to two fresh public docs a month. What follows is a list of what we’ve done so far.

Linux Systems Exploited for DDoS Attacks

September 3, 2014 7:56 am


Linux users have a new threat to worry about.

According to Akamai’s Prolexic Security Engineering Research Team (PLXsert), the bad guys have discovered a weakness in Linux systems they can exploit to expand their botnets and launch DDoS attacks. PLXsert released an advisory outlining the danger this morning.

  • The full advisory is available HERE.
  • Also read Akamai Security Advocate Dave Lewis’ CSOonline blog post about the threat.

The favored target in this attack is the entertainment industry, though other business sectors are at risk.

In this attack scenario, vulnerable Linux systems are infected with IptabLes and IptabLex malware. Attackers manage to compromise large numbers of Linux systems by exploiting vulnerabilities in Apache Struts, Tomcat and Elasticsearch.

Attackers use the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, then drop the malware into the system. This allows them to hijack those systems, which are then pulled into botnets used to launch DDoS attacks.

Stuart Scholly, senior vice president and general manager of Akamai’s Security Business Unit, calls this a significant development because the Linux operating system is rarely used in DDoS botnets.

“Linux admins need to know about this threat to take action to protect their servers,” he said.

Here are some of the raw details from the advisory:

A post-infection indication is a payload named .IptabLes or .IptabLex located in the /boot directory. These script files run the .IptabLes binary on reboot. The malware also contains a self-updating feature that causes the infected system to contact a remote host to download a file. In the lab environment, an infected system attempted to contact two IP addresses located in Asia.

Command and control centers (C2, CC) for IptabLes and IptabLex are currently located in Asia. Infected systems were initially known to be in Asia; however, more recently many infections were observed on servers hosted in the U.S. and in other regions. In the past, most DDoS bot infections originated from Russia, but now Asia appears to be a significant source of DDoS development.

Patching and hardening Linux servers and antivirus detection can prevent an IptabLes or IptabLex infestation on Linux systems. Meanwhile, PLXsert is providing customers with bash commands to clean infected systems.
PLXsert also shares a YARA rule in the threat advisory to identify the ELF IptabLes payload used in an observed attack campaign.
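A defender-side check for the post-infection indicator quoted above, added here as an example and not taken from the advisory or from Akamai's tooling: it lists any .IptabLes or .IptabLex file in a boot directory and tells an ELF binary apart from the script that launches it. The /boot default, the ELF-versus-script classification and the constructed sample directory are assumptions; the advisory's own YARA rule is not reproduced.

```python
import tempfile
from pathlib import Path

# Filenames the advisory gives as the post-infection indicator in /boot,
# matched exactly as spelled there.
INDICATOR_NAMES = {".IptabLes", ".IptabLex"}
ELF_MAGIC = b"\x7fELF"


def classify_file(path) -> str:
    """Classify by leading bytes: the advisory describes a script in /boot
    that starts the .IptabLes ELF binary on reboot, so tell the two apart."""
    try:
        with Path(path).open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def scan_boot_dir(boot_dir="/boot"):
    """Return a sorted list of (name, kind) for indicator files in boot_dir.
    Kernel images and initrds there are ignored; [] means nothing matched
    or the directory does not exist."""
    base = Path(boot_dir)
    if not base.is_dir():
        return []
    return sorted(
        (entry.name, classify_file(entry))
        for entry in base.iterdir()
        if entry.name in INDICATOR_NAMES and entry.is_file()
    )


def build_constructed_sample() -> str:
    """Create a throwaway directory imitating an infected /boot (constructed
    test data, not a real sample) and return its path."""
    d = tempfile.mkdtemp()
    Path(d, ".IptabLes").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    Path(d, ".IptabLex").write_bytes(b"#!/bin/sh\n/boot/.IptabLes\n")
    Path(d, "vmlinuz-constructed").write_bytes(ELF_MAGIC + b"\x00" * 12)
    return d


if __name__ == "__main__":
    for name, kind in scan_boot_dir(build_constructed_sample()):
        print(f"indicator found: {name} ({kind})")
```

Run against the real /boot by calling scan_boot_dir() with no argument; a hit is a reason to isolate the host and apply the advisory's cleanup steps rather than just delete the files.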