Ransomware operations have undoubtedly dominated the 2020 cyber threat landscape thanks to multi-million-dollar heists and new malware variants popping up every day. Although the risks posed by these operations are undoubtedly worth being carefully observed, focusing the entire spotlight on this threat may risk overshadowing other persistent malicious techniques that are frequently used by threat actors. For this reason, this blog will delve into Denial-of-Service attacks, analyzing the most notable attacks and the latest trends observed by our analysts.

Traditionally, Denial-of-Service (DoS) attacks present themselves as the archetype of the script kiddie’s beginner toolkit. The idea behind it is elementary: if you flood a website’s server with more requests than it can handle, you will slow down or even temporarily crash the entire system. When threat actors enlist various sources to conduct this operation, we talk about Distributed Denial-of-Service (DDoS) attacks, which have significantly evolved in the past years. They are now making their comeback within the threat landscape due to a lowered entry-bar and the widespread use of this attack in conjunction with other tactics, techniques, and procedures (TTPs).

Companies affected by DDoS may experience a long-time interruption of business, which in turn may cause financial loss, brand or reputational damage, and influence customer trust. This problem is even more true for those heavily relying on their website’s reliable functionality (obviously not the minority). Making sense of how this offensive technique has mutated over time and the current threat landscape trends is crucial to prevent and mitigate future attacks. 

Average DDos Attack Duration
(Average DDoS attack duration, Source: ENISA/Imperva)

Distributed Denial-of-Service Attacks in 2020

This year has been a turbulent one, to say the least. Global and regional events have profoundly shaken the worldwide order, and we have observed how cyberspace has permeated each of them to amplify their impact on our security. Many DDoS attacks played a part in this environment, and there are a few that we’d like to remember for their significance.

It’s impossible not to mention the global COVID-19 pandemic that is affecting every aspect of our lives. Although we were hoping never to see any exploitation of this crisis, cybercriminals took advantage of the chaos generated by the pandemic with scams, frauds, and misinformation techniques. Sadly, we also observed many attacks against the healthcare industry, with the most notable one being the March 2020 denial-of-service attack against the U.S. Health and Human Services Department operated by an unknown threat actor in a pivotal moment amid the virus outbreak.

The killing of George Floyd in May 2020 globally sparked protests and marked another crucial moment of this year. While people were marching on the streets to protest against police brutality, there were also people manifesting through online activity. Advocacy groups were subjected to the most significant number of attempted DDoS attacks. Simultaneously, other popular targets included government websites, such as those belonging to the police and the military, also marking the alleged resurgence of hacktivist group Anonymous.  

This year, as if 2020 was not troubling enough, we also witnessed the largest DDoS attack ever recorded, which peaked at 2.3 Terabytes per second. The attack was carried out deploying hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and caused three days of downtime for the unnamed targeted business. This event further proves how threat actors are refining their DDoS techniques to create a product more threatening than ever. For this reason, we’ve highlighted three main trends for this year that will likely be persistently present in 2021 as well.

Leveraging IoT, leasing DDoSaaS solutions, and DDoS extortion is becoming the new normal

Throughout the lifecycle of all cybercriminal trends, when threat actors observe a more efficient method, they naturally become more popular and complex over time. The digitization of society has inherently increased cyber risks across all geographies and industries. Most notably, the Internet of Things has exponentially grown over the past few years, and cybercriminals are looking to leverage its increased attack surface and double down on users’ unfamiliarity with proper security hygiene. The cybercriminal landscape has also implemented business opportunities for DDoS services and carved out solutions that include lower-level threat actors. Finally, as we’ve seen success in threat actors furthering their extortion attempts, DDoS attackers may take a page out of the ransomware operators’ playbook by threatening their victims with persistent attacks until their needs are met – only time will tell. 

Anubis DDoS service
Anubis DDoS service listed on a cybercriminal marketplace

A swarm of compromised Internet of Things (IoT) devices

Unpatched IoT devices with inadequate passwords represent a goldmine for malicious actors interested in conducting DDoS attacks. During this year’s National Cyber Security Awareness Month (NCSAM), we discussed a broad array of topics related to the Internet of Things, such as the importance of protecting connected devices and doing so at home and work. Securing these devices is fundamental for your data and privacy because infected devices may be controlled by threat actors, leveraging their access to your device to conduct further malicious activity. This scenario is the case of DDoS botnets: swarms of compromised devices are exploited by threat actors to increase the power of their DDoS attack and reduce defenders’ chances to thwart it.

Mirai is probably the first and most well-known botnet aimed specifically at IoT devices, which wreaked havoc on systems with concerted DDoS attacks. Its first wave of notable attacks dates back to 2016 when it brought down much of America’s internet. Shortly after the incident, its creators publicly released the Mirai botnet source code, inspiring a long series of attempts to build new botnets capable of adapting to the mutated threat landscape and increase their risk level. One of the most recent examples of these botnets is Ttint, a botnet discovered in October 2020 based on the Mirai code; however, threat actors improved the program by implementing 12 additional remote access functions. With the number of IoT devices always on the rise, in terms of sophistication and variety, the threat posed by DDoS botnets will likely increase in the future.

Developing a botnet sounds too difficult? You can still rent it!

As DDoS attacks have increased in sophistication and complexity, it’s natural to deduce that script kiddies with less technical know-how may be pushed off the cybercrime bandwagon; however, cybercriminals think differently. In turn, the cybercriminal threat landscape has spotted this issue and found a perfect niche opportunity to expand its business activities. Enter DDoS-as-a-Service (DDoSaaS). With solutions of this nature, anyone can easily rent a DDoS toolkit to easily conduct attacks against their preferred targets for just a few dollars a month. More specifically, advertisements for DDoS services posted within the last six months averaged just less than $7. This figure is a significant decrease in price from the $25 average in 2017, suggesting that this attack vector’s supply has notably increased within the last few years.

Cybercriminal forum user requesting to rent a DDoS
Cybercriminal forum user requesting to rent a DDoS service

This activity is becoming more commonplace as more threat actors recognize this opportunity to generate profits without risking exposing themselves. One would think that renting a DDoS toolkit would only be possible in the obscurest corners of the dark web; however, that’s not the case here. Cybercriminals have also found a way to promote their services on common social media channels like YouTube and Reddit by calling their products “stressers” – tools used to test your own server’s robustness. Without any legal checks in place, it’s easy to imagine how these same tools can be used for nefarious purposes by malicious actors. These phenomena all contribute to lowering the barrier of entry for this kind of attack. This trend will likely increase in the future, thus making DDoS attacks a job that low-skilled criminals can do with professional threat actors’ efficiency.

Using DDoS and impersonation for cyber extortion

You may be wondering what could be worse than a swarm of IoT devices unleashed against your servers by someone who just rented an attacking toolkit online. Well, you should also know that cybercriminals have started (again) to leverage this technique for extortion purposes. Business continuity interruption can be a useful weapon in cybercriminals’ hands as most businesses rely on their website to conduct their operations. But not all DDoS attacks are powerful enough to disrupt major companies’ servers and less so when operated by inexperienced threat actors; in this case, the extortion attempt may fail its objective as the potential victim doesn’t feel threatened enough.

We have recently observed a case where cybercriminals were impersonating infamous threat groups to threaten their targets. We’re talking about the August 2020 attack against the New Zealand stock exchange (NZX), an extortion campaign conducted by an unnamed cybercriminal group trying to impersonate famous cybercriminal collectives, such as Armada Collective and Fancy Bear, in a ransom note sent to the targeted organization. Although it is highly likely that the threat actor behind the attack was using heavy-hitting names to instill fear in the victim and facilitate the ransom payment, the attack was indeed more sophisticated than other observed DDoS attacks. It didn’t merely target public websites but also backend infrastructure, application programming interface (API) endpoints, and domain name servers (DNS) and managed to force the NZX to halt trading for several hours over four consecutive days.

This DDoS extortion attempt marks a resurgence of this technique, which peaked in 2017, when many groups were making similar claims to those described above. As companies became more suspicious of the groups’ real capabilities behind the extortion attempts, the market for cybercriminals shrank, and high-skilled threat actors moved to more rewarding targets. It seems unlikely that attacks similar to the NZX one may become commonplace in the coming months. Still, it appears that the DDoS attack, in combination with an extortion attempt, may live a new youth thanks to a lower barrier of entry.

To mitigate or not to mitigate, there is no question

Given the high complexity of DDoS attacks favored by a low entry-bar and easily accessible resources, it is fundamental to be prepared for an increased number of offensive operations of this type. Each DDoS is different from the other and needs to be responded in its unique way. Nonetheless, this article will highlight several strategic mitigation pieces of advice applicable in any case and will likely contribute to strengthening your security posture.

  • Prepare a contingency plan. Recognize your critical services and resources and ensure to have an updated response plan for the most sensible assets to be protected;
  • Keep your friends close. Maintain a clear communication channel with your Internet Service and Cloud providers as their support will be crucial during a DDoS attack;
  • Keep your enemies closer. Build an extensive knowledge base of threat actor groups and their preferred TTPs as it can help demystifying spoof impersonations;
  • Know your digital exposure. Keep a record of your critical assets and monitor your Internet footprint to prevent being surprised by threat actors;
  • Protect those IoT devices. Use complex passwords, update unpatched devices, and try to keep unsecure items off your main working network.