Peak levels of traffic will be seen throughout the holiday shopping season as a flood of consumers turn to online channels to purchase goods, Imperva reveals.
According to its monthly measurement and analysis of the global cyber threat landscape across data and applications, web traffic to retail sites spiked by as much as 28 percent over the weekly average shortly after stay-at-home orders were issued, eclipsing the record peaks of the 2019 holiday shopping season.
Cybercriminals capitalized on the chaos and the shift to a remote world by launching bad bot attacks and DDoS attacks with the goal of disrupting online activities. As retailers now prepare for a surge in online holiday shopping amid the ongoing global pandemic, Imperva experts urge vigilance and preparedness on the part of online businesses.
Bad bots abusing websites, mobile apps and APIs
Malicious automated attacks are a top threat to online retailers, a trend that has remained consistent before and during COVID-19. 98.04% of the attacks on online retailers detailed in the report originate from automated bot activity.
Simple bots are used in 44.15% of these attacks and function by connecting to a single, ISP-assigned IP address. The leading sources for these attacks are the United States (30.93%), Russia (14.39%) and Ukraine (12.92%).
Bots are also increasingly used as a competitive weapon by retailers, who deploy them for price scraping and inventory tracking to keep an eye on their industry rivals.
The volume of attacks on retailers’ APIs far exceeded average levels this year. The retail industry is an attractive target for cybercriminals because retailers retain sensitive payment data. According to Imperva researchers, the leading attack vectors for retail API attacks in 2020 are cross-site scripting (XSS) (42%) and SQL injection (40%).
Cyber attacks targeting websites have already reached record levels so far in 2020. Imperva finds the three most common attacks to be remote code execution (RCE) (21%), data leakage (20%) and cross-site scripting (XSS) (16%).
49% of these attacks in the last 12 months were carried out against retail websites hosted in the U.S. by attackers using anonymity frameworks, a common method for concealing a bad actor’s identity from the target.
Imperva researchers have seen an increase in the volume and intensity of DDoS attacks throughout 2020. Researchers monitored an average of eight application layer DDoS attacks a month against online retail sites, with a significant peak occurring in April 2020, as demand for online shopping grew because of pandemic-related stay-at-home orders.
Account takeover (ATO) attacks
Online retailers experienced more than twice as many ATO attempts (62%) as any other industry this year. Criminals use 79% of leaked credentials to defraud retail targets because it typically guarantees a higher success rate, Imperva researchers find.
“The holiday shopping season is a crucial revenue period for retailers every year, but in 2020, they face a two-pronged threat: managing unprecedented levels of human and attack traffic to their websites and APIs,” says Edward Roberts, Application Security Strategist, Imperva.
“As COVID reshuffled lives and daily habits, shoppers swarmed online retail sites at record levels. Amid this historic holiday shopping season, the retail industry is likely to experience a peak in human traffic that exceeds anything measured this year and unlike anything in recent memory. The question is how many attackers are going to hide within this expected traffic spike?”
Roberts continues, “Imperva’s research shows that retailers face a myriad of complex cybersecurity threats today, a situation that’s been compounded by the global pandemic.
“However, managing a stack of point solutions to address each of these unique risks is a challenge for lean security teams. Instead, they should invest in an integrated platform, like Imperva Application Security, that provides protection against the leading attacks and optimizes web performance, helping businesses operate more efficiently and securely.”
As COVID-19 lockdown measures were implemented in March-April 2020, consumer and business behavioral changes transformed the internet’s shape and how people use it virtually overnight. Many networks experienced a year’s worth of traffic growth (30-50%) in just a few weeks, Nokia reveals.
By September, traffic had stabilized at 20-30% above pre-pandemic levels, with further seasonal growth to come. From February to September, there was a 30% increase in video subscribers, a 23% increase in VPN end-points in the U.S., and a 40-50% increase in DDoS traffic.
Ready for COVID-19
In the decade prior to the pandemic, the internet had already seen massive and transformative changes – both in service provider networks and in the evolved internet architectures for cloud content delivery. Investment during this time meant the networks were in good shape and mostly ready for COVID-19 when it arrived.
Manish Gulyani, General Manager and Head of Nokia Deepfield, said: “Never has so much demand been put on the networks so suddenly, or so unpredictably. With networks providing the underlying connectivity fabric for business and society to function as we shelter-in-place, there is a greater need than ever for holistic, multi-dimensional insights across networks, services, applications and end users.”
The networks were made for this
While the networks held up during the biggest demand peaks, data from September 2020 indicates that traffic levels remain elevated even as lockdowns are eased, meaning service providers will need to continue to engineer headroom into the networks for future eventualities.
Content delivery chains are evolving
Demand for streaming video, low-latency cloud gaming and video conferencing, and fast access to cloud applications and services, all placed unprecedented pressure on the internet service delivery chain.
Just as Content Delivery Networks (CDNs) grew in the past decade, it’s expected the same will happen with edge/far edge cloud in the next decade – bringing content and compute closer to end users.
Residential broadband networks have become critical infrastructure
With increased needs (upstream traffic was up more than 30%), accelerating rollout of new technologies – such as 5G and next-gen FTTH – will go a long way towards improving access and connectivity in rural, remote and underserved areas.
Better analytical insights enable service providers to keep innovating and delivering flawless service and loyalty-building customer experiences.
Deep insight into network traffic is essential
While the COVID-19 era may prove exceptional in many ways, the likelihood is that it has only accelerated trends in content consumption, production and delivery that were already underway.
Service providers must be able to have real-time, detailed network insights at their disposal – fully correlated with internet traffic insights – to get a holistic perspective on their network, services and consumption.
Security has never been more important
During the pandemic, DDoS traffic increased by 40-50%. As broadband connectivity is now largely an essential service, protecting network infrastructure and services becomes critical.
Agile and cost-effective DDoS detection and automated mitigation are becoming paramount mechanisms to protect service provider infrastructures and services.
Organizations are often forced to make critical security decisions based on threat data that is not accurate, relevant and fresh, a Neustar report reveals.
Just 60% of cybersecurity professionals surveyed indicate that the threat data they receive is both timely and actionable, and only 29% say the data they receive is both extremely accurate and relevant to the threats their organization is facing at that moment.
Few orgs basing decisions on near real-time data
With regard to the timeliness of threat data, only 27% of organizations are able to base their security decisions on near real-time data, while 25% say they receive updates hourly and another 24% receive updates several times per day.
“With the pandemic exacerbating the sheer volume of threats and the nature of remote workforces creating a broader range of vulnerabilities, it is more critical than ever that organizations have access to actionable, contextualized, near real-time threat data to power the network and application security tools they use to detect and block malicious actors,” said Rodney Joffe, Senior VP, Security CTO, Fellow at Neustar.
“A timely, actionable and highly relevant security threat data feed can help deliver curated insights to security teams, allowing them to better identify and mitigate risks such as malicious domain generation algorithms, suspicious DNS tunneling attempts, sudden activity by domains with little or no history, and hijacked or spoofed domains.”
Greatest concerns for security pros
According to the report, 37% of organizations state that they have been the victim of a successful domain spoofing attempt, and 31% of a domain hacking attempt, within the last 12 months.
Findings from the latest NISC research also highlighted a 12.4-point year-on-year increase in the International Cyber Benchmarks Index. Calculated based on the changing level of threats and impact of cyberattacks, the index has maintained an upward trend since May 2017.
During July and August 2020, system compromise and distributed denial-of-service attacks (both 21%) were ranked as the greatest concerns for security professionals, followed by ransomware (20%) and theft of intellectual property (17%).
During this period, targeted hacking (63%) was most likely to be perceived as an increasing threat to organizations, followed by ransomware and DDoS attacks (both 62%). In this round of the survey, 72% of participating enterprises indicated that they had been on the receiving end of a DDoS attack at some point, compared to an average of 52% over the 20 survey rounds.
Attackers focused on COVID-era lifelines such as healthcare, e-commerce, and educational services with complex, high-throughput attacks designed to overwhelm and quickly take them down, Netscout reveals.
“The first half of 2020 witnessed a radical change in DDoS attack methodology to shorter, faster, harder-hitting complex multi-vector attacks that we expect to continue,” stated Richard Hummel, threat intelligence lead, Netscout.
“Adversaries increased attacks against online platforms and services crucial in an increasingly digital world, such as e-commerce, education, financial services, and healthcare. No matter the target, adversary, or tactic used, it remains imperative that defenders and security professionals remain vigilant in these challenging days to protect the critical infrastructure that connects and enables the modern world.”
Record-breaking DDoS attacks at online platforms and services
More than 929,000 DDoS attacks occurred in May, representing the single largest number of attacks ever seen in a month. 4.83 million DDoS attacks occurred in the first half of 2020, a 15% increase. DDoS attack frequency jumped 25% during the peak pandemic lockdown months (March through June).
Bad actors focused on shorter, more complex attacks
Super-sized 15-plus vector attacks increased 2,851% since 2017, while the average attack duration dropped 51% from the same period last year. Moreover, single-vector attacks fell 43% while attack throughput increased 31%, topping out at 407 Mpps.
The increase in attack complexity and speed, coupled with the decrease in duration, gives security teams less time to defend their organizations from increasingly sophisticated attacks.
Organizations and individuals bear the cost of cyber attacks
To determine the impact that DDoS attacks have on global Internet traffic, the Netscout ATLAS Security Engineering and Response Team (ASERT) developed the DDoS Attack Coefficient (DAC). It represents the amount of DDoS attack traffic traversing the internet in a given region or country during any one-minute period.
If no traffic can be attributed to DDoS, the amount would be zero. DAC identified top regional throughput of 877 Mpps in the Asia Pacific region, and top bandwidth of 2.8 Tbps in EMEA. DAC is important since cybercriminals don’t pay for bandwidth. It demonstrates the “DDoS tax” that every internet-connected organization and individual pays.
Attackers shifted tactics in Q2 2020, with a 570% increase in bit-and-piece DDoS attacks compared to the same period last year, according to Nexusguard.
Perpetrators used bit-and-piece attacks to launch various amplification and elaborate UDP-based attacks to flood target networks with traffic.
Analysts witnessed attacks using much smaller sizes—more than 51% of bit-and-piece attacks were smaller than 30 Mbps—to force communications service providers (CSPs) to subject entire networks of traffic to risk mitigation. This causes significant challenges for CSPs and for typical threshold-based detection, which is unreliable for pinpointing the specific attacks so that the correct mitigation can be applied.
Improvements in resources and technology will cause botnets to become more sophisticated, helping them increase resilience and evade detection efforts to gain command and control of target systems. The evolution of attacks means CSPs need to detect and identify smaller and more complex attack traffic patterns amongst large volumes of legitimate traffic.
Switching to deep learning-based predictive models recommended
Analysts recommend service providers switch to deep learning-based predictive models in order to quickly identify malicious patterns and surgically mitigate them before any lasting damage occurs.
“Cyber attackers have rewritten their battlefield playbooks and craftily optimized their resources so that they can sustain longer, more persistent attacks. Companies must look to deep learning in their approaches if they hope to match the sophistication and complexity needed to effectively stop these advanced threats.”
In the past, attackers have used bit-and-piece attacks with a single attack vector to launch new attacks based on that vector. There was a tendency to employ a blend of offensive measures in order to launch a wider range of attacks, intended to increase the level of difficulty for CSPs to detect and differentiate between malicious and legitimate traffic.
There have been significant shifts in DDoS attack patterns in the first half of 2020, a Neustar report reveals. There has been a 151% increase in the number of DDoS attacks compared to the same period in 2019. These included the largest and longest attacks that Neustar has ever mitigated at 1.17 Terabits-per-second (Tbps) and 5 days and 18 hours respectively.
These figures are representative of the growing number, volume and intensity of network-type cyberattacks as organizations shifted to remote operations and workers’ reliance on the internet increased.
DDoS attacks becoming increasingly intense and sophisticated
Large DDoS attacks are bigger, more intense, and happening in greater numbers than ever before. There has been a noticeable spike in large attacks across the industry, most notably the 2.3 Tbps attack targeting an Amazon Web Services client in February – the largest volumetric DDoS attack on record.
The total number of attacks increased by over two and a half times during January through June of 2020 compared to the same period in 2019. The increase was felt across all size categories, with the biggest growth happening at opposite ends of the scale – the number of attacks sized 100 Gbps and above grew a whopping 275% and the number of very small attacks, sized 5 Gbps and below, increased by more than 200%.
Overall, small attacks sized 5 Gbps and below represented 70% of all attacks mitigated between January and June of 2020.
“While large volumetric attacks capture attention and headlines, bad actors increasingly recognise the value of striking at low enough volume to bypass the traffic thresholds that would trigger mitigation to degrade performance or precision target vulnerable infrastructure like a VPN,” said Michael Kaczmarek, Neustar VP of Security Products.
“These shifts put every organization with an internet presence at risk of a DDoS attack – a threat that is particularly critical with global workforces reliant on VPNs for remote login. VPN servers are often left vulnerable, making it simple for cybercriminals to take an entire workforce offline with a targeted DDoS attack.”
The rise in smaller DDoS attacks has been matched by increases in attack sophistication and intensity. 52% of threats mitigated by Neustar leveraged three vectors or more, with the number of attacks featuring a single vector essentially nonexistent.
New amplification methods and attacks of higher intensity targeted at critical pieces of web infrastructure were also tracked. The previous high-water mark of 500 million packets per second (Mpps) was topped this year, with an attack of over 800 Mpps recorded.
“The dependency and growth in online communications since COVID-19 has fundamentally changed what organizations must do to succeed,” said Brian McCann, President, Neustar Security Solutions.
“There is no one-size-fits-all solution for security, but having a reliable cloud service that ensures availability and security for all services and users has proven to be a critical difference between barely surviving and thriving in this rapidly changing environment.”
Ongoing impact of COVID-19 on cyberthreats and industry web traffic
The precipitous rise in DDoS attacks mirrors the growth in internet traffic seen during the pandemic. Internet use is up between 50% and 70% and streaming media rose more than 12% in the first quarter of 2020. This has meant that attackers of all types, whether serious cybercriminals or bored teenagers stuck at home, have had more screen time to be disruptive.
In a study of one of the largest cybercrime sites, Cambridge University’s Cybercrime Centre found that the number of attacks enacted by the website went up sharply at the start of the pandemic and the associated lockdown. It also found that, instead of existing cybercriminals staging more attacks, it was new attackers driving the increase in DDoS attacks.
The corresponding attacks, like internet traffic, have not been evenly spread across all websites. It’s well known that ecommerce and gaming websites have received a lot of negative attention from hackers, but there are other industries that have been hit hard by cybercriminals over the last six months.
Healthcare organizations contain sensitive patient information and a growing number of IoT devices that are easily exploited. Combined with the additional pressure of the pandemic, hospitals have become some of the most desirable targets for cybercriminals.
Industries that have seen a lot of growth during the pandemic, like online gambling, have also been ripe for cyberthreats. Most notably, online video has seen an incredible rise in both usage and DDoS attacks.
Omdia has reported an additional 200 billion hours of Netflix viewing or Zoom video calls over initial 2020 forecasts. Where traffic rises, so too do attacks; Neustar attack mitigations for this vertical increased by 461% over the last six months.
“While 2020 has brought radical changes in behaviour to consumers and criminals alike, it is naïve to assume that actions of either audience will revert completely to pre-pandemic norms after this crisis passes,” added Kaczmarek.
“Mitigating these increasingly sophisticated DDoS attacks will continue to be a necessary part of doing business online. At a time when many organizations could do with less worry, fully managed services can take the pressure off and ensure critical digital assets are safe and secure.”
The report highlights several emerging attacker tactics seen across the industry, including an increase in burst and pulse DDoS attacks, broadening abuse of built-in network protocols such as ARMS, WS-DD, CoAP and Jenkins to launch DDoS amplification attacks that can be carried out with limited resources and cause significant disruptions, NXNS attacks targeting DNS servers, RangeAmp attacks targeting Content Delivery Networks (CDNs), and a resurgence of Mirai-like malware capable of building large botnets through the exploitation of poorly secured IoT devices.
There’s a growing unease amongst the cybersecurity community around the recent rise in misinformation and fake domains, Neustar reveals.
48% of cybersecurity professionals regard the increase in misinformation as a threat to the enterprise, with 49% ranking the threat as ‘very significant’. In response, 46% of organizations already have plans in place to ensure greater emphasis on their ability to react to the rise of misinformation and fake domains.
An additional 35% said it will be a focus area for them in the next six months, while 13% would consider it if it continues to be an issue.
“Misinformation is by no means new – from the beginning of time it has been used as a key tactic by people trying to achieve major goals with limited means,” said Rodney Joffe, Chairman of NISC, Senior Vice President and Fellow at Neustar.
“The current global pandemic, however, has led to a sharp uptick in misinformation and the registration of fake domains, with cybercriminals using tactics such as phishing, scams and ransomware to spread misleading news, falsified evidence and incorrect advice. While the motives of malicious actors may differ, the erosion of trust caused by misinformation poses a range of ethical, social and technological challenges to organizations.”
The complexity of misinformation
In spite of these current anxieties, solving the problem of misinformation is complex. Only 36% of security execs are very confident in their organization’s ability to successfully identify misinformation and fake domains.
Underlining these concerns, 91% of respondents stated that stricter measures should be implemented on the internet if the recent surge in misinformation and fake domains continues.
“Organizations must be vigilant when it comes to assessing how their brand is being used to spread potentially damaging misinformation,” Joffe continued.
“On an open internet, where people can freely register domains and spread information via social media, organizations need to build global taskforces specialising in monitoring and shutting down fake domains and false information. This will involve deploying an always-on approach and using intelligent threat data to measure and mitigate the risk.”
Cyberattacks maintaining an upward trend
Findings from the latest NISC research also highlighted a steep 12-point increase on the International Cyber Benchmarks Index year-on-year. Calculated based on the changing level of threat and impact of cyberattacks, the Index has maintained an upward trend since May 2017.
During May – June 2020, DDoS attacks (23%) and system compromise (20%) were ranked as the greatest concerns to cybersecurity professionals, followed by ransomware (18%) and intellectual property (15%). During this period, organizations focused most on increasing their ability to respond to vendor or customer impersonation, targeted hacking and DDoS attacks.
Findings from Link11’s H1 2020 DDoS Report reveal a resurgence in DDoS attacks during the global COVID-19 related lockdowns.
In April, May and June 2020, the number of attacks registered by Link11’s Security Operations Center (LSOC) averaged 97% higher than during the same period in 2019, peaking at a 108% increase in May 2020.
Key findings from the annual report include:
- Multivector attacks on the rise: 52% of attacks combined several methods of attack, making them harder to defend against. One attack included 14 methods; the highest number of vectors registered to date.
- Growing number of reflection amplification vectors: Most commonly used vectors included DNS, CLDAP and NTP, while WS Discovery and Apple Remote Control are still frequently used after being discovered in 2019. Since the beginning of the year, the vector set for DDoS attackers has also been expanded by DVR DHCPDiscovery. The LSOC discovered the vector that exploits a vulnerability in digital video recorders. The new method of attack was used hundreds of times for DDoS attacks during the COVID-19 pandemic in the second quarter of 2020.
- DDoS sources for reflection amplification attacks distributed around the globe: The top three most important source countries in H1 2020 were USA, China, and Russia. However, more and more attacks have been traced back to France.
- Average attack bandwidth remains high: The attack volume of DDoS attacks has stabilized at a high level, at an average of 4.1 Gbps. The majority of attacks (80%) were up to 5 Gbps. The largest DDoS attack was stopped at 406 Gbps. In almost 500 attacks, the attack volume was over 50 Gbps, which is well over the available connection bandwidth of most companies.
- DDoS attacks from the cloud: At 47%, the percentage of DDoS attacks from the cloud was higher than the full year 2019 (45%). Instances from all established providers were misused, but most commonly were Microsoft Azure, AWS, and Google Cloud. Attackers often use false identities and stolen credit cards to open cloud accounts, making it difficult to trace the criminals behind attacks.
- The longest DDoS attack lasted 1,390 minutes – 23 hours. Interval attacks, which are set like little pinpricks and thrive on repetition, lasted an average of 13 minutes.
The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and out of office hours on weekdays.
“The pandemic has forced organizations to accelerate their digital transformation plans, but has also increased the attack surface for hackers and criminals – and they are looking to take full advantage of this opportunity by taking critical systems offline to cause maximum disruption. This ‘new normal’ will continue to represent a major security risk for many companies, and there is still a lot of work to do to secure networks and systems against the volume attacks. Organizations need to invest in security solutions based on automation, AI and Machine Learning that are designed to tackle multi-vector attacks and networked security mechanisms,” said Marc Wilczek, COO, Link11.
In the first quarter of 2020, DDoS attacks rose more than 278% compared to Q1 2019, and more than 542% compared to the last quarter, as published in the Nexusguard Q1 2020 Threat Report. DDoS attacks have become a global risk, and as attacks continue to increase in complexity, further spurred by the pandemic, ISPs will have to strengthen their security measures.
Undetectable and abnormal traffic patterns
While DDoS attacks disrupt service for large companies and individuals alike, ISPs face increasing challenges to curb undetectable and abnormal traffic patterns before they evolve into uncontrollable reflection attacks.
Although the first quarter is generally considered the “off season” for DDoS attacks, researchers attribute the surge in incidents to malicious efforts during the COVID-19 pandemic, as consumers have become dependent on online services and working from home has become the new normal in an effort to prevent the spread of the virus.
“With remote working becoming the new standard and emphasis on home internet connectivity at an all-time high, proper security measures to mitigate these attacks have never been more important for ISPs. DDoS attacks, be they outgoing or incoming, are a threat to this new working standard that no home user will be able to effectively address, with ISPs needing to employ protective steps to maintain their quality of network connectivity,” said Donny Chong, Product Director for Nexusguard.
ISPs under attack
Such heavy reliance on online services has given rise to a trend of attacks meant to overwhelm ISPs. In addition to traditional DDoS attacks, Nexusguard researchers identified various abnormal traffic patterns, including small-sized, short attacks dubbed “invisible killers.” These types of attacks are often wilfully ignored by ISPs, which gives the invisible anomalies access to website and online services networks to wreak havoc.
“We believe that the ‘invisible killer’ trend will not go away anytime soon, and should not be dismissed at the risk of Internet network infrastructures suffering a deluge of attacks. ISPs play a key role in preventing and mitigating attacks in the long run, protecting their own networks and customer networks from either ‘invisible killer’ or traditional attacks. Steps must be taken to address and manage suspicious traffic, safeguarding the connectivity and service uptime of customer networks from the threats of DDoS attacks,” said Donny Chong.
The report findings also revealed that bits-and-pieces attacks continue to infiltrate traditional threshold-based detection. These forms of attacks are a result of drip-feeding doses of junk traffic into a large IP pool, ultimately clogging the targeted infrastructure when small bits of attacks accumulate from various source IPs.
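The bit-and-piece pattern described here, and in the Nexusguard Q2 findings above, is why per-destination thresholds are unreliable: each target address receives only a trickle. The following is an added illustration (not code from Nexusguard or any report on this page) that scores constructed flow records per destination and per /24 prefix, and adds a prefix-coverage signal; the thresholds and the sample addresses are assumptions.

```python
"""Per-destination vs. per-prefix detection of drip-fed (bit-and-piece) DDoS traffic.

Added illustration; flow records, thresholds and addresses are constructed
for this example and are not taken from any of the reports quoted on the page.
"""
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 60          # assumed measurement window for the flow records
PER_DEST_THRESHOLD_MBPS = 5.0    # assumed classic per-address alert threshold
PER_PREFIX_THRESHOLD_MBPS = 20.0 # assumed aggregate threshold for a /24
COVERAGE_THRESHOLD = 0.5         # fraction of a prefix's hosts that saw traffic


def build_sample_flows():
    """Constructed flows as (src_ip, dst_ip, bytes) over one 60 s window."""
    flows = []
    # Legitimate: 20 clients fetch 1.5 MB each from a web server (4 Mbps total).
    for i in range(1, 21):
        flows.append((f"198.51.100.{i}", "203.0.113.10", 1_500_000))
    # Legitimate: light traffic to a single host in a neighbouring prefix.
    for i in range(1, 6):
        flows.append((f"198.51.100.{100 + i}", "203.0.114.5", 600_000))
    # Bit-and-piece: 60 sources each drip 15 kB to every host of 203.0.113.0/24.
    # Per destination that is only 0.12 Mbps, but the whole /24 absorbs ~30 Mbps.
    for s in range(1, 61):
        for h in range(1, 255):
            flows.append((f"192.0.2.{s}", f"203.0.113.{h}", 15_000))
    return flows


def mbps(byte_count, window=WINDOW_SECONDS):
    """Convert a byte total over the window into megabits per second."""
    return byte_count * 8 / window / 1_000_000


def prefix_of(ip, prefix_len=24):
    """Return the containing network of an address as a string, e.g. 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def per_destination_rates(flows):
    """Classic view: Mbps received by each destination address."""
    totals = defaultdict(int)
    for _src, dst, nbytes in flows:
        totals[dst] += nbytes
    return {dst: mbps(b) for dst, b in totals.items()}


def per_prefix_rates(flows, prefix_len=24):
    """Aggregate view: Mbps received by each destination prefix."""
    totals = defaultdict(int)
    for _src, dst, nbytes in flows:
        totals[prefix_of(dst, prefix_len)] += nbytes
    return {net: mbps(b) for net, b in totals.items()}


def prefix_coverage(flows, prefix_len=24):
    """Fraction of usable host addresses in each prefix that received any traffic.

    Drip-fed attacks touch nearly every host of the target pool; normal
    traffic to a /24 usually concentrates on a handful of servers.
    """
    seen = defaultdict(set)
    for _src, dst, _n in flows:
        seen[prefix_of(dst, prefix_len)].add(dst)
    return {
        net: len(hosts) / max(ipaddress.ip_network(net).num_addresses - 2, 1)
        for net, hosts in seen.items()
    }


def threshold_alerts(rates, threshold_mbps):
    """Keys whose rate meets or exceeds the threshold, sorted for stable output."""
    return sorted(k for k, r in rates.items() if r >= threshold_mbps)


def bit_and_piece_candidates(flows, prefix_len=24):
    """Prefixes that are both over the aggregate rate threshold and broadly covered."""
    rates = per_prefix_rates(flows, prefix_len)
    coverage = prefix_coverage(flows, prefix_len)
    return sorted(
        net for net, r in rates.items()
        if r >= PER_PREFIX_THRESHOLD_MBPS and coverage.get(net, 0) >= COVERAGE_THRESHOLD
    )


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-destination alerts:", threshold_alerts(per_destination_rates(flows),
                                                       PER_DEST_THRESHOLD_MBPS))
    print("per-prefix alerts:     ", threshold_alerts(per_prefix_rates(flows),
                                                       PER_PREFIX_THRESHOLD_MBPS))
    print("bit-and-piece candidates:", bit_and_piece_candidates(flows))
```

The per-destination pass raises nothing, while the /24 aggregate and the coverage signal together single out the drip-fed prefix without flagging the neighbouring prefix that only serves one busy host.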
Furthermore, 90% of attacks also used a single-vector approach, which is a shift from the popularity of multi-vector attacks in the past.
As DDoS attacks become more sophisticated and harder to stop, exacerbated by our collective change in lifestyle due to the pandemic, security policies and practices need to be addressed for the post-COVID-19 world. ISPs will have to adapt to and address the new attack methods birthed from the pandemic, and look towards mitigating and managing disruptions emanating from widespread DDoS attacks.
Trend Micro research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The report urges users to take action to stop their devices from enabling this criminal activity.
The importance of home routers for IoT botnets
There has been a recent spike in attacks targeting and leveraging routers, particularly around Q4 2019. This research indicates increased abuse of these devices will continue as attackers are able to easily monetize these infections in secondary attacks.
“With a large majority of the population currently reliant on home networks for their work and studies, what’s happening to your router has never been more important,” said Jon Clay, director of global threat communications for Trend Micro.
“Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale. For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks.”
Brute force log-in attempts against routers increasing
The research revealed an increase from October 2019 onwards in brute force log-in attempts against routers, in which attackers use automated software to try common password combinations.
The number of attempts increased nearly tenfold, from around 23 million in September to nearly 249 million attempts in December 2019. As recently as March 2020, Trend Micro recorded almost 194 million brute force logins.
Another indicator that the scale of this threat has increased is devices attempting to open telnet sessions with other IoT devices. Because telnet is unencrypted, it’s favored by attackers – or their botnets – as a way to probe for user credentials.
At its peak, in mid-March 2020, nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week.
Cybercriminals are competing with each other
This trend is concerning for several reasons. Cybercriminals are competing with each other to compromise as many routers as possible so they can be conscripted into botnets. These are then sold on underground sites either to launch DDoS attacks, or as a way to anonymize other attacks such as click fraud, data theft and account takeover.
Competition is so fierce that criminals are known to uninstall any malware they find on targeted routers, booting off their rivals so they can claim complete control over the device.
For the home user, a compromised router is likely to suffer performance issues. If attacks are subsequently launched from that device, their IP address may also be blacklisted – possibly implicating them in criminal activity and potentially cutting them off from key parts of the internet, and even corporate networks.
As explained in the report, there’s a thriving black market in botnet malware and botnets-for-hire. Although any IoT device could be compromised and leveraged in a botnet, routers are of particular interest because they are easily accessible and directly connected to the internet.
Recommendations for home users
- Make sure you use a strong password. Change it from time to time.
- Make sure the router is running the latest firmware.
- Check logs to find behavior that doesn’t make sense for the network.
- Only allow logins to the router from the local network.
While organizations have slowly improved in their ability to plan for, detect and respond to cyberattacks over the past five years, their ability to contain an attack has declined by 13% during this same period, IBM reveals.
The global survey conducted by Ponemon Institute found that respondents’ security response efforts were hindered by the use of too many security tools, as well as a lack of specific playbooks for common attack types.
Lack of security response planning
While security response planning is slowly improving, 74% of organizations surveyed are still reporting that their plans are either ad-hoc, applied inconsistently, or that they have no plans at all.
This lack of planning affects the cost of security incidents: companies that have incident response teams and extensively test their incident response plans spend an average of $1.2 million less on data breaches than those with neither of these cost-saving factors in place.
The key findings include:
- Slowly improving: More surveyed organizations have adopted formal, enterprise-wide security response plans over the past 5 years of the study, growing from 18% of respondents in 2015 to 26% in this year’s report (a 44% improvement).
- Playbooks needed: Even amongst those with a formal security response plan, only one third (representing 17% of total respondents) had developed specific playbooks for common attack types – and plans for emerging attack methods like ransomware lagged even further behind.
- Complexity hinders response: The number of security tools an organization was using had a negative impact across multiple categories of the threat lifecycle amongst those surveyed. Organizations using 50+ security tools ranked themselves 8% lower in their ability to detect, and 7% lower in their ability to respond to an attack, than respondents with fewer tools.
- Better planning, less disruption: Companies with formal security response efforts applied across the business were less likely to experience significant disruption as the result of a cyberattack; over the past two years, only 39% of these companies experienced a disruptive security incident, compared to 62% of those with less formal/consistent plans.
“While more organizations are taking incident response planning seriously, preparing for cyberattacks isn’t a one and done activity,” said Wendi Whitmore, Vice President of IBM X-Force Threat Intelligence.
“Organizations must also focus on testing, practicing and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help overcome complexity challenges and speed the time it takes to contain an incident.”
Updating playbooks for emerging threats
The survey found that even amongst organizations with a formal cybersecurity incident response plan (CSIRP), only 33% had playbooks in place for specific types of attacks.
Since different breeds of attack require unique response techniques, having pre-defined playbooks provides organizations with consistent and repeatable action plans for the most common attacks they are likely to face.
Amongst the minority of responding organizations who do have attack-specific playbooks, the most common playbooks are for DDoS attacks (64%) and malware (57%). While these methods have historically been top issues for the enterprise, additional attack methods such as ransomware are on the rise.
While ransomware attacks have spiked nearly 70% in recent years, only 45% of those in the survey using playbooks had designated plans for ransomware attacks.
Additionally, 52% of those with security response plans said they have never reviewed or have no set time period for reviewing/testing those plans. With business operations changing rapidly due to an increasingly remote workforce, and new attack techniques constantly being introduced, this data suggests that surveyed businesses may be relying on outdated response plans which don’t reflect the current threat and business landscape.
More tools led to worse response capabilities
The report also found that complexity is negatively impacting incident response capabilities. Those surveyed estimated their organization was using more than 45 different security tools on average, and that each incident they responded to required coordination across around 19 tools on average.
However, the study also found that an over-abundance of tools may actually hinder organizations’ ability to handle attacks. In the survey, those using more than 50 tools ranked themselves 8% lower in their ability to detect an attack (5.83/10 vs. 6.66/10), and around 7% lower when it comes to responding to an attack (5.95/10 vs. 6.72/10).
These findings suggest that adopting more tools didn’t necessarily improve security response efforts – in fact, it may have done the opposite. The use of open, interoperable platforms as well as automation technologies can help reduce the complexity of responding across disconnected tools.
Amongst high performing organizations in the report, 63% said the use of interoperable tools helped them improve their response to cyberattacks.
Security response efforts: Better planning pays off
This year’s report suggests that surveyed organizations who invested in formal planning were more successful in responding to incidents. Amongst respondents with a CSIRP applied consistently across the business, only 39% experienced an incident that resulted in a significant disruption to the organization within the past two years – compared to 62% of those who didn’t have a formal plan in place.
Looking at the specific reasons these organizations cited for their ability to respond to attacks, security workforce skills were a top factor: 61% of those surveyed cited hiring skilled employees as a top reason for becoming more resilient, while amongst those who said their resiliency did not improve, 41% cited the lack of skilled employees as the top reason.
Technology was another differentiator that helped organizations become more cyber resilient, especially when it comes to tools that helped them resolve complexity.
Looking at organizations with higher levels of cyber resilience, the top two factors cited for improving their level of cyber resilience were visibility into applications and data (57% selecting) and automation tools (55% selecting).
Overall, the data suggests that surveyed organizations that were more mature in their response preparedness relied more heavily on technology innovations to become more resilient.
DDoS traffic capitalizes on remote working connectivity reliance to disrupt service provider targets
In the first quarter of 2020, DDoS attacks rose more than 278% compared to Q1 2019 and more than 542% compared to the previous quarter, according to Nexusguard.
Working from home as the new norm
Researchers attribute the sharp rise in incidents to malicious activity during the COVID-19 pandemic, with DDoS attacks interrupting service for large companies and individuals alike. ISPs face increasing challenges in curbing hard-to-detect, abnormal traffic before it turns into uncontrollable reflection attacks.
In an effort to curb the spread of COVID-19, working from home has become the new norm and household internet connectivity is more important than ever. This heavy reliance on online services has given rise to a trend of attacks meant to overwhelm ISPs.
Abnormal traffic patterns identified
In addition to traditional DDoS attacks, during Q1 2020 researchers identified various abnormal traffic patterns, including small, short attacks dubbed “invisible killers.” Attacks of this size are often overlooked by ISPs, which lets them reach websites and online service networks and cause havoc.
“We believe the small ‘invisible killer’ attacks are not isolated cases, but ongoing trends which can no longer be dismissed at the risk of internet network infrastructure suffering a deluge of attacks,” said Juniman Kasman, CTO for Nexusguard.
“It’s imperative that internet service providers take the initiative to address any suspicious traffic—irrespective of size or quantity—to ensure customers don’t experience outages from DDoS attacks.”
Findings also showed that bits-and-pieces attacks continue to slip past traditional threshold-based detection. These attacks drip-feed doses of junk traffic from a large pool of source IPs; no single source trips a per-IP threshold, but the target clogs as the bits and pieces from different IPs accumulate.
According to the report, 90% of attacks employed a single-vector approach, which is a change from the popularity of multi-vector attacks in the past.
There are growing concerns around the number of businesses vulnerable to cyberattacks due to hackers’ ability to bypass their Web Application Firewall (WAF), Neustar reveals.
Cyberattacks bypass the WAF
49% of security professionals reported more than a quarter of attempts to sidestep their WAF protocols had been successful in the last 12 months. In addition, as many as four in ten respondents disclosed that 50% or more of attacks had managed to get around their application layer firewall.
These findings come at a pivotal time, as organizations continue to adapt their security strategies to cope with the increase in malicious web activity associated with COVID-19.
29% of respondents admitted they had found it difficult to alter their WAF policies to guard against new web application attacks, while just 15% said they had found the process very easy.
No fully integrated WAF
Despite many having already been on the receiving end of a successful web application attack, 39% of respondents said they do not have a WAF that is fully integrated with their other security functions, an integration that is critical to a holistic defense against a variety of attack types. Three in ten also said that half of the requests their WAF flagged in the last year were false positives.
“As members of the public, we have witnessed the steady and significant growth of volumetric DDoS attacks, fake domains, malicious malware and harmful misinformation. However, while these may be the security concerns capturing headlines, those within the community have also seen the unsettling rise in application-layer attacks,” said Rodney Joffe, Senior VP and Fellow at Neustar.
“Often unleashing destruction before they are even recognized, these attacks are equally as damaging, targeting specific vulnerabilities to cause a multitude of complications for those on the receiving end.”
“Due to their ‘under-the-radar’ nature, application-layer attacks are difficult to detect and therefore require a security posture that is always-on in order to be identified and mitigated. Only by providing protection across the entire network can organizations respond to the type of threats we are seeing today.
“For full-protection that doesn’t hinder business performance or add unnecessary complexities, organizations should opt for a cloud-based WAF, underpinned by curated, actionable threat data.
“Not only is this approach guaranteed to safeguard against the most common web threats, it also delivers visibility into application traffic, no matter where the applications themselves are hosted,” added Joffe.
DDoS attacks and system compromise ranked as the greatest concerns
There has also been a steep 12-point increase on the International Cyber Benchmarks Index year-on-year. Calculated based on the changing level of threat and impact of cyberattacks, the Index has maintained an upward trend since May 2017.
During March – April 2020, DDoS attacks and system compromise were ranked as the greatest concerns for security professionals (both 21%), followed by ransomware (17%) and intellectual property (16%). To date, 68% of enterprises surveyed indicated that they had been on the receiving end of a DDoS attack at some point, up 3% on previous reports.
There were seven major application DDoS attacks over the previous month — two of which lasted 5-6 days, Imperva reveals.
Additionally, the team found that 47% of account takeover (ATO) attacks were aimed at loyalty programs and streaming services, where bad actors attempted to use stolen credentials to gain unauthorized access to online accounts to carry out malicious actions such as data theft, identity fraud or fraudulent e-commerce transactions.
The report also showed continued signs of site traffic recovery across various industries following the lift in shelter-in-place orders, as schools across the world reopened and employees returned to workplaces.
Increasing length of application DDoS attacks
Seven major application DDoS attacks exceeding 150,000 requests per second (RPS) were identified. Two of them lasted five and six days respectively, an unusual occurrence, as most DDoS attacks (70% of those in May) last less than 24 hours.
While the average DDoS event in April originated from 300 IPs, these two major events came from 28,000 and 3,000 unique IPs respectively. Additionally:
- The most targeted industries overall were news (38%), business (25%) and financial services (19%).
- Top countries from which DDoS attacks originate are China (26%), US (15%) and the Philippines (7%).
ATO attacks focused on loyalty programs and streaming services
Out of the total ATO attacks, 47% were aimed at loyalty programs and streaming services. In one example, 13.5 million ATO attempts were registered over three days.
Across all ATO attacks, the average attack size per site was about 100,000 attempts, distributed over 2,000 IPs on average. Each IP therefore sent no more than two requests per day, which classifies these as “low and slow” attacks, in which a botnet uses many devices, each sending only a handful of requests, to hide the attack among legitimate traffic.
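The “low and slow” ATO pattern above and the “bits-and-pieces” DDoS pattern described in the Nexusguard findings earlier on this page defeat the same thing: a detection rule that counts events per source IP. The Python below is an added example, not Imperva's or Nexusguard's detection logic. It builds a constructed day of login events (a 50-node botnet sending two failures each, one noisy single source, one legitimate user), shows that a per-IP threshold catches only the noisy source, and contrasts it with an aggregate per-target rule that also reports the distinct-source count. Target names, addresses, the baseline and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


# Constructed sample events (timestamp, source_ip, target, outcome); not real telemetry.
def build_sample():
    base = datetime(2020, 5, 4, 0, 0, 0)
    events = []
    for i in range(50):                                  # distributed, low and slow
        ip = f"198.51.100.{i + 1}"
        for k in range(2):
            events.append((base + timedelta(minutes=i * 20 + k * 5), ip, "shop.example", "fail"))
    for k in range(30):                                  # one noisy single source
        events.append((base + timedelta(seconds=k * 10), "203.0.113.9", "shop.example", "fail"))
    events.append((base + timedelta(hours=3), "192.0.2.5", "shop.example", "fail"))  # a typo
    events.append((base + timedelta(hours=3, minutes=1), "192.0.2.5", "shop.example", "ok"))
    return events


def per_source_alerts(events, threshold=20):
    """Classic per-IP thresholding: a source is flagged only when it alone
    produces >= threshold failures against a target in one day."""
    counts = Counter((ip, target, ts.date())
                     for ts, ip, target, outcome in events if outcome == "fail")
    return sorted({ip for (ip, _target, _day), n in counts.items() if n >= threshold})


def per_target_alerts(events, baseline_failures_per_day=10, factor=3.0):
    """Aggregate view: total failures per target per day compared with an assumed
    baseline, plus the distinct-source count that exposes a distributed campaign."""
    daily = defaultdict(lambda: {"failures": 0, "sources": set()})
    for ts, ip, target, outcome in events:
        if outcome == "fail":
            agg = daily[(target, ts.date())]
            agg["failures"] += 1
            agg["sources"].add(ip)
    alerts = []
    for (target, day), agg in sorted(daily.items()):
        if agg["failures"] >= factor * baseline_failures_per_day:
            alerts.append({"target": target, "day": day.isoformat(),
                           "failures": agg["failures"],
                           "distinct_sources": len(agg["sources"])})
    return alerts


def below_threshold_share(events, threshold=20):
    """Fraction of all failures coming from sources that individually stay under
    the per-IP threshold, i.e. the part of the campaign per-source rules never see."""
    per_ip = Counter(ip for _ts, ip, _t, outcome in events if outcome == "fail")
    total = sum(per_ip.values())
    quiet = sum(n for n in per_ip.values() if n < threshold)
    return quiet / total if total else 0.0


if __name__ == "__main__":
    ev = build_sample()
    print("per-source alerts:", per_source_alerts(ev))
    print("per-target alerts:", per_target_alerts(ev))
    print("share invisible to per-IP rules:", round(below_threshold_share(ev), 3))
```

On the constructed data the per-IP rule reports only the noisy source, while the aggregate rule reports 131 failures from 52 distinct sources against the one site, and roughly 77% of the failures came from sources a per-IP rule never flags. The same aggregation by target (bytes or packets per destination across all sources, rather than per source) is what catches the drip-fed DDoS variant.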
COVID-19 affects cyber traffic and attack trends, while recovery continues
As the coronavirus crisis escalated, changes in traffic and attack trends across multiple industries and countries were examined in earlier reports. In May, as more countries reopened schools and fewer students were at home, overall traffic to education sites went down by 20%.
Additionally, with many returning to work and spending more time commuting, the use of entertainment sites — specifically radio streaming services — increased by 11% overall.
Cloud platforms and automated tools: The main source of attacks against govt sites
Cloud platforms and automated tools are the main source of attacks against government sites in the United States. A total of 65% of the attacks against law and government sites in the US originated from cloud platforms using automated tools written in the Python programming language.
Database vulnerabilities spike
Ten new database vulnerabilities were published in May, and almost half held a high severity score of greater than seven, with one reaching a critical score of greater than nine per the Common Vulnerability Scoring System (CVSS). Most of the vulnerabilities were published on May 12, 2020 as part of SAP Security Patch Day.
Overall Cyber Threat Index score remains at a ‘high’ level
Although the number of attacks declined by 28%, the Cyber Threat Index score went up by 32 points due to more high- and medium-risk vulnerabilities and an increase in high volume and longer duration DDoS attacks.
“In May, we were surprised to find two unusually long DDoS attacks lasting 5-6 days. As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact,” said Nadav Avital, head of security research at Imperva.
“For example, in Imperva’s 2019 Global DDoS Threat Landscape Report, we found that about 29% of attacks lasted 1-6 hours while 26% lasted less than 10 minutes. Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults.”
There has been a shift in internet traffic patterns coinciding with an increase in DDoS and other types of network attacks in recent months as organizations across industries quickly transitioned to remote workforces and individuals under stay-at-home orders began relying on the internet more heavily, according to Neustar.
Growing reliance on the internet
The pandemic effect was clear in traffic to specific websites, such as the 250% increase in queries for a popular collaboration platform as lockdowns commenced and the sharp rise in traffic to the website of an N95 mask manufacturer.
A noticeable rise in traffic occurred in mid-March, correlating with the dates on which schools and organizations began to implement isolation policies, and query numbers continued to rise afterward, with a sharp uptick about a month after isolation policies had begun to take hold.
There was a 14% increase in DNS query volumes between March 1 and May 3, as the full impact of the pandemic set in around the world.
Of course, not all industries have been affected equally. As might be expected, queries to retail companies and streaming services saw a large increase during the one-month period coinciding with the beginning of stay-at-home orders, while the travel industry saw decline initially but appears to be recovering.
Traffic patterns and increasing attacks
Concurrent with these changes in traffic patterns, there was a dramatic rise in DDoS and other attacks across virtually every metric measured, including the overall number of attacks; attack severity, which considers the volume of the attack (measured in tera- or gigabits per second, which congests bandwidth); and attack intensity (measured in millions of packets per second, which targets infrastructure).
“It’s no surprise that in this massive and unplanned shift of the global workforce now suddenly being reliant on home internet and corporate VPN connectivity, bad actors and cyber criminals would seek to take advantage of emerging network vulnerabilities,” said Brian McCann, President of Security Solutions at Neustar.
“Whereas it could take years for a business to build and execute on a plan to support a remote workforce, every organization suddenly had to implement one immediately.”
The DNS hijacking threat
While many DDoS and other types of attacks focus on corporate assets, there has also been an increase in DNS hijacking, a technique in which DNS settings are changed to redirect the user to a website that might look legitimate but often contains malware disguised as something useful.
“Combined with the growing number of threats against the internet’s DNS infrastructure, the unexpected need to support a fully distributed workforce often exposes new vulnerabilities that are difficult for organizations to guard against, underscoring the importance of having effective cybersecurity measures like always-on DDoS protection services in place to ensure operational continuity,” added McCann.
A vulnerability (CVE-2020-12695) in Universal Plug and Play (UPnP), which is implemented in billions of networked and IoT devices – personal computers, printers, mobile devices, routers, gaming consoles, Wi-Fi access points, and so on – may allow unauthenticated, remote attackers to exfiltrate data, scan internal networks or make the devices participate in DDoS attacks.
UPnP is a set of networking protocols that allows networked devices to automatically discover and interact with each other when on the same network.
UPnP is intended primarily for residential and SOHO wireless networks. It is designed to be used in a trusted local area network (LAN) and so the protocol does not implement any form of authentication or verification. That’s one of the reasons why some UPnP devices are shipped with the protocol turned off by default and it’s on administrators to enable it, if needed.
The development of the UPnP protocol is managed by the Open Connectivity Foundation (OCF), a standards organization whose goal is to promote the interoperability of connected devices.
About the vulnerability (CVE-2020-12695)
CVE-2020-12695 (aka “CallStranger”) was discovered by security researcher Yunus Çadırcı and privately reported to the OCF in late 2019.
“The vulnerability (…) is caused by the Callback header value in the UPnP SUBSCRIBE function, which can be controlled by an attacker and enables an SSRF-like vulnerability that affects millions of Internet-facing and billions of LAN devices,” Çadırcı explained.
More technical details are available in Çadırcı’s write-up but, in short, the vulnerability can be used to bypass DLP and network security devices to exfiltrate data, scan internal ports, and force millions of Internet-facing UPnP devices to become a source of amplified, reflected TCP DDoS.
The Open Connectivity Foundation fixed the vulnerability and updated the UPnP specification on April 17, 2020. They also contacted some affected vendors (those included in Çadırcı’s report).
A Shodan search shows that there are around 5.5 million Internet-facing devices with UPnP enabled.
Among the confirmed vulnerable devices are computers running Windows 10, Xbox One, Belkin WeMo home automation devices, printers manufactured by Canon, HP and Epson, Samsung smart TVs, routers and modems manufactured by Broadcom, Cisco, D-Link, Huawei, Zyxel, and more.
CMU’s Software Engineering Institute has also published a vulnerability note for CVE-2020-12695 and will be updating it to list affected devices and links to available patches. They’ve also noted that, in general, making UPnP available over the Internet should be avoided.
“Device manufacturers are urged to disable the UPnP SUBSCRIBE capability in their default configuration and to require users to explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network,” they advised.
“Vendors are urged to implement the updated specification provided by the OCF. Users should monitor vendor support channels for updates that implement the new SUBSCRIBE specification.”
Çadırcı noted that because CallStranger is a protocol vulnerability, it may take a long time for vendors to provide patches.
“Home users are not expected to be targeted directly. If their Internet-facing devices have UPnP endpoints, their devices may be used as a DDoS source,” he added.
He advised enterprises to check whether devices they use are vulnerable and provided a script that can help them do that, as well as laid out several mitigation actions they can perform.
“We see data exfiltration as the biggest risk of CallStranger. Checking logs is critical in case any threat actor used this in the past,” he noted. “Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet-exposed UPnP devices, so we don’t expect to see port scanning from Internet to Intranet, but Intranet to Intranet may be an issue.”
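The SSRF-like behaviour is easier to see on a concrete SUBSCRIBE request. The Python below is an added example, not Çadırcı’s check script and not any vendor’s code: it parses a UPnP SUBSCRIBE request, extracts the CALLBACK URLs, and contrasts the pre-fix acceptance (any syntactically valid callback is accepted and later NOTIFY-ed, wherever it points) with a hardened check that only admits callbacks whose host is a literal address inside a trusted LAN range. The three requests and the 192.168.1.0/24 trust range are constructed; insisting on IP literals rather than hostnames is this example’s choice for resisting DNS tricks, not necessarily the wording of the updated OCF specification.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample SUBSCRIBE requests (not real captures). The second carries an
# attacker-chosen Internet callback; the third hides an off-LAN URL behind a LAN one.
SAMPLE_REQUESTS = {
    "lan": (
        "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
        "HOST: 192.168.1.1:49152\r\n"
        "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
        "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
    ),
    "internet": (
        "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
        "HOST: 192.168.1.1:49152\r\n"
        "CALLBACK: <http://203.0.113.10/collect?data=secret>\r\n"
        "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
    ),
    "multi": (
        "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
        "HOST: 192.168.1.1:49152\r\n"
        "CALLBACK: <http://192.168.1.50:8080/a><http://198.51.100.7:80/b>\r\n"
        "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
    ),
}


def parse_subscribe(raw):
    """Return a dict of headers (upper-cased names) from a raw SUBSCRIBE request."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    if not request_line.startswith("SUBSCRIBE "):
        raise ValueError("not a SUBSCRIBE request")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def callback_urls(headers):
    """CALLBACK carries one or more <url> entries; return them in order."""
    raw = headers.get("CALLBACK", "")
    return [u.strip() for u in raw.replace(">", "").split("<") if u.strip()]


def vulnerable_accept(headers):
    """Pre-fix behaviour: any non-empty CALLBACK is accepted, so the device will
    later send NOTIFY requests to whatever host the subscriber named."""
    return len(callback_urls(headers)) > 0


def hardened_accept(headers, local_net):
    """Accept only if every callback URL is plain http and its host is an IP
    literal inside the trusted LAN range (assumed policy, see lead-in)."""
    urls = callback_urls(headers)
    if not urls:
        return False
    for u in urls:
        parts = urlsplit(u)
        if parts.scheme != "http" or parts.hostname is None:
            return False
        try:
            host = ipaddress.ip_address(parts.hostname)
        except ValueError:
            return False  # hostnames rejected: they could resolve anywhere
        if host not in local_net:
            return False
    return True


def evaluate(raw, local_cidr="192.168.1.0/24"):
    """(accepted_by_vulnerable_device, accepted_by_hardened_device) for one request."""
    headers = parse_subscribe(raw)
    return vulnerable_accept(headers), hardened_accept(headers, ipaddress.ip_network(local_cidr))


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:9s} callbacks={callback_urls(parse_subscribe(raw))} "
              f"vulnerable/hardened={evaluate(raw)}")
```

The vulnerable check accepts all three requests; the hardened one accepts only the subscription whose every callback stays inside the LAN, which is the property the mitigation advice above (SUBSCRIBE off by default, enabled only with restrictions to the trusted local network) is trying to enforce.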
Trust has eroded among criminal interactions, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, Trend Micro reveals.
Popular underground goods and services
The report reveals that determined efforts by law enforcement appear to be having an impact on the cybercrime underground. Several forums have been taken down by global police entities, and remaining forums experience persistent DDoS attacks and log-in problems impacting their usefulness.
Trends for cybercrime products and services
The report also illustrates the changing market trends for cybercrime products and services since 2015. Commoditization has driven prices down for many items. For example, crypting services fell from $1,000 to just $20 per month, while the price of generic botnets dropped from $200 to $5 per day.
Pricing for other items, including ransomware, Remote Access Trojans (RATs), online account credentials and spam services, remained stable, which indicates continued demand.
However, there has been a high demand for other services, such as IoT botnets, with new undetected malware variants selling for as much as $5,000. Also popular are fake news and cyber-propaganda services, with voter databases selling for hundreds of dollars, and gaming accounts for games like Fortnite can fetch around $1,000 on average.
Other underground market trends
Other notable findings include the emergence of markets for:
- Deepfake services for sextortion or to bypass photo verification requirements on some sites.
- AI-based gambling bots designed to predict dice roll patterns and crack complex Roblox CAPTCHA.
- Access-as-a-Service to hacked devices and corporate networks. Prices for Fortune 500 companies can reach up to US$10,000 and some services include access with read and write privileges.
- Wearable device accounts where access could enable cybercriminals to run warranty scams by requesting replacement devices.
Underground market trends will likely shift further in the months following the global COVID-19 pandemic, as attack opportunities continue to evolve. To protect against the ever-changing threat landscape, it is recommended to implement a multi-layered defense approach to protect against the latest threats and mitigate corporate security risk.
The monthly report also revealed that the Cyber Threat Index remains at a ‘high’ level, that the financial services sector has been suffering the most from cross-site scripting (XSS) attacks, and that attacks from cloud services continue to increase.
Amid COVID-19, web traffic and attack trends were affected
During the month of March, changes in traffic and attack trends were tracked across multiple industries and countries as the coronavirus pandemic escalated.
The March findings indicated that the food and beverage industry experienced more website attacks globally (+6%), especially in Germany (+125%). There were more attacks on the financial industry both globally (+3%) and in specific countries like Italy (+44%), UK (+21%), and Spain (+18%).
CTI remains at a ‘high’ level
In March, a balancing effect took place as some industries (news and retail) saw increases in both traffic and attacks, while others (travel and sports) saw less traffic and attacks. Due to this variation between industries, the global index remains consistent and, while the score didn’t increase, the risks remain high.
Financial services suffer the most from XSS attacks
Cross-site-scripting attacks, a type of malicious script injection, were the most dominant attack vector (32%) for sites in the financial services sector. This may be because taking over web sessions in financial sites is extremely profitable for hackers, or because of the high regulation on these sites and the frequent risk assessment and penetration tests being conducted.
Network DDoS peaked at 279 Gbps
Imperva registered a network DDoS attack, aimed at a domain name registrar and web hosting company in the U.S., that peaked at 279 Gbps, 37% higher than the average network DDoS attack in the previous three months.
Attacks from cloud services increased
As attacks from anonymization platforms declined, attacks from cloud services increased. Imperva observed a 23% decline in attacks from anonymity frameworks like Tor, VPNs and masking proxies, which likely reflects a shift to cloud services: attacks from those grew 10% over the same period, and they provide partial anonymity.
U.S. govt and law sector attacks compared to those in France
Attacks against the government and law sector in the U.S. declined, compared to an increase in France. France’s first local election round was accompanied by a 12% increase in attacks on law and government websites, while the U.S. experienced a 5% decline in attacks during the month of March.
The volume and complexity of attacks continued to grow in the first quarter of 2020, according to Link11.
There was an increasing number of high-volume attacks in Q1 2020, with 51 attacks over 50 Gbps. The average bandwidth of attacks also rose, reaching 5.0 Gbps versus 4.3 Gbps in the same quarter of 2019.
- Maximum bandwidth nearly doubles: In Q1 2020, the maximum bandwidth nearly doubled in comparison to the previous year; the biggest attack stopped was 406 Gbps. In Q1 2019 the maximum bandwidth peaked at 224 Gbps.
- Complex multi-vector attacks rising: The share of multi-vector attacks rose to 64% in Q1 2020 up from 47% in Q1 2019. 66% of all multi-vector attacks combined 2 – 3 vectors. More importantly, there were 19 attacks that used 10 or more different DDoS vectors, compared to no reported attacks of this scale in 2019.
- Most frequently misused DDoS vectors: The most frequently used DDoS vectors in Q1 2020 were DNS Reflection, CLDAP, NTP and WS-Discovery.
- DDoS attackers increasingly abuse public cloud services: Nearly half of all DDoS attacks (47%) in Q1 2020 used public cloud server-based botnets, compared to 31% in the previous year.
- APIs and applications under attack: As companies build new applications and services from multiple sources using APIs, they are becoming increasingly vulnerable to Layer 7 attacks, which are typically ‘low and slow’ compared to network layer attacks.
Marc Wilczek, COO of Link11 said: “The threat landscape is changing as a result of the COVID-19 outbreak. With more people working remotely, there is a greater emphasis on virtual networks which need to be accessible from multiple locations.
“This is creating the perfect scenario for DDoS attackers to overwhelm networks and cause serious disruption. To address this, organizations need to be more proactive in their approach to DDoS protection, in order to respond to these ever-evolving threats.”
The coronavirus pandemic is upending everything we know. As the tally of infected people grows by the hour, global healthcare, economic, political, and social systems are bending and breaking under the strain, and for much of the world there’s no end in sight. But amid this massive wave of disruption, one thing hasn’t changed: the eagerness of cybercriminals to capitalize on society’s misfortune and uncertainty to sabotage, cripple, mislead and steal.
New states of emergency are being declared every day as the virus keeps spreading. Confirmed cases have meanwhile been reported in more than 150 countries on six different continents. Nations and organizations everywhere are working around the clock to flatten the COVID-19 curve by imposing remote work policies, travel bans, and self-isolation.
In an unprecedented time like this, the reliance on the Internet is growing exponentially, turning the data highway into an even more indispensable channel for communication, information sharing, commerce, and everyday social interaction.
The Internet lifeline
To prevent their phone lines from being overwhelmed with information requests, governments around the globe are making digital the default communication stream and directing citizens to the official websites of their health ministries or public health agencies for COVID-19 updates. People are hitting Facebook and other social media like never before to keep up with and share the latest news. Telecom giant Vodafone has reported a 50% surge in European internet use, and Netflix has been requested to cut its bitrate in Europe for 30 days in order to prevent the Internet from collapsing.
In this context, a cyberattack that denies organizations or families access to their devices or data could be catastrophic. In a worst-case scenario, one or more cyberattacks could cause broad-based infrastructure shutdowns that take whole communities or cities offline and further hinder already overburdened healthcare providers, transportation systems and networks.
Germany, Italy and Spain are among the many countries and jurisdictions (like New York and California) that have implemented draconian measures to limit the spread of the COVID-19 virus. Non-essential businesses have been made to close, and people to stay at home. Consequently, citizens are relying heavily on delivery services, which continue to operate. However, in Germany, cybercriminals recently unleashed a DDoS attack on one of the largest home delivery platforms, which affected customers and owners of more than 15,000 restaurants across the country. The criminals asked for two bitcoins (worth roughly $11,000) to stop the siege.
A few days earlier, the U.S. Department of Health and Human Services (HHS) suffered a DDoS attack, assumed to have been launched by a hostile foreign actor, aimed at slowing down the agency’s services amid the government’s rollout of a response to coronavirus. The attackers allegedly tried to overload HHS servers with millions of hits in just hours. The attack in the US occurred just two weeks after Australia’s federal cyber agency warned that Australian banks were in the crosshairs of extensive DDoS extortion campaigns.
Digitally advanced industries with a heavy dependence on internet connectivity are especially vulnerable right now. Europol’s “Internet Organised Crime Threat Assessment 2019” report notes that – besides the public sector and financial institutions – travel agents, Internet infrastructure, e-commerce, and online gaming services were lucrative targets for DDoS extortionists.
The perils of DDoS attacks on VPN servers
When it comes to remote work, VPN servers turn into bottlenecks, and keeping them secure and available is a number-one IT priority. Attackers can direct DDoS campaigns at VPN services and exhaust their resources, knocking the VPN server offline. The implications are clear: since the VPN server is the gateway to a company’s internal network, an outage prevents every remote employee from doing their job, effectively cutting the entire organization off from the outside world.
During an unprecedented period of peak traffic, the risk posed by a DDoS attack grows sharply. If utilization of the available bandwidth is already very high, it does not take much to cause an outage; even a tiny attack can become the last nail in the coffin. For instance, a VPN server or firewall can be taken down by a TCP blend attack with an attack volume as low as 1 Mbps. SSL-based VPNs are as vulnerable to SSL flood attacks as web servers are.
Making matters worse, many organizations either use in-house hardware appliances or rely on their Internet carrier to ward off incoming attacks. These deployment models tend to run with little automation and require some form of human intervention to operate. If someone or something throws a digital wrench into the system, fixing the problem remotely will be an uphill battle when few or no IT staff are on-site. Since these deployment models typically need 10 or even 20 minutes just to detect an incident, any attack will almost inevitably cause a major outage.
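The two points above, that a nearly saturated link leaves no headroom for even a sub-1 Mbps attack and that automated detection closes the 10-to-20-minute gap, can be shown with a small flow-record monitor for a VPN-facing link. The following is an added example written for this article, not code from Link11 or from the original text; the link capacity, the VPN endpoint address, the flow-record format and every threshold are assumptions, and all traffic in it is constructed sample data.

```python
"""Flow-record monitor for a VPN-facing uplink (added example, constructed data).

Shows (1) headroom left on a busy link and how a tiny handshake flood pushes it
over the edge, and (2) a 5-second window check that flags the anomaly in seconds.
Capacity, endpoint, record format and thresholds are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass

LINK_CAPACITY_BPS = 100_000_000       # assumed 100 Mbit/s uplink
VPN_ENDPOINT = ("203.0.113.10", 443)  # assumed SSL-VPN address (documentation range)
WINDOW_SECONDS = 5


@dataclass
class Flow:
    ts: int       # epoch seconds
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags seen, e.g. "S", "SA", "R", "PA"
    bytes: int


def parse_flows(lines):
    """Parse constructed 'ts src dst dport flags bytes' records."""
    flows = []
    for line in lines:
        ts, src, dst, dport, flags, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), flags, int(nbytes)))
    return flows


def window_stats(flows, start, width=WINDOW_SECONDS):
    """Aggregate one time window: link utilisation, flows and sources hitting the
    VPN endpoint, and the share of those flows that never get past the handshake."""
    inwin = [f for f in flows if start <= f.ts < start + width]
    total_bytes = sum(f.bytes for f in inwin)
    to_vpn = [f for f in inwin if (f.dst, f.dport) == VPN_ENDPOINT]
    flag_mix = Counter(f.flags for f in to_vpn)
    return {
        "utilisation": total_bytes * 8 / (LINK_CAPACITY_BPS * width),
        "vpn_flows": len(to_vpn),
        "vpn_sources": len({f.src for f in to_vpn}),
        "handshake_only": sum(flag_mix[k] for k in ("S", "SA", "R")) / max(len(to_vpn), 1),
    }


def headroom_mbps(utilisation):
    """Extra traffic (Mbit/s) the link can still absorb before saturating."""
    return max(0.0, (1.0 - utilisation) * LINK_CAPACITY_BPS / 1e6)


def detect(flows, baseline_flows_per_window=40, util_alert=0.9, handshake_alert=0.6):
    """Return (window_start, reasons, headroom_mbps) for every window that either
    nears saturation or shows a handshake-heavy flow surge to the VPN endpoint
    from many sources, the shape of a mixed TCP-flag flood."""
    if not flows:
        return []
    alerts = []
    t0, t1 = min(f.ts for f in flows), max(f.ts for f in flows)
    for start in range(t0, t1 + 1, WINDOW_SECONDS):
        s = window_stats(flows, start)
        reasons = []
        if s["utilisation"] >= util_alert:
            reasons.append("link near saturation")
        if (s["vpn_flows"] > 3 * baseline_flows_per_window
                and s["handshake_only"] >= handshake_alert
                and s["vpn_sources"] > 10):
            reasons.append("handshake-heavy flow surge to VPN")
        if reasons:
            alerts.append((start, reasons, round(headroom_mbps(s["utilisation"]), 1)))
    return alerts


def sample_flows():
    """Constructed sample: 20 remote workers keep the link at 89.6% for ten seconds;
    from t=1005 on, 200 sources add 5 tiny SYN/RST packets per second each,
    i.e. roughly 0.48 Mbit/s, which is enough to tip the link past 90%."""
    lines = []
    for ts in range(1000, 1010):
        for i in range(20):
            lines.append(f"{ts} 198.51.100.{i} 203.0.113.10 443 PA 560000")
    for ts in range(1005, 1010):
        for i in range(200):
            for k in range(5):
                flag = "S" if k % 2 == 0 else "R"
                lines.append(f"{ts} 192.0.2.{i} 203.0.113.10 443 {flag} 60")
    return parse_flows(lines)


if __name__ == "__main__":
    for start, reasons, headroom in detect(sample_flows()):
        print(f"t={start}: {', '.join(reasons)} (headroom {headroom} Mbit/s)")
```

The first window stays quiet at 89.6% utilisation; the second is flagged for both reasons because the flood is only about half a megabit per second but the link had under 10 Mbit/s of headroom left, which is exactly the situation the paragraph above describes. In a real deployment the flow records would come from NetFlow/IPFIX or the VPN appliance's own counters, and the window check would feed an automated mitigation rather than a ticket queue.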
APIs and web apps broaden the attack surface
The Application Programming Interface (API) is a key part of every cloud service or web app. APIs enable service integration and interoperability – for instance, by letting any given app process a payment from PayPal or a client’s credit account in order to complete a transaction. But they can also turn into a single point of failure that exposes companies to a wide variety of risks and vulnerabilities. When a business-critical application or API is compromised, it knocks out all the operations related to the business and initiates a potentially devastating chain reaction.
Guarding against or mitigating application-layer attacks – such as an HTTP/HTTPS flood – is especially difficult, as the malicious traffic is hard to distinguish from regular traffic. Layer-7 attacks are highly effective in that sense, as they require little bandwidth to cause a blackout.
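Because every request in an HTTP flood is individually well-formed, detection has to look at behaviour over time rather than at single requests. The following added example (written for this article, not code from the original text or from any vendor) scores clients in constructed web-server access logs by request rate against an assumed baseline and by how heavily they concentrate on expensive, uncached endpoints; the log lines, the endpoint list and the thresholds are all assumptions for illustration.

```python
"""Scoring access-log clients for HTTP-flood behaviour (added example, constructed data).

A plain rate threshold also catches a busy NAT gateway, so a client is reported as a
likely flood source only when it both exceeds the rate and hammers expensive endpoints;
a high-rate client that browses normally is reported separately for review.
Log format, endpoint list and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
EXPENSIVE_PREFIXES = ("/search", "/api/cart", "/api/checkout")  # assumed uncached endpoints


def parse_line(line):
    """Parse one combined-log-format line into a record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def client_profiles(records, window_seconds=60):
    """Per-client request count, expensive-endpoint count and distinct paths over the
    window that starts at the earliest record."""
    if not records:
        return {}
    start = min(r["ts"] for r in records)
    prof = defaultdict(lambda: {"requests": 0, "expensive": 0, "paths": set()})
    for r in records:
        if (r["ts"] - start).total_seconds() >= window_seconds:
            continue
        p = prof[r["ip"]]
        p["requests"] += 1
        p["paths"].add(r["path"])
        if r["path"].startswith(EXPENSIVE_PREFIXES):
            p["expensive"] += 1
    return prof


def score_clients(records, baseline_rpm=30, rate_factor=10, expensive_share=0.8):
    """Return {ip: [reasons]} for clients whose behaviour over the window exceeds
    rate_factor times the assumed per-client baseline of baseline_rpm requests/minute."""
    flagged = {}
    for ip, p in client_profiles(records).items():
        reasons = []
        if p["requests"] > baseline_rpm * rate_factor:
            share = p["expensive"] / p["requests"]
            if share >= expensive_share:
                reasons.append("rate > %dx baseline, %.0f%% expensive endpoints"
                               % (rate_factor, share * 100))
            else:
                reasons.append("high rate but mixed browsing (review: shared NAT?)")
        if reasons:
            flagged[ip] = reasons
    return flagged


def sample_log():
    """Constructed access-log lines: one ordinary user, one busy NAT gateway whose
    users browse a mix of pages, and one client replaying the search endpoint."""
    def entry(ip, sec, path, status=200, size=512):
        return (f'{ip} - - [01/Apr/2020:10:00:{sec:02d} +0000] '
                f'"GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')
    lines = []
    for s in range(0, 60, 5):                       # 12 requests in a minute
        lines.append(entry("198.51.100.7", s, f"/products/{s}"))
    mixed = ["/", "/products/1", "/search?q=mask", "/static/app.js"]
    for s in range(60):                             # 420 requests, 2 in 7 expensive
        for i in range(7):
            lines.append(entry("198.51.100.8", s, mixed[i % 4]))
    for s in range(60):                             # 720 requests, all to /search
        for i in range(12):
            lines.append(entry("192.0.2.55", s, f"/search?q=item{i}&page={s}"))
    return lines


if __name__ == "__main__":
    records = [r for r in map(parse_line, sample_log()) if r]
    for ip, reasons in score_clients(records).items():
        print(ip, "->", "; ".join(reasons))
```

The ordinary user is never reported, the search-replaying client is reported as a flood source, and the NAT gateway is surfaced for review rather than blocked outright, which is the trade-off the paragraph above points at: rate alone cannot separate a layer-7 flood from a crowd of legitimate users behind one address, so the second signal is needed before any automated action.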
Cybercrime exploits anxiety
Cybercriminals take advantage of human foibles to break through systemic defenses. In a crisis, especially a prolonged one, IT staff run the risk of making mistakes they would not otherwise make. Attackers might cut off system administrators from their own servers while they run virtually rampant through the company network, steal proprietary data, or deploy ransomware. Any downtime can alienate customers, erode trust and cause negative publicity, even anxiety.
Organizations should remain vigilant and prepare for attacks in advance, as this sort of incident can be very difficult to respond to once the attack unfolds. Companies should also continue to opt for cloud services to take advantage of their scalability and higher bandwidth for redundancy. Most importantly, during times of remote work and self-isolation, radical security automation is more important than ever in order to ensure an instant response and take human error out of the equation.