Sep 4, 2020 | Whitepapers

The world is not what it used to be. COVID-19 showed us that the dreaded, unexpected, ‘could-never-happen-in-a-hundred-years’ loss events can happen, and that when they do, we are not prepared. Nor was anyone capable of accurately modelling how this would affect the world, how long it would last, or how we would rise to face the challenges.
Many businesses treat Information Security in the same way as they treat these once-in-a-hundred-years loss events. They ignore it, because they believe it will not happen to them. They think they are too small, that they don’t really have anything of value for cybercriminals, or that their outsourced IT companies are responsible and have it under control. Sound familiar? The reality is that cybersecurity-related events are much more real and can do much more damage than most companies realize, and many companies never recover from certain cyber-attacks.
Most business leaders and decision-makers have very vague ideas about Cyber and Information Security and believe they are covered by having firewalls and some very fancy software that uses AI and whatever the latest buzzwords are. The reality is much more complex. Cybersecurity is not something you can buy; it is a culture that is part of everything you do. It sounds complex and like hard work, but it is actually very simple.
Cybersecurity risk is just like any other risk you may have in your business. Every time a vehicle leaves the premises, there is a risk of theft, an accident (which may not be your fault) or a breakdown. Most companies accept these risks and mitigate them by taking out insurance. The problem with cybersecurity is that most companies don’t even know their risk.

Do you know your Cyber risk? Do you know what can happen if you are hacked? What will it cost your company if it had to happen?
So can your company survive another lockdown? The answer is probably no! So would you still take the chance? Various publications and organizations that study cyber events have reported an increase in ransomware attacks in 2020, especially since the COVID-19 pandemic. Ransomware can affect a business of any size, from the likes of Garmin (they paid a reported 10 Million USD in August 2020) to South African entities like the City of Joburg (twice, first in July 2019 and then again in October 2019), Telkom allegedly in June 2020, and then the Life healthcare group, during the height of their preparations for the coming COVID-19 storm in early June 2020.

What do all these companies have in common? They use and rely on IT systems and data that are exposed to the internet. You would think that they could prevent this from happening, but if it happened to them, who says it won’t happen to you? Ransomware is big business for criminals, and because they effectively lock down your systems or data, they know they can ransom the access back to you. This is just as devastating to a business as the real-world lockdown has been.
Besides the loss of your data or access to your systems, and paying a ransom, there are various other costs involved for companies. These costs can range from hundreds of thousands of Rands to millions, depending on the size of the company, the severity of the attack and the preparedness of the company to respond to such an event.
Like most risks, the cost-effective solution is to prevent the risk from happening and if you cannot prevent it entirely, to then mitigate the impact should the risk materialize. So, can you answer the following questions?
* Do you know your Cyber risk exposure?
* Are you 100% confident that your IT team or outsourced IT has the basics in place?
* Should you have an incident, can you recover and can you afford the costs of such a recovery?
If you hesitated in answering any of these questions, you might want to revisit your company’s approach to cybersecurity. You would not drive a car without a dashboard; you would also not leave your business open at night without locking the doors. So why would you expose your company in the same way?
Being cyber secure is much more than just having a firewall, anti-virus, backups and spam filters on your email. Cybersecurity is having the right hardware and software, having the right skills to use them correctly, and having a plan for when they don’t work as intended.
ACDS, with vast experience and decades of combined know-how and technical knowledge, can assist you in determining if you are prepared and can survive a second lockdown. We will do a free, high-level security value check (also known as a vulnerability assessment) for your company, it only takes around 4 hours of your time, and then you will know what your company is doing right, and also where to start to ensure that you keep on doing it right.
ACDS offers full-service Information & Cybersecurity solutions that identify, analyze and detect a variety of cyber threats while helping you to better respond to and recover from any unwanted intrusions in your business, with real-time results. Our cybersecurity resilience services cover all avenues of potential breaches through the combined efforts of key Information & Cybersecurity principles and the deployment of ACDS’ rapid detection and response system.
Sep 4, 2020 | Blog


When it comes to your business security, what’s the first thing that comes to mind? Most likely the trusty old firewall. In the event of a successful cyberattack, most victimized organisations will raise the question: “Why wasn’t our firewall able to protect us?”
Even though firewalls are an essential component of cybersecurity, alone they can’t stop the flame from rising. Read on to understand why you need a total and comprehensive cybersecurity strategy and solution.
What are the limitations of a firewall?
Unfortunately, security threats are constantly evolving and are designed to circumvent common and basic security tools, such as firewalls. With the Internet of Things (IoT) and the increase in remote working brought on by the digital age and the recent COVID-19 pandemic, nearly any smart device, from phones, laptops and printers to tablets and televisions, can be connected to the business network – and each one creates an access point for cybercriminals.
Your firewall is pretty good at protecting your office network. After all, that’s what it was designed to do. But, what happens when an employee accesses their email or files from their phone? What about when they connect to the WiFi at a restaurant? Your network security is only as strong as its weakest link. You could have the strongest, most expensive security system on your laptop, but it won’t do you any good if an attacker sets up a fake WiFi hotspot and intercepts all the data.
Firewalls are primarily used to prevent attacks originating from outside the system. What if a threat makes it past the firewall or originates from the network itself?
Firewalls are also extremely limited in their capacity to prevent phishing, scams, ransomware and many other threats beyond typical malware. Some of these rely on tricking a user into taking a desired action, like surrendering confidential information or disabling a firewall or antivirus. Unfortunately, firewalls can’t stop human error or fix poor administrative practices and security policies. Firewalls also need to be consistently updated: new threats arise every day, and if firewalls aren’t updated they may not protect you from the latest one.
Traditional network security, like firewalls, doesn’t extend to the mobile-first, multi-device reality that we live in today. Massive hikes in web traffic, constantly evolving threats and other dangers are not easily detected. Firewalls are a reactive method, as you can only protect devices after threats have been detected.


Total cybersecurity for effective defense
Now that multiple devices and IoT are complicating secure networks with added vulnerability, increased endpoint security is a must-have for optimal protection. Total cybersecurity extends to analysing potential cyber threats to an organisation. Threat intelligence helps organisations evaluate the risks associated with both rare and common threats. Security needs to be as modernized and sophisticated as the potential threats. Real-time protection and predictive analytics need to be in place to identify malicious behaviour and respond to emerging threats. A total cybersecurity system needs to proactively detect and neutralize advanced threats that typically evade security systems. Organisations need a first line of defense against threats they can’t see or immediately repel with a firewall. A successful cybersecurity approach has multiple layers of protection across computers, networks, programs and data, and accelerates the key security operations: prevention, detection, investigation and remediation.
Aug 4, 2020 | Blog

In today’s digital world, and with cyber-attacks on the rise, everyone needs protection. Organizations need to protect their data and networks from unauthorized access, attacks and destruction. As with most things in today’s world, there are many options available.
Let’s take a look at cloud backups and managed backups, and some of the pros and cons when comparing the two. The one that works best for your business will help you strategically achieve your business goals while ensuring your operations continue running optimally. No two organizations have exactly the same requirements in terms of cybersecurity, which is why it is important to understand the differences so that you can choose a package that is tailored to your business’ needs. ACDS can help you with this.
Cloud backup
Some of the pros include:
* no need for onsite hardware or capital expenses;
* storage can be added as needed (this is particularly great for smaller companies, where storage is sometimes an issue);
* you only pay for what you need;
* backup and restore can be initiated from anywhere – you do not need to be onsite;
* data can be backed up at more regular intervals.
Some of the cons of a cloud-based solution include:
* costs of data recovery that could outweigh the benefits for companies that are not as dependent on uptime and instant recovery;
* data limits may apply due to storage availability and cost;
* no internet means no access to any of your information;
* full data recovery could be time-consuming and impact the running of systems.
Managed backup
As with all solutions, this one too has its pros and its cons. Some of the benefits include:
* having physical control over your backup;
* keeping confidential data in-house without any third parties having access to such information;
* access to your backups is not dependent on an internet connection;
* it can be more cost-effective for SMEs.
Some of the cons of a solution like this include:
* capital investment in hardware and infrastructure, which can be very costly;
* the need for a server room on your premises, along with the necessary security and dedicated IT services to manage it;
* no uptime or recovery time guarantees;
* if you do not take the data off-site regularly, you are at risk of data loss during disaster situations on your premises.
When it comes to backup, cloud solutions can be more expensive than in-house options. Cloud solutions being cheaper is a common myth, although the benefits of being in the cloud can far outweigh the costs for some businesses. If your business is heavily reliant on uptime and instant recovery, or has a workforce that is largely mobile, it may be worth paying more for a cloud solution with an uptime and productivity guarantee. Businesses that aren’t as reliant on uptime or mobility may be better suited to an in-house backup. Given the current COVID-19 pandemic we are facing – and the new norm of working from home – a cloud-based solution would likely be far more beneficial to organisations, as it allows the flexibility of backing up and restoring from almost anywhere.
ACDS has launched Cyber Protect Cloud. This is a single service that combines backup, anti-malware, security and management capabilities such as vulnerability assessments, patch management, and more. You get upgraded security, with integrated AI-based defenses that protect you from modern threats, and smarter resources so you and your team can focus on your core business. In the chaos we live in, who wouldn’t want a solution like this?
www.acds.io
info@acds.email
+27 87 073 9370
Jul 8, 2020 | Blog

COVID-19 continues to present problems for employees working remotely. Over the past few weeks, a number of threats have been identified in the banking industry – namely, social engineering, third-party data breaches and ransomware. Across the globe fraud and cyberattacks have soared. IT News Africa says this is of particular concern for South Africa as funds are collected to uphold the economy during lockdown and new grants are implemented to ensure the wellbeing of citizens.
We’ve also seen numerous reports of cybercriminals ramping up their attacks as more and more people started to work from home. Now the Wireless Application Service Providers’ Association (WASPA) has reiterated the need for South Africans to practice good cybersecurity at home.
“With 90 million mobile connections and widespread availability of money transfer and digital banking facilities, SA is tremendously attractive to mobile fraudsters who use malware embedded in downloadable apps to gain access to passwords, user names and other sensitive data,” General Manager of WASPA, Ilonka Badenhorst said.
Exposed Services in Africa
“The way we are preyed upon by criminals has changed. We understand how to protect ourselves from physical crimes, but cybercrime is different – it is nameless, faceless and borderless. We can’t protect ourselves directly because most of us are not IT security professionals, and there is no failsafe system,” says Rohan Isaacs, who heads the technology and privacy team at law firm Herbert Smith Freehills in South Africa.
The global Cyber Exposure Index ranks SA sixth on the list of most-targeted countries for cyberattacks, with the highest concentration of exposed or smaller businesses.
“Most organisations are blissfully unaware of the degree of cybercrime that’s out there. People believe they are well-protected, and they are definitely not – they are using yesterday’s technology to protect themselves against today’s threats,” Brian Pinnock, Mimecast.
A recent study by Shadowserver also reported an increase in malware infections. Shadowserver’s infection statistics come from data collected from sinkholes, honeypots, network telescopes and other sources, operated either by Shadowserver or by its partners. Example network report types that contain this data include: Botnet Drone Report, HTTP Sinkhole Report, Microsoft Sinkhole Report, Brute Force Attack Report and the Darknet Report.
Based on these datasets, Shadowserver sees in total up to 600,000 malware-infected IP addresses per day in Africa. However, it should be noted that observed activity by malware family is biased towards the threats that Shadowserver and its partners are currently sinkholing or otherwise have visibility of (around 400 malware families/variants).
Perhaps unsurprisingly, the number of infections by unique IPs tends to be higher in absolute numbers in more populous countries and/or countries with better Internet infrastructure, including Nigeria and South Africa.
What endpoint protection is required?
As already established, exposed IP addresses are vulnerable and email is the single biggest attack vector for cybercrime, accounting for about 90% of all cyberattacks. But how do we determine what endpoint protection is required to keep our devices protected at all times?
Antivirus software on its own is no longer viable, as it works on a detect-and-respond basis, which is proving inadequate even against common cyberattacks. Modern technology allows us to prevent rather than only detect, which can save a company a lot of time and money. But you may still ask yourself: is this even possible?
Here are 8 key security considerations for protecting remote workers, as many security and IT teams suddenly have to support and protect employees who must work remotely. Make sure these areas are covered too.
The endpoint protection you need
Cybersecurity Resilience Services cover all avenues of potential breaches through the combined efforts of key InfoSec principles and the deployment of rapid detection and response systems. Professional teams of engineers and analysts go through rigorous training programmes, developed by and for the military on real world scenarios and situations. They are trained to analyze, understand and recognize patterns presented by cybercriminals, and it is their responsibility to identify a threat before it happens with their extensive knowledge and understanding of cyber warfare and the determination to intercept a cyber-attack before it takes place.
While most cybersecurity firms base their defenses on the assumption that all attacks will occur through an endpoint or human vulnerability, ACDS’s Intercept product recognizes that sophisticated cybercriminals can enter your network through other avenues linked directly to your perimeter or to different network components, skipping endpoints altogether. Intercept covers all aspects of your endpoint, perimeter and network through a variety of tools to detect and defeat any unauthorized entry with speed and accuracy – not only to detect, but to protect!
Jun 17, 2020 | Blog
Here at The Shadowserver Foundation, we like to regularly drill down into our datasets to provide our global partners with a wider and deeper insight into our scan and threat visibility for their regions. This insight can then be used to better drive our outreach activities. Most importantly, it can hopefully allow National CSIRTs in the region, as well as numerous other authorities/partners and private enterprises, to enhance their incident response coordination and share information from our public benefit victim remediation network reports with local communities in a more effective manner. There is also a significant, direct benefit to us: through feedback and collaboration with our report recipients, we get to see how useful our reports are at ground level and gain a better understanding of the local challenges faced in combating Internet security threats. In the long run, this allows us to improve our public services to the Internet defender community.
This blog is the first in a series in which we will take a look at different world regions in order to demonstrate what taking a more holistic view of our data can reveal – starting with the African continent.
Over the past few years, we have taken a particular interest in Africa as we seek to increase our reporting services, especially to the continent’s National CERT/CSIRTs and ISP communities. In order to look at the African threat landscape and to achieve the above objectives, we have partnered with our good friends at AfricaCERT. In doing so, we open up the opportunity to engage with multiple nations and ensure that these countries make the best possible use of our free reporting services. We are also happy to attend training events to share our understanding and insights with the community as a whole, once the global COVID-19 situation allows!
Key findings
In order to paint the current threat picture for Africa, we collated various IPv4-based datasets held within our repository, including an analysis of malware infections (primarily through sinkhole data); exposed services (some of which may be vulnerable) discovered by our daily scanning; amplification DDoS attacks (obtained from honeypots); as well as reputation IP blacklists.
MALWARE INFECTIONS IN AFRICA
Our malware infection statistics come from data collected from sinkholes, honeypots, network telescopes and other sources, operated by either ourselves or our partners. Example network report types that contain this data include: Botnet Drone Report, HTTP Sinkhole Report, Microsoft Sinkhole Report, Brute Force Attack Report and the Darknet Report.
Based on these datasets, we see in total up to 600,000 malware infected IP addresses per day in Africa. However, it should be noted that observed activity by malware family is biased towards the threats that Shadowserver and its partners are currently sinkholing or otherwise have visibility of (around 400 malware families/variants).

Absolute number of malware infections per day by counted daily IP addresses in Africa – March/April 2020
The graph above shows the absolute numbers of infections seen over the past month. Different colors represent different countries – for ease of understanding we have only labelled “Egypt” and “Algeria” above (as the most infected in absolute numbers), with the rest of the countries grouped into “Other African States”.

Top 20 Most Malware Infected Countries in Africa by Counted Daily IP addresses – 16th April 2020
Perhaps unsurprisingly, the number of infections by unique IPs tends to be higher in absolute numbers in more populous countries and/or countries with better Internet infrastructure. In Africa, we see that, currently, most malware infections are in North African countries (such as Egypt, Algeria and Morocco). South of the Sahara, the countries with the greatest number of infections include Nigeria and South Africa.

Top 20 Threats Seen in Africa by Daily Unique IP addresses – 16th April 2020
Top infections within the scope of our visibility include very well known and current Crimeware-As-A-Service and botnet infrastructures such as Andromeda (which was taken down as part of the international Avalanche operation) and Mirai. Instances of infection with both of these malware strains were observed across the whole continent, which is consistent with global trends. The recently disrupted Necurs spam botnet also features in the Top 10. An illustration of the top threats seen per African country for a given day (16th April 2020) is given below.

Northern Africa: Top Threats Seen Per Country (where top is understood as most unique IP addresses seen daily) – 16th April 2020

Southern Africa: Top Threats Seen Per Country (where top is understood as most unique IP addresses seen daily) – 16th April 2020


Relative Ratio of Avalanche Andromeda Malware Distribution in Africa – 16th April 2020

Relative Ratio of Necurs Malware Distribution in Africa – 16th April 2020

Relative Ratio of Mirai Malware Distribution in Africa – 16th April 2020
However, what makes Africa stand out in comparison to other regions is the relatively high prevalence of Android threats compared to Windows x86 infections.
We see Android trojan malware infections, such as android.backdoor.prizmes, ghost-push and android.iop, in quite substantial volumes.

Relative Ratio of Android Prizmes Malware Distribution in Africa – 16th April 2020
Like virtually everywhere else in the world, devices infected with legacy malware, for example Virut, Conficker and Lethic, continue to be observed, which indicates that multiple African victims have been suffering from long-term infections.
EXPOSED SERVICES IN AFRICA
Aside from collecting data about infected machines, for example, via sinkholing, we also scan the entire IPv4 Internet on 48 services/protocols each day in order to find exposed services (i.e. services that can be accessed externally). This does not mean that these services are necessarily vulnerable to attack. Our scans are, rather, a combination of searching for accessible services, identification of misconfigurations or specific vulnerabilities, finding services that can be abused or misused in some way (for example for amplification scans), detecting (but not exploiting) backdoors, etc. Our goal is to alert network defenders to the fact that services are exposed or abusable in some way and could be used to harm either their own networks, or those of the wider public Internet. We do not generate reports from all of our scans, as in some cases, we do not think that having a service exposed immediately signals danger – so, for example, we refrain from reporting on SSH servers listening on TCP port 22. We generate 43 different types of reports based on our daily IPv4 scans out of 77 reports in total.
Our scan statistics for Africa total 1.4 million IP addresses daily. A range of IPv4 devices are revealed each day with multiple services exposed externally, which could therefore potentially be vulnerable to cyber crime exploitation.

Absolute number of Exposed Services per day by counted daily IP addresses in Africa – March/April 2020
The graph above shows the number of exposed services seen over the last month. Different colors represent different countries – for ease of understanding we have only labelled “South Africa”, “Tunisia”, “Egypt” and “Morocco” above (as the most exposed in absolute numbers), with the rest of the countries grouped into “Others”.

Top Exposed Services Per Country without SSL and SSH services (where top is understood as most daily unique IP addresses seen) – 16th April 2020

Our scan statistics, which also include general population scans (see below), show that the services most exposed by unique IP addresses in Africa include CWMP (port 7547/TCP and 30005/TCP), SSL (port 443/TCP) and SSH (port 22/TCP). As we explain below, this does not mean these are all vulnerable!
CWMP (CPE WAN Management Protocol – a protocol used by ISPs to auto-configure their customer-premises equipment devices, such as DSL routers and cable modems) has had flaws in the past that have been exploited by IoT malware (such as Mirai Botnet #14 and a TR-069 zeroday vulnerability). There is no reason to have CWMP services exposed publicly to non-trusted, potentially hostile IP addresses.
SSL – number 2 on our list – is the name tag that we apply to all HTTPS services exposed on port 443. While most of these are, of course, not vulnerable by default, and their exposure is usually necessary for business reasons, the statistic does give an overview of web-enabled services in Africa. In general, the more advanced the Internet infrastructure, the greater the number of enabled Web services.
There is nothing inherently wrong with having SSH enabled and exposing the service publicly on TCP port 22. Nevertheless, misconfigurations in SSH, or the use of default or weak passwords, could lead to the compromise of devices (which could include servers, routers or IoT devices). Indeed, password brute-forcing attacks against SSH are very common, as they also are for telnet. Both services are regularly targeted by IoT malware. Unlike SSH, there is usually no good reason to have non-encrypted telnet services exposed publicly.
A number of UDP-based services that can be exploited for amplification DDoS attacks, such as DNS or NTP (see our NTP monitor and NTP version reports), were also found to be prominent.

Top 20 Exposed Services Seen in Africa by daily unique IP addresses – 16th April 2020
In general, we observed that countries with greater quantities of IPv4 space tended to harbor more infections and to have a greater number of exposed/accessible services. This trend is much the same throughout the entire world, and is not unique to Africa.

Top 20 Countries in Africa with Exposed Services by counted daily IP addresses – 16th April 2020
To provide some further insight into the above distribution by country, we took the top 3 scan results (without SSL and SSH) and mapped them to specific countries in Africa.
Top 3 Open or Vulnerable Services Seen By Country
In this analysis, we focus on the Top 3 services whose exposure we consider problematic – that is, these are unnecessarily open or vulnerable to abuse. For this reason, we skip SSL and SSH, which commonly must be exposed as is also often the case with FTP.
CWMP

Top 10 Countries in Africa with CWMP exposure
Clearly, Tunisia currently has the greatest number of accessible CWMP servers. As already mentioned, this can unnecessarily provide an attack vector for malicious actors should a vulnerability be found in CWMP server implementations.
(Open) DNS

Top 10 Countries in Africa with (abusable) Open DNS exposure
Morocco, South Africa and Tunisia have the greatest quantity of exposed open DNS servers. These services can be abused for amplification DDoS attacks. It is important to fix the configuration of these services if possible. More information on amplification DDoS attacks can be found in the paper “Amplification Hell: Abusing Network Protocols for DDoS” by Christian Rossow and on our open resolver scan page.
Telnet

Top 10 Countries in Africa with telnet service exposure
South Africa has the greatest quantity of exposed telnet services, with larger amounts seen also in Kenya and Egypt. Using telnet is a dangerous security practice, as the traffic can be sniffed and credentials along with all the traffic content exposed. Additionally, the telnet service is very often the target of brute force attacks carried out by various variants of malware. It is likely most of these services are actually running on home routers or other IoT devices. If remote access is necessary, a properly secured SSH service should be configured instead.
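The Top 3 breakdown above rests on a simple triage rule: skip exposures that are routinely required (SSL, SSH, FTP), flag CWMP and telnet by port, and flag a DNS server only when it actually answers recursive queries for outsiders, then count daily unique IPs per service and country. The script below reproduces that triage on constructed scan rows; it is an added example, not Shadowserver code, and the record layout, field names and sample addresses are all made up here for illustration.

```python
"""Triage constructed exposed-service scan rows into 'routine' vs 'problematic'
exposure and rank them by unique IP per service and country, mirroring the
report's "Top 3 open or vulnerable services by country" and per-service
"Top 10 countries" views. Added example: not Shadowserver code or data."""
from collections import Counter, defaultdict

# Exposures the report treats as normally required for business reasons and
# therefore leaves out of its problematic Top 3.
ROUTINE = {"ssl", "ssh", "ftp"}

# Exposures the report treats as unnecessary or abusable, keyed by (proto, port).
# CWMP ports are those named in the report; telnet and DNS are their well-known ports.
PROBLEMATIC = {
    ("tcp", 7547): "cwmp",
    ("tcp", 30005): "cwmp",
    ("tcp", 23): "telnet",
    ("udp", 53): "open_dns",
}

# Constructed rows: (ip, country, proto, port, service_tag, extra). 'extra' holds
# per-service detail, e.g. whether a DNS server recurses for arbitrary clients.
# Addresses come from the documentation ranges and describe no real host.
SAMPLE_SCAN = [
    ("198.51.100.10", "TN", "tcp", 7547, "cwmp", {}),
    ("198.51.100.11", "TN", "tcp", 7547, "cwmp", {}),
    ("198.51.100.12", "TN", "tcp", 443, "ssl", {}),
    ("203.0.113.5", "MA", "udp", 53, "dns", {"recursion": True}),
    ("203.0.113.6", "MA", "udp", 53, "dns", {"recursion": False}),
    ("203.0.113.7", "MA", "tcp", 22, "ssh", {}),
    ("192.0.2.20", "ZA", "tcp", 23, "telnet", {}),
    ("192.0.2.21", "ZA", "tcp", 23, "telnet", {}),
    ("192.0.2.22", "ZA", "udp", 53, "dns", {"recursion": True}),
    ("192.0.2.22", "ZA", "tcp", 23, "telnet", {}),  # same host, second service
    ("192.0.2.23", "ZA", "tcp", 21, "ftp", {}),
]


def classify(row):
    """Return the problematic-service label for one scan row, or None when the
    exposure is routine or is not one the report flags."""
    _ip, _cc, proto, port, tag, extra = row
    if tag in ROUTINE:
        return None
    label = PROBLEMATIC.get((proto, port))
    if label == "open_dns":
        # Only a resolver that recurses for anyone is an amplification risk;
        # an authoritative-only server on 53/udp is not counted.
        return label if extra.get("recursion") else None
    return label


def unique_ips_by_service_and_country(rows):
    """Count unique IPs per (service, country); the report counts daily unique
    IP addresses, not raw hits, so a host with two services counts once each."""
    seen = defaultdict(set)
    for row in rows:
        label = classify(row)
        if label:
            seen[(label, row[1])].add(row[0])
    return {key: len(ips) for key, ips in seen.items()}


def top_services_per_country(rows, n=3):
    """Top-n problematic services per country by unique IPs."""
    per_country = defaultdict(Counter)
    for (service, cc), ips in unique_ips_by_service_and_country(rows).items():
        per_country[cc][service] = ips
    return {cc: counter.most_common(n) for cc, counter in per_country.items()}


def top_countries_for_service(rows, service, n=10):
    """Top-n countries for one problematic service (the per-service map view)."""
    counts = unique_ips_by_service_and_country(rows)
    ranked = Counter({cc: ips for (svc, cc), ips in counts.items() if svc == service})
    return ranked.most_common(n)


if __name__ == "__main__":
    for cc, top in sorted(top_services_per_country(SAMPLE_SCAN).items()):
        print(cc, top)
    print("telnet:", top_countries_for_service(SAMPLE_SCAN, "telnet"))
```

On the constructed rows, ZA ranks telnet (3 unique IPs) above open DNS (1), TN shows only CWMP (2), and MA shows one open resolver because the non-recursive DNS server is excluded.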
AMPLIFICATION DDOS OVERVIEW IN AFRICA
Together with our partners, such as CISPA, we monitor amplification DDoS attacks across the world using honeypots, see for example, our joint participation in the EU H2020 SISSDEN project. These attacks primarily exploit UDP-based services – including DNS and NTP services that have been highlighted in the discussion of our scan datasets above.
We found that these types of attacks are currently, reasonably uncommon against African infrastructure compared to the rest of the world. This does not mean that such attacks do not happen. When they do occur, they can have devastating effects on the target infrastructure, potentially even felt at a country level (as was the case, for example, in the infamous Mirai Botnet #14 attacks that affected Liberia in 2016/2017).
Our statistics currently show roughly 20 to 60 IPv4 devices being targeted by amplification DDoS attacks in Africa per day.

Amplification DDoS Targets in Africa in March 2020 (Unique IP per day)
The highest number of attacks in a single day in March 2020 was seen on the 27th of March – 54 IP addresses were targeted, with most being located in Morocco.

Country breakdown of DDoS amplification attack targets on March 27th 2020
AFRICAN IP ADDRESSES ON PUBLIC BLACKLISTS
Another category of sources Shadowserver monitors is public blacklists of malicious IP addresses (we currently draw upon over 110 different sources). We bundle all of the data from these sources into our blacklist report. Over the past few months, we have typically seen 2 million to 3 million entries for African IP addresses per day on these blacklists. Note that a sudden drop to zero entries on the charts is usually the result of a data collection failure on our side.

Number of IP entries geolocated to Africa on public blacklists – March/April 2020. Note that an IP may appear on multiple lists and thus be counted more than once.

Top Countries in Africa Blacklisted IP addresses (by unique daily IP addresses) – 16th April 2020
As can be seen in the tree map above, Mauritius and Seychelles IPv4 addresses have a very high-profile presence on these lists, unlike in the previous datasets we explored.
A breakdown of the top observed IP blacklist source per country is shown on the maps below:

Top Blacklist presence per country by unique daily IP addresses – 16th April 2020

Top Blacklist presence per country by unique daily IP addresses – 16th April 2020
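The counting behind the blacklist charts above, as an added Python example that is not Shadowserver code: the sample records and list names are constructed (IPs from the TEST-NET documentation ranges), and the functions show the difference between raw entries and unique IPs that the chart note describes, pick the top blacklist source per country, and flag days with no entries at all, which on the real charts appear as the sudden zeros attributed to collection failures.

```python
"""Aggregate blacklist hits: entries vs unique IPs, top source per country,
and days with no data.

Added example, not Shadowserver's own code. SAMPLE is constructed; the
record layout (date, ip, cc, source) is an assumption for this example.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample: one IP on two lists the same day counts as two entries.
# 2020-04-17 is deliberately absent to simulate a collection failure.
SAMPLE = """\
date,ip,cc,source
2020-04-15,198.51.100.7,MU,listA
2020-04-15,198.51.100.7,MU,listB
2020-04-15,198.51.100.9,MU,listA
2020-04-15,203.0.113.4,SC,listC
2020-04-15,192.0.2.10,ZA,listB
2020-04-15,192.0.2.10,ZA,listC
2020-04-16,198.51.100.7,MU,listA
2020-04-16,203.0.113.4,SC,listC
2020-04-16,203.0.113.5,SC,listC
2020-04-16,192.0.2.11,ZA,listA
2020-04-18,192.0.2.11,ZA,listA
"""


def load(text: str) -> list:
    """Parse CSV text into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def daily_counts(records: list) -> dict:
    """Per day: raw entries (an IP on N lists counts N times) and unique IPs."""
    entries = Counter()
    uniques = defaultdict(set)
    for r in records:
        entries[r["date"]] += 1
        uniques[r["date"]].add(r["ip"])
    return {d: {"entries": entries[d], "unique_ips": len(uniques[d])} for d in entries}


def country_breakdown(records: list, day: str) -> dict:
    """For one day: unique IPs per country and the list contributing most of them.
    Ties are broken by source name so the result is deterministic."""
    per_cc_ips = defaultdict(set)
    per_cc_source = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["date"] != day:
            continue
        per_cc_ips[r["cc"]].add(r["ip"])
        per_cc_source[r["cc"]][r["source"]].add(r["ip"])
    out = {}
    for cc, ips in per_cc_ips.items():
        top = min(per_cc_source[cc].items(), key=lambda kv: (-len(kv[1]), kv[0]))
        out[cc] = {"unique_ips": len(ips), "top_source": top[0]}
    return out


def top_countries(breakdown: dict, n: int = 10) -> list:
    """Country codes ordered by unique IPs (descending), then by code."""
    ranked = sorted(breakdown.items(), key=lambda kv: (-kv[1]["unique_ips"], kv[0]))
    return [cc for cc, _ in ranked[:n]]


def collection_gaps(counts: dict) -> list:
    """Days between the first and last observed date with no entries at all.
    On a time series chart these are the sudden drops to zero."""
    days = sorted(date.fromisoformat(d) for d in counts)
    gaps = []
    d = days[0]
    while d <= days[-1]:
        if d.isoformat() not in counts:
            gaps.append(d.isoformat())
        d += timedelta(days=1)
    return gaps


if __name__ == "__main__":
    recs = load(SAMPLE)
    counts = daily_counts(recs)
    print(counts)
    print("gaps:", collection_gaps(counts))
    print(country_breakdown(recs, "2020-04-15"))
```

The entries-versus-unique gap is exactly why the chart note matters: on 15 April the constructed sample has six entries but only four distinct addresses, and a per-country ranking built on entries would overstate countries whose IPs happen to appear on several lists.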

Recommended Actions
The following is a list of actions that we believe may improve the state of operational security on the African continent.
First and foremost, we want to continue to deliver – and to extend – our public benefit remediation network reports to more of the right kind of defender entities in Africa. This includes not only National and Government CSIRTs, but also ISPs/Domain Registries operating within the continent, as well as other private or public enterprises and network owners. As our reporting maps show below, our current National CSIRT report coverage could be improved. The number of network owners that directly receive our feeds is also low in comparison to other continents.
Secondly, we believe that a data-driven approach to improving the resilience of the African Internet is a good way forward. For example, dedicated malware awareness and eradication campaigns focused on threats like Andromeda or IoT-related malware could materially increase the resilience of African networks. Focusing on Android malware and general Android security awareness would also be beneficial. However, these initiatives would require collaboration with a large set of stakeholders. We are happy to explore any options in this regard. If you can help, or know someone who can, please reach out on social media and help get the message out, or get in touch by email.
Thirdly, collaboration with ISPs on reducing the footprint of exposed services (for example, focusing on CWMP or Open DNS or telnet) would also be a step forward in terms of improving network resilience.
Conclusion & Next Steps
As with nearly every region around the world, Africa has its own specific threat profile. There is much work that can be done both against legacy-threat malware and newer variants to make the region more secure for the benefit of all Internet users. Spambots, such as Necurs, and malware droppers, such as Andromeda, have powered waves of past attacks against many global targets, while Mirai-infected devices have powered huge DDoS attacks. Infected systems are also likely to be infected by (or become infected with) similar current and future threats.
Much the same can be said of the exposed protocols and potentially abusable services uncovered by our scans, which are the assets most at risk of exploitation. Our ultimate goal is to improve the resilience of African network security and thus see our maps and time series charts reflect a reduction in the volumes of detected devices. We can only achieve this goal by working together, through continued and expanded collaboration between ourselves and our ever-growing constituent base.
In terms of National CERT/CSIRT coverage (reflected in our coverage map below), only a small number of these organisations subscribe to our public benefit daily feeds. In total, we have 13 National CSIRTs in Africa receiving our feeds at a country level and 139 network owners that subscribe to our feeds directly, out of 109 National CSIRTs in 138 countries and 4900+ network owners that receive our data worldwide. We would encourage all African network owners to subscribe and act on our reports, and stand ready to supply any National CSIRT in the region with data.
As a community appeal, if you hold any contacts in Africa, we would be most grateful if you could help us out with an introduction in order to enable us to build new relationships with the right partners!

National CSIRTs in Africa subscribing to Shadowserver public benefit feeds – April 2020


Direct recipients of Shadowserver reports in Africa – April 2020

Whether in Africa or not, if you are not already a subscriber to Shadowserver’s public benefit daily network reports but would like to receive our existing 77 report types, then please sign up to our free daily remediation feed service.