Tag Archives: cybercrime

Global rise in DDoS attacks threatens digital infrastructure

In 2022, the total number of DDoS attacks worldwide increased by 115.1% over the amount observed in 2021, according to Nexusguard. The data also showed that cyber attackers continued to alter their threat vectors by targeting the application platforms, online databases, and cloud-based storage systems within ISPs. This resulted in a significantly greater impact globally as organizations continue to move more of their workloads to the cloud. Number of DDoS attacks worldwide While the overall … More ? The post Global rise in DDoS attacks threatens digital infrastructure appeared first on Help Net Security .

Read More:
Global rise in DDoS attacks threatens digital infrastructure

Malicious actors push the limits of attack vectors

The war in Ukraine has seen the emergence of new forms of cyberattacks, and hacktivists became savvier and more emboldened to deface sites, leak information and execute DDoS attacks, according to Trellix. “Q4 saw malicious actors push the limits of attack vectors,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity … More ? The post Malicious actors push the limits of attack vectors appeared first on Help Net Security .

See the original article here:
Malicious actors push the limits of attack vectors

Cybercriminals create new methods to evade legacy DDoS defenses

The number of DDoS attacks we see around the globe is on the rise, and that trend is likely to continue throughout 2023, according to Corero. We expect to see attackers deploy ever higher rate request-based or packets-per-second attacks. “DDoS attacks have historically focused around sending packets of large sizes with the aim to paralyze and disrupt the internet pipeline by exceeding the available bandwidth. Recent request-based attacks, however, are sending smaller size packets, to … More ? The post Cybercriminals create new methods to evade legacy DDoS defenses appeared first on Help Net Security .

See more here:
Cybercriminals create new methods to evade legacy DDoS defenses

DDoS tales from the SOC

In this Help Net Security video, Bryant Rump, Principal Security Architect at Neustar Security Services, talks about the challenges of mitigating immense DDoS attacks. He outlines real-world examples and discusses their implications for enterprise security preparedness and the threat landscape. The post DDoS tales from the SOC appeared first on Help Net Security .

Read the original post:
DDoS tales from the SOC

A New Wave of DDoS Extortion Campaigns by Fancy Lazarus

Warning of acute ransom DDoS attacks against companies across Europe and North America on behalf of Fancy Lazarus The Link11 Security Operations Center (LSOC) has recently observed a sharp increase in ransom distributed denial of service (RDDoS or RDoS) attacks . Enterprises from a wide range of business sectors are receiving extortion e-mails from the sender Fancy Lazarus demanding 2 Bitcoins (approx. 66,000 euros): “It’s a small price for what will happen when your whole network goes down. Is it worth it? You decide!”, the extortionists argue in their e-mail. So far, LSOC has received reports of RDoS attacks from several European countries, such as Germany and Austria, and the USA and Canada . How the DDoS extortionists operate The perpetrators gather information about the company’s IT infrastructure in advance and provide clear details in the extortion e-mail about which servers and IT elements they will target for the warning attacks. To exert pressure, the attackers rely on demo attacks , some of which last several hours and are characterized by high volumes of up to 200 Gbps . To achieve these attack bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the contacted company is threatened with massive high-volume attacks of up to 2 Tbsp . The organization has 7 days to transfer the Bitcoins to a specific Bitcoin wallet. The e-mail also states that the ransom would increase to 4 Bitcoin with the passing of the payment deadline and increase by another Bitcoin with each additional day. Sometimes, the announced attacks fail to materialize after the expiration of the ultimatum. In other cases, DDoS attacks cause considerable disruption to the targeted companies. Suspected perpetrators already made headlines worldwide The perpetrators are no unknowns. In the fall of 2020, payment providers, financial service providers, and banking institutions worldwide were blackmailed with an identical extortion target and hit with RDoS attacks. Hosting providers, e-commerce providers, and logistics companies were also the focus of the blackmailers, showing they target businesses indiscriminately. They also operated under the names Lazarus Group and Fancy Bear or posed as Armada Collective. The perpetrators are even credited with the New Zealand stock exchange outages at the End of August 2020, which lasted several days. The new wave of extortion hits many companies when a large part of the staff is still organized via remote working and depends on undisrupted access to the corporate network. Marc Wilczek, Managing Director of Link11: “The rapid digitization that many companies have gone through in the past pandemic months is often not yet 100% secured against attacks. The surfaces for cyber attacks have risen sharply, and IT has not been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision.” What to do in the event of DDoS extortion As soon as they receive an extortion e-mail, companies should proactively activate their DDoS protection systems and not respond to the extortion under any circumstances. If the protection solution is not designed to scale to volume attacks of several hundred Gbps and beyond, it is important to find out how company-specific protection bandwidth can be increased in the short term and guaranteed with an SLA . If necessary, this should also be implemented via emergency integration . LSOC’s observation of the perpetrators over several months has shown: Companies that use professional and comprehensive DDoS protection can significantly reduce their downtime risks . As soon as the attackers realize their attacks are going nowhere, they stop them and let nothing more be heard of them. LSOC advises attacked companies to file a report with law enforcement authorities . The National Cyber Security Centers are the best place to turn. Source: https://www.link11.com/en/blog/threat-landscape/new-wave-ddos-extortion-campaigns-fancy-lazarus/

See the original article here:
A New Wave of DDoS Extortion Campaigns by Fancy Lazarus

Critical Infrastructure Under Attack

Several recent cyber incidents targeting critical infrastructure prove that no open society is immune to attacks by cybercriminals. The recent shutdown of key US energy pipeline marks just the tip of the iceberg. Critical infrastructure is becoming more dependent on networks of interconnected devices. For example, only a few decades ago, power grids were essentially operational silos. Today, most grids are closely interlinked — regionally, nationally, and internationally as well as with other industrial sectors. And in contrast to discrete cyberattacks on individual companies, a targeted disruption of critical infrastructure can result in extended supply shortages, power blackouts, public disorder, and other serious consequences. According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks “the new normal across sectors such as energy, healthcare, and transportation.” Another report noted that such attacks can have major spillover effects. Lloyd’s and the University of Cambridge’s Centre for Risk Studies calculated the prospective economic and insurance costs of a severe cyberattack against America’s electricity system could amount to more than $240 billion and possibly more than $1 trillion. Given these potential far-reaching consequences, cyberattacks on critical infrastructure have become a big concern for industry and governments everywhere — and recent events haven’t done much to allay these fears. A Worldwide Phenomenon In May 2021, a huge distributed denial-of-service (DDoS) attack crippled large sections of Belgium’s Internet services, affecting more than 200 organizations, including government, universities, and research institutes. Even parliamentary debates and committee meetings were stalled since no one could access the online services they needed to participate. A few days later, a ransomware attack shut down the main pipeline carrying gasoline and diesel fuel to the US East Coast. The Colonial Pipeline is America’s largest refined-products pipeline. The company says it transports more than 100 million gallons a day of fossil fuels, including gasoline, diesel, jet fuel, and heating oil — or almost half the supply on the East Coast, including supplies for US military facilities. In August 2020, the New Zealand Stock Exchange (NZX) was taken offline for four trading days after an unprecedented volumetric DDoS attack launched through its network service provider. New Zealand’s government summoned its national cybersecurity services to investigate, and cyber experts suggested the attacks might have been a dry run of a major attack on other global stock exchanges. In October 2020, Australia’s Minister for Home Affairs, Peter Dutton, said his country must be ready to fight back against disastrous and extended cyberattacks on critical infrastructure that could upend whole industries. Obvious Uptick in DDoS Attacks During the pandemic, there’s been a huge increase in DDoS attacks, brute-forcing of access credentials, and malware targeting Internet-connected devices. The average cost of DDoS bots has dropped and will probably continue to fall. According to Link11’s Q1/2021 DDoS report, the number of attacks witnessed more than doubled, growing 2.3-fold year-over-year. (Disclosure: I’m the COO of Link11.) Unlike ransomware, which must penetrate IT systems before it can wreak havoc, DDoS attacks appeal to cybercriminals because they’re a more convenient IT weapon since they don’t have to get around multiple security layers to produce the desired ill effects. The FBI has warned that more DDoS attacks are employing amplification techniques to target US organizations after noting a surge in attack attempts after February 2020. The warnings came after other reports of high-profile DDoS attacks. In February, for example, the largest known DDoS attack was aimed at Amazon Web Services. The company’s infrastructure was slammed with a jaw-dropping 2.3 Tb/s — or 20.6 million requests per second — assault, Amazon reported. The US Cybersecurity and Infrastructure Security Agency (CISA) also acknowledged the global threat of DDoS attacks. Similarly, in November, New Zealand cybersecurity organization CertNZ issued an alert about emails sent to financial firms that threatened a DDoS attack unless a ransom was paid. Predominantly, cybercriminals are just after money. The threat actors behind the most recent and ongoing ransom DDoS (RDDoS or RDoS) campaign identify themselves as state-backed groups Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective — although it remains unclear whether that’s just been a masquerade to reinforce the hacker’s demands. The demanded ransoms ranged between 10 and 20 Bitcoin (roughly worth $100,000 to $225,000 at the time of the attacks), to be paid to different Bitcoin addresses. Mitigating the Risk Critical infrastructure is often more vulnerable to cyberattacks than other sectors. Paying a ransom has ethical implications, will directly aid the hackers’ future operations (as noted by the FBI), and will encourage them to hunt other potential victims. Targeted companies are also urged to report any RDoS attacks affecting them to law enforcement. Organizations can’t avoid being targeted by denial-of-service attacks, but it’s possible to prepare for and potentially reduce the impact should an attack occur. The Australian Cyber Security Centre notes that “preparing for denial-of-service attacks before they occur is by far the best strategy; it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.” However, as the architecture of IT infrastructure evolves, it’s getting harder to implement effective local mitigation strategies. Case in point: Network perimeters continue to be weak points because of the increasing use of cloud computing services and devices used for remote work. Also, it is increasingly infeasible to backhaul network traffic, as legitimate users will be banned, too — potentially for hours or days. To minimize the risk of disruption and aim for faster recovery time objectives (RTOs) after an attack, organizations should become more resilient by eliminating human error through stringent automation. These days, solutions based on artificial intelligence and machine learning offer the only viable means of protection against cyberattacks. Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across … View Full Bio Source: https://www.darkreading.com/attacks-breaches/critical-infrastructure-under-attack-/a/d-id/1340960

Original post:
Critical Infrastructure Under Attack

OpenSSL fixes severe DoS, certificate validation vulnerabilities

Today, the OpenSSL project has issued an advisory for two high-severity vulnerabilities CVE-2021-3449 and CVE-2021-3450 lurking in OpenSSL products. OpenSSL is a commonly used software library for building networking applications and servers that need to establish secure communications. These flaws include: CVE-2021-3449 : A Denial of Service (DoS) flaw due to NULL pointer dereferencing which only impacts OpenSSL server instances, not the clients. CVE-2021-3450 : An improper Certificate Authority (CA) certificate validation vulnerability which impacts both the server and client instances. DoS vulnerability fixed by a one-liner The DoS vulnerability (CVE-2021-3449) in OpenSSL TLS server can cause the server to crash if during the course of renegotiation the client sends a malicious  ClientHello  message. “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” states the advisory. The vulnerability only impacts OpenSSL servers running versions between  1.1.1 and 1.1.1j (both inclusive)   that have both TLSv1.2 and renegotiation enabled. However, because this is the default configuration on these OpenSSL server versions, many of the active servers could be potentially vulnerable. OpenSSL clients are not impacted. Fortunately, all it took to fix this DoS bug was a one-liner fix, which comprised setting the  peer_sigalgslen to zero. One line fix for NULL pointer issue leading to DoS, CVE-2021-3449 Source: GitHub The vulnerability was discovered by engineers Peter Kästle and Samuel Sapalski of Nokia, who also offered the fix shown above. Non-CA certificates cannot issue  certificates! The Certificate Authority (CA) certificate validation bypass vulnerability, CVE-2021-3450, has to do with the X509_V_FLAG_X509_STRICT  flag. This flag is used by OpenSSL to disallow use of workarounds for broken certificates and strictly requires that certificates be verified against X509 rules. However, due to a regression bug, OpenSSL versions 1.1.1h and above (but excluding the fixed release 1.1.1k) are impacted by this vulnerability, as this flag is not set by default in these versions. “Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.” “An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten,” states the advisory. In effect, this means OpenSSL instances fail to check that non-CA certificates must not be the issuers of other certificates, therefore opening up the possibilities for attackers to exploit this miss. On March 18th, 2021, Benjamin Kaduk from Akamai reported this flaw to the OpenSSL project. The vulnerability was discovered by Xiang Ding and others at Akamai, with a fix having been developed by Tomáš Mráz. Neither vulnerabilities impact OpenSSL 1.0.2. Both vulnerabilites are fixed in OpenSSL  1.1.1k and users are advised to upgrade to this version to protect their instances. As reported by BleepingComputer, DHS-CISA had urged system administrators in December 2020 to patch another OpenSSL DoS vulnerability. Users should therefore protect themselves from security flaws like these by applying timely updates. Source: https://www.bleepingcomputer.com/news/security/openssl-fixes-severe-dos-certificate-validation-vulnerabilities/

See the original post:
OpenSSL fixes severe DoS, certificate validation vulnerabilities

REvil ransomware gang claims over $100 million profit in a year

REvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors. They are driven by profit and want to make $2 billion from their ransomware service, adopting the most lucrative trends in their pursuit of wealth. Affiliates do the heavy lifting A REvil representative that uses the aliases “UNKN” and “Unknown” on cybercriminal forums talked to tech blog Russian OSINT offering some details about the group’s activity and hints of what they have in store for the future. Like almost all ransomware gangs today, REvil runs a ransomware-as-a-service (RaaS) operation. Per this model, developers supply file-encrypting malware to affiliates, who earn the lion’s share from the money extorted from victims. With REvil, the developers take 20-30% and the rest of the paid ransom goes to affiliates, who run the attacks, steal data, and detonate the ransomware on corporate networks. “Most work is done by distributors and ransomware is just a tool, so they think that’s a fair split,” REvil representative, Unknown, told Russian OSINT. This means that the developers set the ransom amount, run the negotiations, and collect the money that is later split with affiliates. Long list of victims The cybercriminal operation has encrypted computers at big-name companies, among them Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group. Unknown says that REvil affiliates were able to breach the networks of Travelex and GSMLaw in just three minutes by exploiting a vulnerability in Pulse Secure VPN left unpatched for months after the fix became available [1, 2]. source: Bad Packets REvil’s public-facing representative says that the syndicate has hit the network of a “major gaming company” and will soon announce the attack. They also say that REvil was responsible for the attack in September against Chile’s public bank, BancoEstado. The incident prompted the bank to close all its branches for a day but did not affect online banking, apps, and ATMs. Along with managed services providers (MSPs) that have access to networks of multiple organizations, the most profitable targets for REvil are companies in the insurance, legal, and agriculture sectors. As for initial access, Unknown mentioned brute-force attacks as well as remote desktop protocol (RDP) combined with new vulnerabilities. One example are vulnerabilities tracked as CVE-2020-0609 and CVE-2020-0610 bugs and known as BlueGate. These allow remote code execution on systems running Windows Server (2012, 2012 R2, 2016, and 2019). New money-making avenues REvil initially made its profit from victims paying the ransom to unlock encrypted files. Since the attackers also locked backup servers, victims had few options to recover, and paying was the quickest way. The ransomware business changed last year when operators saw an opportunity in stealing data from breached networks and started to threaten victims with damaging leaks that could have a much worse impact on the company. Even if it takes longer and causes a significant setback, large businesses can recover encrypted files from offline backups. Having sensitive data in the public space or sold to interested parties, though, can be synonymous with losing the competitive advantage and reputation damage that is difficult to rebuild. This method proved to be so lucrative that REvil now makes more money from not publishing stolen data than from decryption ransom. Unknown says that one in three victims are currently willing to pay the ransom to prevent the leaking of company data. This could be the next step in the ransomware business. REvil is also thinking to adopt another tactic designed to increase their odds of getting paid: hitting the victim with distributed denial-of-service (DDoS) attacks to force them to at least (re)start negotiating a payment. SunCrypt ransomware used this tactic recently on a company that had stopped negotiations. The attackers made it clear that they launched the DDoS attack and terminated it when negotiations resumed. REvil plans to implement this idea. REvil’s model for making money is working and the gang already has plenty in their coffers. In their search for new affiliates, they deposited $1 million in bitcoins on a Russian-speaking forum. The move was designed to show that their operation generates plenty of profit. According to Unknown, this step is to recruit new blood to distribute the malware, as the ransomware scene is full to the brim with professional cybercriminals. Although they have truckloads of money, REvil developers are confined to the borders of the Commonwealth of Independent States (CIS, countries in the former Soviet Union) region. A reason for this is attacking a large number of high-profile victims that prompted investigations from law enforcement agencies from all over the world. As such, traveling is a risk REvil developers are not willing to take. REvil built on older code This ransomware syndicate is also referred to as Sodin or Sodinokibi but the name REvil is inspired by the Resident Evil movie and stands for Ransomware Evil. Their malware was first spotted in April 2019 and the group started looking for skilled hackers (elite penetration testers) shortly after GandCrab ransomware closed shop. Unknown says that the group did not create the file-encrypting malware from scratch but bought the source code and developed on top of it to make it more effective. It uses elliptic curve cryptography (ECC) that has a smaller key size than the RSA-based public-key system, with no compromise on security. Unknown says that this is one reason affiliates choose REvil over other RaaS operations like Maze or LockBit. Before shutting their business, GandCrab developers said they made $150 million, while the entire operation collected more than $2 billion in ransom payments. Clearly, REvil developer’s ambitions are greater. BleepingComputer was told that Unknown confirmed that the interview (in Russian) was real. Source: https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/

More:
REvil ransomware gang claims over $100 million profit in a year

DDoS attacks intensify — Driven in part by COVID-19 and 5G

Cybercriminals had a busy year in 2020, with rapidly increasing numbers of distributed denial of service (DDoS) weapons, widespread botnet activity, and some of the largest DDoS attacks ever recorded. As COVID-19 drove an urgent shift online for everything from education and healthcare, to consumer shopping, to office work, hackers had more targets available than ever—many of them under protected due to the difficulty of maintaining security best practices in an emergency scenario. At the same time, the ongoing rollout of 5G technologies has accelerated the proliferation of IoT and smart devices around the world, making unsuspecting new recruits available for botnet armies to launch crushing attacks on a massive scale. In our ongoing tracking of DDoS attacks, DDoS attack methods, and malware activity, A10 Networks has observed a steady increase in the frequency, intensity, and sophistication of these threats, most recently in our State of DDoS Weapons Report for H2 2020, which covers the second half of the past year. During this period, we saw an increase of over 12% in the number of potential DDoS weapons available on the internet, with a total of approximately 12.5 million weapons detected. The good news is that proven methods of protection continue to be effective even as threat levels rise. So how can organizations defend against this common and highly damaging type of attack? Botnets drive DDoS attack levels to new heights While organizations of all sizes fell victim to DDoS last year, two of the world’s largest companies made headlines for suffering unprecedented attacks. In June 2020, Amazon revealed a DDoS attack on its public cloud earlier that year that peaked at 2.3 Tbps, almost twice the size of the previous largest recorded attack. Soon afterwards, Google revealed details of an even larger DDoS attack that peaked at 2.5 Tbps. A10 Networks has also been privately notified of even larger attacks, underscoring the perennial threat and growing impact of this type of cybercrime. Unlike other types of cyberattacks that depend on concealment, DDoS attacks aim to simply overwhelm an organization’s defenses with a massive flood of service requests delivered from a large number of sources. The distributed nature of the attack makes it especially difficult to repel, as the victim can’t simply block requests from a single illicit source. In recent years, hackers have evolved their methods and broadened their base of attack by using malware to hijack vulnerable compute nodes such as computers, servers, routers, cameras, and other IoT devices and recruit them as bots. Assembled into botnet armies under the attacker’s control, these weapons make it possible for attacks to be sourced from different locations across the globe to suit the attacker’s needs. In the second half of 2020, the top locations where botnet agents were detected include India, Egypt, and China, which together accounted for approximately three-quarters of the total. Activity sourced from DDoS-enabled bots in India spiked in September 2020, with more than 130,000 unique IP addresses showing behavior associated with the Mirai malware strain. A10’s most recent State of DDoS Weapons Report explores our findings about the largest contributor to this botnet activity, a major cable broadband provider, which accounted for more than 200,000 unique sources of Mirai-like behavior. Blocking botnet recruiters The identification of IP addresses associated with DDoS attacks gives organizations a way to defend their systems against questionable activity and potential threats. To protect services, users and customers from impending DDoS attacks, companies should block traffic from possibly compromised IP addresses unless it is essential for the business, or to rate-limit it until the issue is resolved. Automated traffic baselining, artificial intelligence (AI), and machine learning (ML) techniques can help security teams recognize and deal with zero-day attacks more quickly by recognizing anomalous behavior compared with historical norms. Another important step is to make sure that your organization’s own devices are not being recruited as bots. All IoT devices should be updated to the latest version to alleviate infection by malware. To detect any pre-existing infections, monitor for unrecognized outbound connections from these devices, and check whether BitTorrent has ever been seen sourced or destined to these devices, which can be a sign of infection. Outbound connections should be blocked as well. This will prevent the device from making the call required for the installation of malware such as mozi.m or mozi.a as part of the bot recruitment process. Amplification attacks and how to prevent them The scope of a DDoS attack can be vastly expanded through amplification, a technique that exploits the connectionless nature of the UDP protocol. The attacker spoofs the victim’s IP address and uses it to send numerous small requests to internet-exposed servers. Servers configured to answer unauthenticated requests, and running applications or protocols with amplification capabilities, will then generate a response many times larger than the size of each request, generating an overwhelming volume of traffic that can devastate the victim’s systems. Capable of leveraging millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services, amplification reflection attacks have resulted in record-breaking volumetric attacks and account for the majority of DDoS attacks. The SSDP protocol, with more than 2.5 million unique systems, led the list of amplification attack weapons exposed to the internet in 2020. With an amplification factor of over 30x, SSDP is considered one of the most potent DDoS weapons. The most straightforward blanket protection against such attacks is to simply block port 1900 traffic sourced from the internet unless there is a specific use case for SSDP usage across the internet. Blocking SSDP traffic from specific geo-locations where a high-level botnet activity has been detected can also be effective for more surgical protection. As recent trends make clear, the DDoS threat will only continue to grow as rising online activity across sectors, a rapidly expanding universe of IoT devices, and increasingly sophisticated methods offer new opportunities for cybercriminals. Organizations should take an active approach to defense by closing unnecessary ports, using AI and ML to monitor for signs of compromise or attack, and blocking traffic from IP addresses known to have exhibited illicit behavior. Source: https://www.securitymagazine.com/articles/94570-ddos-attacks-intensify-driven-in-part-by-covid-19-and-5g

Continue reading here:
DDoS attacks intensify — Driven in part by COVID-19 and 5G

Bad actors launched an unprecedented wave of DDoS attacks in 2020

For many enterprises, 2020 was a tough year for cyberattacks, with dozens suffering from devastating DDoS attacks due to the newfound reliance on digital tools, according to a new report from cybersecurity firm Akamai. In its report, “Retrospective 2020: DDoS was Back — Bigger and Badder than Ever Before,” the company found that it had more customers attacked in November 2020 than any prior month going back to 2016. The company had more customers attacked over 50Gbps in August 2020 than any month before, another record that dates back to 2016. “In fact, across all attacks, 7 of the 11 industries we track saw more attacks in 2020 than any year to date. Think about that. This was led by huge jumps in Business Services (960%), Education (180%), Financial Services (190%), Retail & Consumer Goods (445%), and Software & Tech (196%),” the report said. “During Cyberweek 2020 alone we saw: 65% more attacks launched against our customers vs Cyberweek 2019, the number of customers targeted was up 57% YoY, and threat actors launching attacks across an expanded industry base.” Tom Emmons, Akamai’s principal product architect, said in an interview that he and other researchers observed a “significant evolution in DDoS attacks throughout 2020, maybe the most DDoS disruption of any year on record.” For Emmons, the rise in the number of customers seeing attacks, the steady growth in large attacks, and the shift in industries targeted were startling and disturbing for him to see. “As more and more activity moved online (work, shopping, learning, etc) due to COVID-19-related restrictions and behavioral adjustments, it made internet-facing infrastructure more important. Not long after COVID-19 hit, attacks started trending up and really just continued to accelerate as the year progressed. The basic idea here is the more important something is, the more likely to be attacked,” Emmons said. “We saw attackers who clearly did their homework on scouting out targets in a well-coordinated manner. The most interesting thing the DDoS extortionists are doing is choosing good targets, and managing to get their emails and chats through to the right folks, navigating spam filters, and unread boxes.” The report cites a number of record-breaking attacks, including a 1.44 Tbps attack against a major bank in Europe as well as an 809 Mpps attack on an internet hosting provider. According to the study’s findings, some of the largest DDoS extortion campaigns took place in 2020 and the numbers only continued to grow throughout the year. Akamai reported that more of its customers were attacked than any other year on record since 2003, with one industry seeing a 960% increase in the number of attacks. The steep increase in attacks was attributed to COVID-19, which forced almost every enterprise into using some form of digital tools in order to survive. Emmons also noted that there have been improvements in the tools used for DDoS attacks, allowing less experienced attackers to go after big targets. When researchers mapped it out, the timing of the increases in attacks coincides perfectly with the start of the COVID-19 pandemic, particularly in Europe and the US. “Customers and prospects shifted to focus on protecting VPNs and communications endpoints more than ‘generic’ data centers, as their risk profile and postures rapidly evolved,” the report said. “Looking back, as businesses across all industries had to adapt to remote work and the increasing reliance on internet connectivity, it’s clear that more and more types of organizations would be attractive and lucrative targets for DDoS threat vectors.” The report adds that the complexity of the attacks was also concerning considering the number of attack vectors and botnet tools used. In 2020, Akamai reported that 65% of the DDoS attacks they dealt with involved “multi-vector assaults” and “as many as 14 different DDoS vectors were noted in a single attack.” There was a significant increase in extortion-related DDoS attacks that began in August but the unnerving aspect for Akamai researchers was the specificity of the surveillance done before the attacks. “A notable characteristic of this campaign was the level of reconnaissance conducted by the attackers prior to sending the extortion letters. The bad actors were highly targeted in their threats and wanted victims to know that they had uncovered specific weaknesses across internet-facing infrastructure or had identified revenue-impacting IPs that would be taken offline unless their Bitcoin extortion demands were met,” the report said. “The 2020 campaign also signaled a significant shift in the types of industries typically targeted — a foreshadowing of future DDoS activity — with the threat actors pivoting from one vertical to the next depending on the week, in some cases circling back to organizations who had been previously victimized. As is the case with extortion, criminal rings won’t stop until arrests are made, and the fact that the extortion campaigns are ongoing indicates businesses are caving to their demands, which further incentivizes the activity.” When asked about the motivations behind this increase in attacks, Emmons said most were generally launched for money, either through extortion or by attempting to damage an organization financially through disruption. Society’s overwhelming reliance on digital tools made it easy for attackers to go after “low hanging fruit.” The study notes that Akamai continues to see extortion-related attacks that led to a “record emergency onboarding of new customers,” with the report adding that this was a signal that the problem seems likely to persist well into 2021. All signs point to continued DDoS attack growth. Not one of the indicators we track is flat or trending down,” Emmons said. “We’ve got more new customers doing emergency integrations than ever, and the percentage of customers running always on vs. on-demand defenses is at an all-time high. When in doubt follow the customers.” Source: https://www.techrepublic.com/article/bad-actors-launched-an-unprecedented-wave-of-ddos-attacks-in-2020/

View post:
Bad actors launched an unprecedented wave of DDoS attacks in 2020