Threat Intelligence Report

The 2019 Nokia Threat Intelligence Report provides a view of malware activity in mobile and fixed networks around the world. Nokia examined network traffic for malware command-and-control communication, exploit attempts, hacking activity, scanning activity, and distributed denial of service attacks.

The key findings of the report are described below. They are discussed in more detail in the report, which can be downloaded from this Nokia web page.

Note: The Internet of Things (IoT) is a network of physical objects (devices, vehicles, buildings, and other items) embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.

Note: A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attacks, steal data, and send spam, and they allow the attacker to access the device and its connection. The owner can control the botnet using command and control software. The word “botnet” is a combination of “robot” and “network”.

IoT Botnet Activity 

IoT botnet activity has increased substantially since the introduction of the Mirai malware in 2016. Many of these IoT botnets leverage the basic architecture and functionality of the Mirai source code that was released in October of that year.

In 2018, IoT bot activity represented 78% of the malware network activity (detection events) that Nokia has seen in carrier networks, with Mirai variants alone being responsible for 35%.

IoT bots now make up 16% of the infected devices observed. These bots actively scan for vulnerable victims using an increasingly rich suite of attacks. If a vulnerable IoT device is visible on the internet, it will be exploited in a matter of minutes and added to a botnet.

In networks where devices are routinely assigned public-facing internet IP addresses, Nokia found a high IoT infection rate. In networks where carrier-grade NAT is used, this infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

Crypto-Coin Mining

Malware-based crypto-coin mining has expanded from targeting high-end servers with specialized processors to targeting IoT devices, smartphones, and even browsers.

In 2018, the average monthly infection rate in mobile networks was 0.31%. This means that in any given month, one out of every 300 mobile devices had a high-threat-level malware infection.

Malware in Mobile Networks

Among smartphones, Android devices are the most commonly targeted by malware. In mobile networks, Android devices were responsible for 47.15% of the observed malware infections, Windows/PCs for 35.82%, IoT for 16.17%, and iPhones for less than 1%.

Malware in Fixed Residential Networks

The average monthly infection rate per residence in 2018 was 3.88%, which continues the downward trend from a rate of about 15% in 2015. Nokia states that the drop over the years can be attributed to:

1. Residential networks are better protected from the internet by the firewall features that are built into home routers.

2. The operating systems and applications used on modern laptop and desktop computers are more secure than the Windows/XP systems of the past.

3. Cybercriminals are focusing their effort on IoT and mobile devices.

Threat Intelligence Report

The 22-page Threat Intelligence Report can be downloaded from this Nokia web page.