Trust among cybercriminals has eroded, causing a switch to e-commerce platforms and communication over Discord, both of which increase user anonymization, Trend Micro reveals.
Popular underground goods and services
The report reveals that determined efforts by law enforcement appear to be having an impact on the cybercrime underground. Several forums have been taken down by global police entities, and remaining forums experience persistent DDoS attacks and log-in problems impacting their usefulness.
Trends for cybercrime products and services
The report also illustrates the changing market trends for cybercrime products and services since 2015. Commoditization has driven prices down for many items. For example, crypting services fell from $1,000 to just $20 per month, while the price of generic botnets dropped from $200 to $5 per day.
Pricing for other items, including ransomware, Remote Access Trojans (RATs), online account credentials and spam services, remained stable, which indicates continued demand.
However, there has been high demand for other services, such as IoT botnets, with new undetected malware variants selling for as much as $5,000. Also popular are fake news and cyber-propaganda services, with voter databases selling for hundreds of dollars, while accounts for games like Fortnite can fetch around $1,000 on average.
Other underground market trends
Other notable findings include the emergence of markets for:
- Deepfake services for sextortion or to bypass photo verification requirements on some sites.
- AI-based gambling bots designed to predict dice roll patterns and crack complex Roblox CAPTCHA.
- Access-as-a-Service to hacked devices and corporate networks. Prices for Fortune 500 companies can reach up to US$10,000 and some services include access with read and write privileges.
- Wearable device accounts where access could enable cybercriminals to run warranty scams by requesting replacement devices.
Underground market trends will likely shift further in the months following the global COVID-19 pandemic, as attack opportunities continue to evolve. To keep pace with the ever-changing threat landscape, it is recommended to implement a multi-layered defense approach to protect against the latest threats and mitigate corporate security risk.
The monthly report also revealed that the Cyber Threat Index remains at a ‘high’ level, that the financial services sector has been suffering the most from cross-site scripting (XSS) attacks, and that attacks from cloud services continue to increase.
Amid COVID-19, web traffic and attack trends were affected
During the month of March, changes in traffic and attack trends were tracked across multiple industries and countries as the coronavirus pandemic escalated.
The March findings indicated that the food and beverage industry experienced more website attacks globally (+6%), especially in Germany (+125%). There were more attacks on the financial industry both globally (+3%) and in specific countries like Italy (+44%), UK (+21%), and Spain (+18%).
CTI remains at a ‘high’ level
In March, a balancing effect took place as some industries (news and retail) saw increases in both traffic and attacks, while others (travel and sports) saw less traffic and attacks. Due to this variation between industries, the global index remains consistent and, while the score didn’t increase, the risks remain high.
Financial services suffer the most from XSS attacks
Cross-site scripting attacks, a type of malicious script injection, were the most dominant attack vector (32%) for sites in the financial services sector. This may be because taking over web sessions in financial sites is extremely profitable for hackers, or because of the high regulation on these sites and the frequent risk assessment and penetration tests being conducted.
Network DDoS peaked at 279 Gbps
Imperva registered a network DDoS attack, aimed at a domain name registrar and web hosting company in the U.S., that peaked at 279 Gbps, which is 37% higher than the average network DDoS attack in the last three months.
Attacks from cloud services increased
As attacks from anonymization platforms declined, attacks from cloud services increased. Imperva observed a 23% decline in attacks from anonymity frameworks like TOR, VPNs, and masking proxies. This can be explained by the simultaneous 10% growth in attacks coming from different cloud services, which provide partial anonymity.
U.S. govt and law sector attacks compared to those in France
Attacks against the government and law sector in the U.S. declined, compared to an increase in France. France’s first local election round was accompanied by a 12% increase in attacks on law and government websites, while the U.S. experienced a 5% decline in attacks during the month of March.
The volume and complexity of attacks continued to grow in the first quarter of 2020, according to Link11.
There has been an increasing number of high-volume attacks in Q1 2020, with 51 attacks over 50 Gbps. The average bandwidth of attacks also rose, reaching 5.0 Gbps versus 4.3 Gbps in the same quarter in 2019.
- Maximum bandwidth nearly doubles: In Q1 2020, the maximum bandwidth nearly doubled in comparison to the previous year; the biggest attack stopped was 406 Gbps. In Q1 2019 the maximum bandwidth peaked at 224 Gbps.
- Complex multi-vector attacks rising: The share of multi-vector attacks rose to 64% in Q1 2020 up from 47% in Q1 2019. 66% of all multi-vector attacks combined 2 – 3 vectors. More importantly, there were 19 attacks that used 10 or more different DDoS vectors, compared to no reported attacks of this scale in 2019.
- Most frequently misused DDoS vectors: The most frequently used DDoS vectors in Q1 2020 were DNS Reflection, CLDAP, NTP and WS-Discovery.
- DDoS attackers increasingly abuse public cloud services: Nearly half of all DDoS attacks (47%) in Q1 2020 used public cloud server-based botnets, compared to 31% in the previous year.
- APIs and applications under attack: As companies build new applications and services from multiple sources using APIs, they are becoming increasingly vulnerable to Layer 7 attacks, which are typically ‘low and slow’ compared to network layer attacks.
Marc Wilczek, COO of Link11 said: “The threat landscape is changing as a result of the COVID-19 outbreak. With more people working remotely, there is a greater emphasis on virtual networks which need to be accessible from multiple locations.
“This is creating the perfect scenario for DDoS attackers to overwhelm networks and cause serious disruption. To address this, organizations need to be more proactive in their approach to DDoS protection, in order to respond to these ever-evolving threats.”
The coronavirus pandemic is upending everything we know. As the tally of infected people grows by the hour, global healthcare, economic, political, and social systems are bending and breaking under the strain, and for much of the world there’s no end in sight. But amid this massive wave of disruption, one thing hasn’t changed: the eagerness of cybercriminals to capitalize on society’s misfortune and uncertainty to sabotage, cripple, mislead and steal.
New states of emergency are being declared every day as the virus keeps spreading. Confirmed cases have meanwhile been reported in more than 150 countries on six different continents. Nations and organizations everywhere are working around the clock to flatten the COVID-19 curve by imposing remote work policies, travel bans, and self-isolation.
In an unprecedented time like this, the reliance on the Internet is growing exponentially, turning the data highway into an even more indispensable channel for communication, information sharing, commerce, and everyday social interaction.
The Internet lifeline
To prevent their phone lines from being overwhelmed with information requests, governments around the globe are making digital the default communication stream and directing citizens to the official websites of their health ministries or public health agencies for COVID-19 updates. People are hitting Facebook and other social media like never before to keep up with and share the latest news. Telecom giant Vodafone has reported a 50% surge in European internet use, and Netflix has been requested to cut its bitrate in Europe for 30 days in order to prevent the Internet from collapsing.
In this context, a cyberattack that denies organizations or families access to their devices or data could be catastrophic. In a worst-case scenario, one or more cyberattacks could cause broad-based infrastructure shutdowns that take whole communities or cities offline and further hinder already overburdened healthcare providers, transportation systems and networks.
Germany, Italy and Spain are among the many countries and jurisdictions (like New York and California) that have implemented draconian measures to limit the spread of the COVID-19 virus. Non-essential businesses have been made to close, and people to stay at home. Consequently, citizens are relying heavily on delivery services, which continue to operate. However, in Germany, cybercriminals recently unleashed a DDoS attack on one of the largest home delivery platforms, which affected customers and owners of more than 15,000 restaurants across the country. The criminals asked for two bitcoins (worth roughly $11,000) to stop the siege.
A few days earlier, the U.S. Department of Health and Human Services (HHS) suffered a DDoS attack, assumed to have been launched by a hostile foreign actor, aimed at slowing down the agency’s services amid the government’s rollout of a response to coronavirus. The incident allegedly tried to overload HHS servers with millions of hits in just hours. The attack in the US occurred just two weeks after Australia’s federal cyber agency warned that Australian banks were in the crosshairs of extensive DDoS extortion campaigns.
Digitally advanced industries that depend heavily on internet connectivity are more vulnerable than ever. Europol’s “Internet Organised Crime Threat Assessment 2019” report notes that – besides the public sector and financial institutions – travel agents, Internet infrastructure, e-commerce, and online gaming services were lucrative targets for DDoS extortionists.
The perils of DDoS attacks on VPN servers
When it comes to remote work, VPN servers turn into bottlenecks. Keeping them secure and available is a number-one IT priority. Hackers can launch DDoS campaigns on VPN services and deplete their resources, knocking out the VPN server and limiting its availability. The implications are clear: Since the VPN server is the gateway to a company’s internal network, an outage can keep all employees working remotely from doing their job, effectively cutting off the entire organization from the outside world.
During an unprecedented time of peak traffic, the risk of a DDoS attack is growing exponentially. If the utilization of the available bandwidth is very high, it does not take much to cause an outage. In fact, even a tiny attack can become the last nail in the coffin. For instance, a VPN server or firewall can be taken down by a TCP blend attack with an attack volume as low as 1 Mbps. SSL-based VPNs are just as vulnerable to an SSL flood attack, as are web servers.
Making matters worse, many organizations either use in-house hardware appliances or rely on their Internet carrier to ward off incoming attacks. These deployment models tend to run with low levels of automation, requiring human intervention of some sort to operate. If someone or something throws a digital wrench into the system, fixing the problem remotely will be an uphill battle if there are few or no IT staff on-site. Since these deployment models typically require 10 or even 20 minutes before they even detect an incident, any attack will almost inevitably cause a major outage.
APIs and web apps broaden the attack surface
The Application Programming Interface (API) is a key part of every cloud service or web app. APIs enable service integration and interoperability – by, for instance, enabling any given app to process a payment from PayPal or a client’s credit account in order to complete the transaction. But they can also turn into a single point of failure that exposes companies to a wide variety of risks and vulnerabilities. When a business-critical application or API is compromised, it knocks out all the operations related to the business and initiates a potentially devastating chain reaction.
Guarding against or managing application layer attacks – such as an HTTP/HTTPS flood – is especially difficult, as the malicious traffic is hard to distinguish from regular traffic. Layer-7 attacks are in that sense highly effective, as they require little bandwidth to create a blackout.
Cybercrime exploits anxiety
Cybercriminals take advantage of human foibles to break through systemic defenses. In a crisis, especially if prolonged, IT people run the risk of making mistakes they would not have made otherwise. Attackers might cut off system administrators from their own servers while they run virtually rampant through the company network, steal proprietary data, or inject ransomware. Any downtime can alienate customers, erode trust and cause negative publicity, even anxiety.
Organizations should remain vigilant and prepare for attacks in advance, before they occur, as this sort of incident can be very difficult to respond to once the attack unfolds. Companies should also continue to opt for cloud services to take advantage of scalability, and higher bandwidth to maintain redundancy. Most importantly, during times of remote work and self-isolation, radical security automation is more important than ever in order to ensure an instant response and get human error out of the equation.
There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to Neustar.
The company saw DDoS attacks across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019.
DDoS attacks increase, take varied forms
In 2019, the largest mitigated threat, at 587 gigabits per second (Gbps), was 31% larger than the largest attack of 2018, while the maximum attack intensity observed in 2019, 343 million packets per second (Mpps), was 252% higher than that of the most intense attack seen in 2018.
However, despite these higher peaks, the average attack size (12 Gbps) and intensity (3 Mpps) remained consistent year over year. The longest single, uninterrupted attack experienced in 2019 lasted three days, 13 hours and eight minutes.
Though the number of attacks increased significantly across all size categories, small-scale attacks (5 Gbps and below) again saw the largest growth in 2019, continuing the trend from the previous year.
The combination of DDoS-for-hire and botnet rental services has made DDoS attacks much easier to execute, but the fact that perpetrators seem to be in many cases choosing to engage in small-scale attacks suggests that their goal may often be something other than taking a site completely offline.
“Large, headline-making DDoS attacks do still take place, but many cybersecurity professionals believe that smaller attacks are being used simply to degrade site performance or as a smokescreen for other forms of cybercrime, such as data theft or network infiltration, which the perpetrator can execute more easily while the target’s security team is busy fighting a DDoS attack,” said Rodney Joffe, senior vice president, senior technologist and fellow at Neustar.
“Furthermore, with the current move of the bulk of the workforce globally to a work from home model, we expect to see a significant increase in DDoS attacks against VPN infrastructure. This risk makes an ‘always on’ DDoS mitigation service even more critical.”
In addition to conventional DDoS attacks, which seek to exhaust bandwidth, in 2019 there has also been an increase in network protocol or state exhaustion attacks, which target network infrastructure directly.
Volumetric attacks continued to proliferate as well, with attackers using new DDoS vectors such as Apple Remote Management Services, Web Services Dynamic Discovery, Ubiquiti Discovery Protocol and the Constrained Application Protocol.
Said Joffe, “During the shift to teleworking at scale, we would not be surprised to see the VPN protocol ports added to these targeted attacks.”
Two- and three-vector attacks ‘just right’ for attackers
In 2019, approximately 85% of all attacks used two or more threat vectors. That number is comparable to the 2018 figure; however, the number of attacks involving two or three vectors rose from 55% to 70%, with correspondingly fewer simple single-vector attacks and complex four- and five-vector attacks, suggesting that attackers have settled into the Goldilocks zone for attacks.
Security professionals continue to view DDoS attacks as a growing threat. According to the most recent survey, when asked which vectors they perceived to be increasing threats during November and December 2019, senior-level cybersecurity decision-makers cited social engineering via email most frequently (59%), followed by DDoS (58%) and ransomware (56%).
Web attacks increasing
2019 saw web attacks on the rise as well. Most companies recognize the danger that slow-loading websites pose to their business and attempt to protect them with web application firewalls. In the most recent survey, 98% of respondents agreed that a WAF was an essential component of their security infrastructure.
However, as more and more enterprises use multiple cloud providers, often involving a mix of public and private clouds, the need for consistent security across applications and platforms is growing.
“Web attacks can be difficult to track because some variation in the performance of websites is to be expected, but they are increasingly critical for businesses to address. One survey found 45% of consumers are less likely to make a purchase when they experience a slow loading website, and 37% are less likely to return to a retailer if they experience slow loading pages,” added Joffe.
A vendor-neutral cloud WAF, coupled with DDoS protection, can eliminate a large portion of threats, allowing enterprise application experts to focus their attention on the more specialized attacks.
Continuous updates from a reliable threat feed can also deliver information on bad IPs and botnet command and control (C&C) sites before they are able to damage the network.
More than two-fifths (43%) of organizations experience false positive alerts in more than 20% of cases, while 15% reported more than half of their security alerts are false positives. On average, respondents indicated 26% of alerts fielded by their organization are false positives, a Neustar report reveals.
In response to growing cybersecurity threats, enterprises are investing significant resources in network monitoring and threat intelligence technologies that create more alerts – and more false positives – for security teams.
Security tools contributing to data overload and alert fatigue
The survey found two-fifths (39%) of organizations have seven or more tools in place that generate security alerts, and 21% reported using more than ten.
“Security tools that simply produce large quantities of data to be analyzed, without contextualizing potential threats, are contributing to data overload, alert fatigue and burnout,” said Rodney Joffe, chairman of NISC and SVP and Fellow at Neustar.
“Cybersecurity teams are increasingly drowning in data and are overwhelmed by the massive volume of alerts, many of them false positives. To ensure these high-value employees in mission critical roles are well-equipped to separate the signal from the noise, enterprises need a curated approach to security data that provides timely, actionable insights that are hyper relevant to their own organization and industry.”
Threats continuing their upward trajectory
The report indicates that threats are continuing their steady upward trajectory across vectors. The International Cyber Benchmarks Index, which reflects the overall state of the cybersecurity landscape, reached a new high of 29.8 in January 2020.
In November–December 2019, the surveyed security professionals ranked distributed denial of service attacks as their greatest concern (22%), followed by system compromise (20%) and ransomware and intellectual property theft (both 17%).
During the same period, social engineering via email was most likely to be perceived as an increasing threat to organizations (59%), followed by DDoS attacks (58%) and ransomware (56%).
Brno University Hospital, in Brno, Czech Republic, which is one of the country’s Covid-19 testing centers, has recently been hit by a cyberattack. The nature of the attack has yet to be shared, but it looks like it might be ransomware. The result? Some surgeries have been postponed and some patients redirected to nearby hospitals.
On Sunday, the US Health and Human Services Department was hit by a distributed denial of service (DDoS) attack that, luckily, did not impact the agency’s operation in a meaningful way. Its website, which provides information to the US public about how to cope with the Covid-19 situation, was not affected by the attack.
By now, those hoping that cybercriminals would spare healthcare organizations from cyber attacks while the Covid-19 virus spreads across the world must have realized that there are always people who have no qualms about exploiting a bad situation for their own advantage.
Nothing’s changed, really
“We’d like to think that in a world where everyone is effectively in the same boat, a sense of togetherness, an unwritten code of conduct, or even a sense of morality would prevent bad actors from doing bad things – even if just temporarily. This obviously is not the case and if anything should serve as a reminder to organizations that one threat hasn’t been traded for another,” Adam Laub, CMO, Stealthbits, told Help Net Security.
“To the contrary, individuals and groups that prey on the weak will likely look to take advantage of this dire situation, causing more disruption to organizations already reeling from the financial distress, business disruption, and human resource nightmare the coronavirus pandemic has inflicted in just a short period of time,” he added.
“What’s particularly disturbing about this latest incident at the U.S. Health and Human Services Department is that the intent of the attack appears to be driven entirely by malice, seeking only to prevent the men and women trying desperately to protect millions of American citizens from harm from doing their jobs, as well as spread false information in order to generate more panic and uncertainty.”
Patients might end up bearing the brunt of successful cyber attacks but, Covid-19 or no Covid-19, the danger for healthcare organizations has effectively remained the same – only the stakes got higher.
Healthcare organizations must remain vigilant on all fronts
It is crucial for healthcare organizations and agencies not to ignore cybersecurity and data protection at this moment.
Nurses and other healthcare professionals are, according to Proofpoint, one of phishers’ preferred targets as they have access to all the data.
Generally, healthcare organizations share many of the same weak links and attack surfaces as every other industry – phishing attacks on employees, cloud infrastructure and a remote workforce – but there are some challenges only they face, notes Sam Roguine, a director at Arcserve.
These include the security of medical devices, Wi-Fi access for patients (the patient Wi-Fi network should be fully isolated from the primary one) and, at the moment, shifting priorities driven by the Covid-19 outbreak.
“If the scenarios in Italy or China were to repeat in the United States, many hospitals will be in ‘Code Black,’ which is when the influx of patients is bigger than what a hospital can handle. Hospitals will have to prioritize patient care, reducing the focus on everything else, including business continuity and disaster recovery (BCDR) and cybersecurity. This is a gap that hackers are going to leverage,” he noted.
Healthcare organizations must implement best-in-class centralized security with enhanced detection and response, review security practices, and include every aspect of the organization’s operations – not just obvious IT systems like servers, but also medical devices, employees’ wearables, cloud services, patient systems, and more, he says, and recommends that they follow the NIST Cybersecurity Framework for every aspect of their operations.
“CISOs must remain very vigilant. Cyberattacks can and will affect hospital operations, and the ability of healthcare organizations to cope with Covid-19 patients. When CISOs plan for scenarios like this one, cybersecurity, backup, disaster recovery and continuous availability technologies cannot be underestimated or placed on the backburner,” he concluded.
Despite a previous warning by Ben-Gurion University of the Negev (BGU) researchers, who exposed the vulnerability of 911 systems to DDoS attacks, the next generation of 911 systems that now accommodate text, images and video still have the same or more severe issues.
In the study the researchers evaluated the impact of DDoS attacks on the current (E911) and next generation 911 (NG911) infrastructures in North Carolina. The research was conducted by Dr. Mordechai Guri, head of research and development, BGU Cyber Security Research Center (CSRC), and chief scientist at Morphisec Technologies, and Dr. Yisroel Mirsky, senior cyber security researcher and project manager at the BGU CSRC.
Implementation of NG911
In recent years, organizations have experienced countless DDoS attacks, during which internet-connected devices are flooded with traffic – often generated by many computers or phones, called “bots”, that have been infected with malware by a hacker and act in concert with each other. When an attacker ties up all the available connections with malicious traffic, no legitimate information – like calling 911 in a real emergency – can make it through.
“In this study, we found that only 6,000 bots are sufficient to significantly compromise the availability of a state’s 911 services and only 200,000 bots can jeopardize the entire United States,” Dr. Guri explains.
When telephone customers dial 911 on their landlines or mobile phones, the telephone companies’ systems make the connection to the appropriate call center. Due to the limitations of original E911, the U.S. has been slowly transitioning the older circuit-switched 911 infrastructure to a packet-switched VoIP infrastructure, NG911.
It improves reliability by enabling load balancing between emergency call centers or public safety answering points (PSAP). It also expands 911 service capabilities, enabling the public to call over VoIP, transmit text, images, video, and data to PSAPs.
A number of states have implemented this and nearly all other states have begun planning or have some localized implementation of NG911.
Prevention of possible future DDoS attacks targeting 911
Many internet companies have taken significant steps to safeguard against this sort of online attack. For example, Google Shield is a service that protects news sites from attacks by using Google’s massive network of internet servers to filter out attacking traffic, while allowing through only legitimate connections. However, phone companies have not done the same.
To demonstrate how DDoS attacks could affect 911 call systems, the researchers created a detailed simulation of North Carolina’s 911 infrastructure, and a general simulation of the entire U.S. emergency-call system.
Using only 6,000 infected phones, it is possible to effectively block 911 calls from 20% of the state’s landline callers, and half of the mobile customers. “In our simulation, even people who called back four or five times would not be able to reach a 911 operator to get help,” Dr. Guri says.
The countermeasures that exist today are difficult and not without flaws. Many involve blocking certain devices from calling 911, which carries the risk of preventing a legitimate call for help. But they indicate areas where further inquiry – and collaboration between researchers, telecommunications companies, regulators, and emergency personnel – could yield useful breakthroughs.
For example, cellphones might be required to run monitoring software to blacklist or block themselves from making fraudulent 911 calls. Or 911 systems could examine identifying information of incoming calls and prioritize those made from phones that are not trying to mask themselves.
“Many say that the new NG911 solves the DDoS problem because callers can be connected to PSAPs around the country, not just locally,” Dr. Mirsky explains. “Nationally, with complete resource sharing, the rate that callers give up trying — called the ‘despair rate’ — is still significant: 15% with 6,000 bots and 43% with 50,000 bots.
“But the system would still need to communicate locally to dispatch police, medical and fire services. As a result, the despair rate is more likely to be 56% with 6,000 bots – worse than using the original E911 infrastructure.”
According to Dr. Guri, “We believe that this research will assist the respective organizations, lawmakers and security professionals in understanding the scope of this issue and aid in the prevention of possible future attacks on the 911 emergency services. It is critical that 911 services always be available – to respond quickly to emergencies and give the public peace of mind.”
From May 2019 and continuing on until the end of the year, there was a dramatic shift by criminals who started targeting APIs, in an effort to bypass security controls. According to data from Akamai, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.
According to the report’s findings, from December 2017 through November 2019, 85,422,079,109 credential abuse attacks were observed. Nearly 20 percent, or 16,557,875,875, were against hostnames that were clearly identified as API endpoints. Of these, 473,518,955 attacked organizations in the financial services industry.
A mix of API targeting and other methodologies
But not all attacks were exclusively API focused. On August 7, 2019, the single largest credential stuffing attack against a financial services firm was recorded, consisting of 55,141,782 malicious login attempts.
This attack was a mix of API targeting and other methodologies. On August 25, in a separate incident, the criminals targeted APIs directly, in a run that consisted of more than 19 million credential abuse attacks.
“Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” said Steve Ragan, Akamai security researcher and principal author of the State of the Internet / Security report.
“Criminals targeting the financial services industry pay close attention to the defenses used by these organizations, and adjust their attack patterns accordingly.”
Criminals exposing data through different methods
Indicative of this fluid attack dynamic, the report shows that criminals continue to seek to expose data through a number of methods, in order to gain a stronger foothold on the server and ultimately achieve success in their attempts.
SQL Injection (SQLi) accounted for more than 72% of all attacks when looking at all verticals during the 24-month period observed by the report. That rate is halved to 36% when looking at financial services attacks alone. The top attack type against the financial services sector was Local File Inclusion (LFI), with 47% of observed traffic.
XSS was the third-most common type of attack against financial services, with a recorded 50.7 million attacks, or 7.7% of the observed attack traffic.
Criminals still leveraging DDoS attacks
The report also shows that criminals continue to leverage DDoS attacks as a core component of their attack arsenal, particularly as it relates to targeting financial services organizations.
Observations from November 2017 until October 2019 show the financial services industry ranking third in attack volume, with gaming and high tech being the most common targets. However, more than forty percent of the unique DDoS targets were in the financial services industry, which makes this sector the top target when considering unique victims.
“Security teams need to constantly consider policies, procedures, workflows, and business needs – all while fighting off attackers that are often well organized and well-funded,” Ragan concluded. “Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”
Netscout released the findings of its Threat Intelligence Report for the second half of 2019, which also incorporates insights from its 15th Annual Worldwide Infrastructure Security Report (WISR) survey.
The report underscores the proliferation of risks faced by global enterprises and service providers. These organizations must now not only defend IT infrastructures, but also manage risks caused by increased DDoS attacks on customer-facing services and applications, mobile networks, and unsecured IoT devices.
“We’ve uncovered some disturbing statistics,” stated Hardik Modi, AVP, engineering, threat and mitigation products, Netscout. “By weaponizing new attack vectors, leveraging mobile hotspots, and targeting compromised endpoint IoT devices, attackers are increasingly finding ways to infiltrate our internet-connected world. They are getting more sophisticated by using a minuscule portion of the available vulnerable devices to carry out a successful attack. The largest OpenVPN DDoS attack we observed used less than one percent of the available reflectors connected to the internet. Botmasters are waiting in the wings, since the risk will only increase in 2020 when an estimated 20.4 billion more devices are connected to the internet.”
Key findings from the report
- Attackers weaponized seven new UDP reflection/amplification vectors and combined variations of existing well-known attack vectors to launch pinpoint-focused DDoS attacks.
- Carpet-bombing tactics increased vertical sector attack activity; satellite telecommunications witnessed a 295% increase in attacks.
- Adversaries discovered how to use advanced reconnaissance to target client services at well-protected targets like ISPs and financial institutions to amplify attacks against specific enterprises and network operators.
- Wireless communications companies experienced a 64% increase in DDoS attack frequency from 2H 2018 to 2H 2019, mainly due to the increased tendency of gamers to use their phone services as wireless hotspots, as well as the popularity of gaming on mobile devices with 4G or LTE connectivity.
- Mirai-based variants dominated the second half of 2019 with a 57% increase targeting 17 system architectures; ASERT honeypots reflect this growth with an 87% increase in the number of exploit attempts.
- Service provider respondents to the WISR reported a 52% increase in DDoS attacks on publicly exposed service infrastructures compared to 38% the previous year.
A vulnerability (CVE-2020-2100) in 12,000+ internet-facing Jenkins servers can be abused to mount and amplify reflective DDoS attacks against internet hosts, Radware researchers have discovered.
The vulnerability can also be triggered by a single, spoofed UDP packet to launch DoS attacks against those same vulnerable Jenkins servers, by forcing them into an infinite loop of replies that can’t be stopped unless one of the servers is rebooted or has its Jenkins service restarted.
About the vulnerability (CVE-2020-2100)
CVE-2020-2100, discovered and responsibly disclosed by Adam Thorn from the University of Cambridge, is caused by a network discovery service (UDP multicast/broadcast) that is enabled by default and exposed in publicly facing servers.
“The vulnerability allows attackers to abuse Jenkins servers by reflecting UDP requests off port UDP/33848, resulting in an amplified DDoS attack containing Jenkins metadata. This is possible because Jenkins/Hudson servers do not properly monitor network traffic and are left open to discover other Jenkins/Hudson instances,” Radware researchers explained.
“An attacker can either send a UDP broadcast packet locally to 255.255.255.255:33848 or they could send a UDP multicast packet to JENKINS_REFLECTOR:33848. When a packet is received, regardless of the payload, Jenkins/Hudson will send an XML response of Jenkins metadata in a datagram to the requesting client, giving attackers the ability to abuse its UDP multicast/broadcast service to carry out DDoS attacks.”
The vulnerability was fixed in Jenkins 2.219 and LTS 2.204.2 two weeks ago by disabling Jenkins’ two network discovery services (UDP multicast/broadcast and DNS multicast) by default.
“Administrators that need these features can re-enable them again by setting the system property hudson.DNSMultiCast.disabled to false (for DNS multicast) or the system property hudson.udp to 33848, or another port (for UDP broadcast/multicast),” Jenkins developers explained in an advisory.
An alternative to disabling the UDP multicast/broadcast service is to add a firewall policy to block access to port UDP/33848.
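The defaults and overrides described above can be checked per controller from its version and launch command. The following is an added example, not code from Jenkins or Radware; the sample commands are constructed, and treating a non-positive `hudson.udp` value such as `-1` as "service off" is an assumption.

```python
import re
import shlex

FIXED_WEEKLY = (2, 219)      # first fixed weekly release, per the article
FIXED_LTS = (2, 204, 2)      # first fixed LTS release, per the article
DEFAULT_UDP_PORT = 33848     # discovery port named in the article


def jvm_properties(cmdline):
    """Collect -Dname=value system properties from a Jenkins launch command."""
    props = {}
    for token in shlex.split(cmdline):
        match = re.fullmatch(r"-D([^=]+)=(.*)", token)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def is_fixed_release(version):
    """LTS versions have three numeric components, weekly releases two."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    return parts >= (FIXED_LTS if len(parts) == 3 else FIXED_WEEKLY)


def audit_discovery(version, cmdline):
    """Report which discovery services are active and what to do about it."""
    props = jvm_properties(cmdline)
    fixed = is_fixed_release(version)

    # Unset: on by default before the fix, off by default after it.
    # Assumption: a non-positive value (e.g. -1) means the UDP service is off.
    if "hudson.udp" in props:
        port = int(props["hudson.udp"])
        udp_port = port if port > 0 else None
    else:
        udp_port = None if fixed else DEFAULT_UDP_PORT

    if "hudson.DNSMultiCast.disabled" in props:
        dns_multicast = props["hudson.DNSMultiCast.disabled"].lower() != "true"
    else:
        dns_multicast = not fixed

    actions = []
    if not fixed:
        actions.append("upgrade to Jenkins 2.219 / LTS 2.204.2 or later")
    if udp_port is not None:
        actions.append(f"block inbound UDP/{udp_port} at the firewall")
    if dns_multicast:
        actions.append("confirm DNS multicast is needed or leave it disabled")
    return {"fixed": fixed, "udp_port": udp_port,
            "dns_multicast": dns_multicast, "actions": actions}


# Constructed launch commands for three hypothetical controllers.
SAMPLES = {
    "old-lts": ("2.204.1", "java -Xmx2g -jar jenkins.war --httpPort=8080"),
    "patched": ("2.219", "java -jar jenkins.war"),
    "re-enabled": ("2.222.1", "java -Dhudson.udp=33848 -jar jenkins.war"),
}

if __name__ == "__main__":
    for name, (version, cmdline) in SAMPLES.items():
        print(name, audit_discovery(version, cmdline))
```

The third sample shows why the version alone is not enough: a fixed release with `hudson.udp` set back to a port answers discovery requests again.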
“Much like was the case with memcached, people that design and develop on the open source Jenkins project assume that these servers will be internally facing,” Pascal Geenens, Cyber Security Evangelist for Radware, told Help Net Security.
Unfortunately, the reality is that many Jenkins servers end up being publicly exposed.
Radware scanned the internet for Jenkins servers vulnerable to CVE-2020-2100, and discovered nearly 13,000 of them distributed across the globe, but mostly in Asia, Europe and North America. Also, most of the exposed servers are located within the top service providers.
“Many DevOps teams depend upon Jenkins to build, test and continuously deploy their applications running in cloud and shared hosting environments such as Amazon, OVH, Hetzner, Host Europe, DigitalOcean, Linode, and many more,” Geenens noted.
Radware’s researchers determined the average bandwidth amplification factor for the Jenkins reflective amplification attack across all currently exposed servers: 3.00.
“Combined with over 12,000 exposed Jenkins servers globally, it creates a viable DDoS threat,” the researchers concluded.
Multivector and cloud computing attacks have been rising over the last twelve months, according to Link11. The share of multivector attacks – which target and misuse several protocols – grew significantly from 46% in the first quarter to 65% in the fourth quarter.
DNS amplification most popular for DDoS attackers
DNS amplification was the most used technique for DDoS attackers in 2019 having been found in one-third of all attacks. The attackers exploited insecure DNS servers, of which there were over 2.7m worldwide by the end of 2019, according to the Open Resolver Project.
Average attack bandwidth increases
The average attack bandwidth has increased by more than 150% within four years, reaching 5 Gbps in 2019, up from 2 Gbps in 2016. The maximum attack volume has also nearly doubled compared to 2018, from 371 Gbps to 724 Gbps.
Attacks on corrupted cloud servers rising
The proportion of DDoS attacks that involved corrupted cloud servers was 45% between January and December; this is a 16% increase over the same time period the previous year. The proportion rose to 51% over the last six months of 2019.
The number of attacks traced to cloud providers was roughly proportionate to their relative market share, with more cases of corrupt clouds registered for AWS, Microsoft Azure and Google Cloud.
The longest DDoS attack lasted 6,459 minutes, more than 100 hours.
DDoS attacks concentrated around weekends and evenings
The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and between 4pm and midnight on weekdays.
There were also a number of new amplification vectors registered by the LSOC last year, including WS-Discovery, Apple Remote Management Service and TCP amplification, with registered attacks for the latter doubling compared to the first six months of the year.
The LSOC also saw an increase in ‘carpet bombing’ attacks in the latter part of 2019, which involve a flood of individual attacks that simultaneously target an entire subnet or CIDR block with thousands of hosts.
This popular method spreads manipulated data traffic across multiple attacks and IPs. The data volume of each is so small that it stays under the radar and yet the combined bandwidth has the capacity of a large DDoS attack.
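Because each per-host volume stays small, detection has to aggregate by prefix as well as by destination. The sketch below is an added example, not Link11's method; the flow records are constructed from documentation address ranges, and the thresholds, the /24 grouping and the function names are assumptions (IPv4 only).

```python
import ipaddress
from collections import defaultdict


def per_host_rates(flows):
    """Sum inbound Mbps per destination address over one sampling window."""
    rates = defaultdict(float)
    for dst, mbps in flows:
        rates[ipaddress.ip_address(dst)] += mbps
    return rates


def noisy_hosts(flows, host_mbps=100.0):
    """Classic per-destination alerting: hosts at or above the threshold."""
    rates = per_host_rates(flows)
    return sorted(str(h) for h, r in rates.items() if r >= host_mbps)


def carpet_bombed_prefixes(flows, prefix_len=24, host_mbps=100.0,
                           prefix_mbps=1000.0, min_hosts=64):
    """Prefixes whose aggregate is large although every host stays quiet."""
    by_prefix = defaultdict(list)
    for host, rate in per_host_rates(flows).items():
        net = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
        by_prefix[net].append(rate)

    alerts = []
    for net, rates in by_prefix.items():
        total = sum(rates)
        if (total >= prefix_mbps and len(rates) >= min_hosts
                and max(rates) < host_mbps):
            alerts.append({"prefix": str(net), "hosts": len(rates),
                           "total_mbps": total, "peak_host_mbps": max(rates)})
    return sorted(alerts, key=lambda a: a["total_mbps"], reverse=True)


def constructed_flows():
    """Constructed sample of (destination, Mbps) records for one window."""
    flows = []
    # 200 hosts in one /24, each hit by two 4 Mbps flows: 8 Mbps per host.
    for i in range(1, 201):
        flows += [(f"203.0.113.{i}", 4.0), (f"203.0.113.{i}", 4.0)]
    # One conventional single-target flood, caught by per-host alerting.
    flows.append(("198.51.100.7", 900.0))
    # Ordinary background traffic to a handful of hosts.
    flows += [(f"192.0.2.{i}", 12.5) for i in range(1, 11)]
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    print("per-host alerts:", noisy_hosts(sample))
    print("prefix alerts:", carpet_bombed_prefixes(sample))
```

On the constructed data, per-host alerting sees only the single flooded address, while the prefix view reports 1,600 Mbps spread across 200 hosts that each receive 8 Mbps.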
Marc Wilczek, COO of Link11 said: “There was a noticeable surge in attack bandwidths and volumes, and in multivector attacks in 2019, due in part to the increased malicious use of cloud resources and the popularity of IoT devices.
DNS amplification attacks continue to increase in number, growing 4,788% over Q3 2018, according to Nexusguard.
DNSSEC (Domain Name System Security Extensions) remains the main driver of growth of DNS amplification attacks in the quarter, yet analysts have detected a sharp and concerning rise in TCP SYN flood attacks.
TCP SYN flood is not a new method, but findings indicate that techniques have grown in sophistication and have emerged as the third most used attack vector, behind DNS amplification and HTTP flood attacks.
SYN flood attacks can impact innocent users
Cyberattackers have long favored DDoS attacks that amplify damage beyond the resources required, but suitable reflectors or amplifiers are not as widely available for DNS amplification and memcached reflection attacks. In contrast, any server with an open TCP port is an ideal attack vector, and such reflectors are widely available and easy to access for SYN flood reflection attacks.
Consequently, SYN flood reflection not only hits targeted victims, but also can impact innocent users, including individuals, businesses, and other organizations. These innocent victims end up having to process large volumes of spoofed requests and what appear to be legitimate replies from the attack target. As a result, bystanders can incur hefty fees for bandwidth consumed by junk traffic, or even suffer from secondary outages.
“Our research findings revealed that even plain-vanilla network attacks could be turned into complex, stealthy attacks leveraging advanced techniques, from the bit-and-piece attacks, also known as carpet bombing, we identified last year, to the emergence of Distributed Reflective DoS (DRDoS) attacks in the third quarter.
“Telcos and enterprises must take note that, while these tactics don’t cause notable strain on network bandwidth, which may go undetected, they are powerful enough to impact their service. Advanced mitigation techniques are required to address these threats,” said Juniman Kasman, CTO at Nexusguard.
Largest sources of traffic
Report findings also showed that 44% of Q3 attack traffic came from botnet-hijacked Windows OS computers and servers. The second largest source of traffic came from iOS-equipped mobile devices. The total number of attacks has mirrored patterns observed in 2019, with Q1 seeing the highest number of attacks and numbers dropping over Q2 and Q3.
While attack volume has decreased since Q2 2019, levels grew more than 85% compared to the same quarter last year. More than half of all global attacks originated in China, Turkey or the United States.
The growth in both large- and small-scale DDoS attacks continues its upward trajectory, according to a report released by Neustar. The report reveals that the total number of DDoS attacks was up 241% in the third quarter of 2019, compared to the same period last year. The report also confirmed the continued increase in small-scale attacks and the use of multiple threat vectors, as new vectors continue to expand the attack surface that organizations must …
The post Attackers increasingly embrace small-scale DDoS attacks to evade detection appeared first on Help Net Security.
Organizations reported an average 32% reduction in threat responder workload when they deployed a managed SIEM solution, according to CenturyLink and IDG.
Improve incident response
The research shows security leaders are turning to managed security services to help augment limited internal resources and bridge the security technology gap. “Security is an inherent ingredient in networking today; however, limited resources and budget constraints make it difficult for companies to develop with their own staff,” says Chris …
The post To improve incident response, you need to consider 3rd party solutions appeared first on Help Net Security.
German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.
The latest busted cybercrime bunker is in Traben-Trarbach, a town on the Mosel River in western Germany. The Associated Press says investigators believe the 13-acre former military facility — dubbed the “CyberBunker” by its owners and occupants — served a number of dark web sites, including: the “Wall Street Market,” a sprawling, online bazaar for drugs, hacking tools and financial-theft wares before it was taken down earlier this year; the drug portal “Cannabis Road;” and the synthetic drug market “Orange Chemicals.”
German police reportedly seized $41 million worth of funds allegedly tied to these markets, and more than 200 servers that were operating throughout the underground temperature-controlled, ventilated and closely guarded facility.
The authorities in Germany haven’t named any of the people arrested or under investigation in connection with CyberBunker’s alleged activities, but said those arrested were apprehended outside of the bunker. Still, there are clues in the details released so far, and those clues have been corroborated by sources who know two of the key men allegedly involved.
We know the owner of the bunker hosting business has been described in media reports as a 59-year-old Dutchman who allegedly set it up as a “bulletproof” hosting provider that would provide Web site hosting to any business, no matter how illegal or unsavory.
According to historic whois records maintained by Domaintools.com, Zyztm[.]com was originally registered to a Herman Johan Xennt in the Netherlands. Cb3rob[.]org was an organization hosted at CyberBunker registered to Sven Kamphuis, a self-described anarchist who was convicted several years ago for participating in a large-scale attack that briefly impaired the global Internet in some places.
Both 59-year-old Xennt and Mr. Kamphuis worked together on a previous bunker-based project — a bulletproof hosting business they sold as CyberBunker and ran out of a five-story military bunker in The Netherlands.
That’s according to Guido Blaauw, director of Disaster-Proof Solutions, a company that renovates and resells old military bunkers and underground shelters. Blaauw’s company bought the 1,800 square-meter Netherlands bunker from Mr. Xennt in 2011 for $700,000.
Media reports indicate that in 2002 a fire inside the CyberBunker 1.0 facility in The Netherlands summoned emergency responders, who discovered a lab hidden inside the bunker that was being used to produce the drug ecstasy/XTC.
Blaauw said nobody was ever charged for the drug lab, which was blamed on another tenant in the building. Blaauw said Xennt and others in 2003 were then denied a business license to continue operating in the bunker, and they were forced to resell servers from a different location — even though they bragged to clients for years to come about hosting their operations from an ultra-secure underground bunker.
“After the fire in 2002, there was never any data or servers stored in the bunker,” in The Netherlands, Blaauw recalled. “For 11 years they told everyone [the hosting servers were] in this ultra-secure bunker, but it was all in Amsterdam, and for 11 years they scammed all their clients.”
Blaauw said sometime between 2012 and 2013, Xennt purchased the bunker in Traben-Trarbach, Germany — a much more modern structure that was built in 1997. CyberBunker was reborn, and it began offering many of the same amenities and courted the same customers as CyberBunker 1.0 in The Netherlands.
“They’re known for hosting scammers, fraudsters, pedophiles, phishers, everyone,” Blaauw said. “That’s something they’ve done for ages and they’re known for it.”
About the time Xennt and company were settling into their new bunker in Germany, he and Kamphuis were engaged in a fairly lengthy and large series of distributed denial-of-service (DDoS) attacks aimed at sidelining a number of Web sites — particularly anti-spam organization Spamhaus. A chat record of that assault, detailed in my 2016 piece, Inside the Attack that Almost Broke the Internet, includes references to and quotes from both Xennt and Kamphuis.
Kamphuis was later arrested in Spain on the DDoS attack charges. He was convicted in The Netherlands and sentenced to time served, which was approximately 55 days of detention prior to his extradition to the United States.
The AP story mentioned above quoted German prosecutor Juergen Bauer saying the 59-year-old main suspect in the case was believed to have links to organized crime.
A 2015 exposé (PDF) by the Irish newspaper The Sunday World compared Mr. Xennt (pictured below) to a villain from a James Bond movie, and said he has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe and thought to be involved in smuggling heroin, cocaine and ecstasy.
Blaauw said he doesn’t know whether Kamphuis was arrested or named in the investigation, but added that people who know him and can usually reach him have not heard from Kamphuis over several days.
Here’s what the CyberBunker in The Netherlands looked like back in the early aughts when Xennt still ran it:
Here’s what it looks like now after being renovated by Blaauw’s company and designed as a security operations center (SOC):
I’m glad when truly bad guys doing bad stuff like facilitating child porn are taken down. The truth is, almost anyone trafficking in the kinds of commerce these guys courted also is building networks of money laundering business that become very tempting to use or lease out for other nefarious purposes, including human trafficking, and drug trafficking.