Tag Archives: ddos-attacks

Link11 Discovers Record Number of DDoS Attacks in First Half of 2021

In H1 2021, cyber criminals targeted businesses in record numbers as they continued to exploit vulnerabilities caused by the pandemic A report published by Link11, Europe’s leading IT security provider in cyber resilience, suggests there has been a 33% increase in the number of DDoS attacks in H1 2021. Between January and June, the Link11 Security Operations Centre (LSOC) recorded record numbers of attacks compared to the same period last year. The report also found that between Q1 2021 and Q2 2021 there was a 19% increase in DDoS campaigns, some of which were over 100 Gbps in attack volume; further evidence that cyber criminals are continuing to exploit the vulnerabilities of businesses during the pandemic. The key findings from the report are: The number of attacks continued to rise: + 33% increase year-on-year compared to H1/2020. DDoS attacks are increasing: +19% in Q2 2021 compared to Q1 2021. Overall attack bandwidth remained high: 555 Gbps in maximum attack volume. Sharp increase in attack bandwidth: +37% increase in H1/2021 compared to H1/2020. Number of high-volume attacks > 100 Gbps in H1/2021: 28 Criminals targeted those organisations and institutions that were in high demand during the global pandemic, such as va ccination websites, e-learning platforms or portals and businesses IT infrastructure as well as hosting providers and internet service providers . LSOC also suggests that the use of extortion emails has reached critical levels . Employees have received malicious emails from a multitude of different senders including Fancy Bear, Lazarus Group and most recently Fancy Lazarus. Instead of being indiscriminate, ransom demands now vary depending on the size of the company and the industry of the victims. In fact, companies from a wide range of industries (including finance, e-commerce, media and logistics) are currently being affected. The frequency of these campaigns has increased, ransom demands have skyrocketed and LSOC is warning that they could continue well into Q3 2021. According to Link11’s security experts, the intensity and regularity of extortion emails has noticeably increased . The scale of DDoS activity far exceeds any from previous years and the number of businesses experiencing serious security breaches has risen sharply. The consequences of such an attack can be severe, from loss of revenue, costly business interruptions, long recovery times to sensitive data being compromised. Marc Wilczek, Managing Director of Link11, said: “In an increasingly connected world, the availability and integrity of IT systems are critical to any business. Our research for the first half of 2021 shows that companies are continuously exposed to DDoS attacks and that they are far more frequent and complex. Due to the increasingly sophisticated attack techniques being used by cyber criminals, many security tools are reaching their limits. This means that solutions which provide maximum precision and speed in detecting and mitigating the attacks are more in demand than ever before.” Although the threat level of DDoS attacks has remained high and security providers have provided persistent warnings, LSOC believes some companies are still lack the relevant security solutions to prevent an attack . In a number of cases, organisations have been found to be completely unprotected and operations have been brought to a standstill. The only way to limit the damage is to implement specialised protection solutions on an ad-hoc basis. From an economic and legal point of view, however, it makes more sense to focus on sustainable prevention rather than reaction. As threat levels continue to rise LSOC recommends businesses take this opportunity to conduct a thorough review of their cyber security posture. They are also warning if you fall victim to a DDoS attack do not respond to extortion attempts and call in a specialist for DDoS protection as soon as an attack has been detected. Source: https://www.link11.com/en/blog/threat-landscape/link11-report-discovers-record-number-of-ddos-attacks-in-first-half-of-2021/

Originally posted here:
Link11 Discovers Record Number of DDoS Attacks in First Half of 2021

‘Fancy Lazarus’ Cyberattackers Ramp up Ransom DDoS Efforts

The group, known for masquerading as various APT groups, is back with a spate of attacks on U.S. companies. A distributed denial-of-service (DDoS) extortion group has blazed back on the cybercrime scene, this time under the name of “Fancy Lazarus.” It’s been launching a series of new attacks that may or may not have any teeth, researchers said. The new name is a tongue-in-cheek combination of the Russia-linked Fancy Bear advanced persistent threat (APT) and North Korea’s Lazarus Group. The choice seems natural, given that the gang was last seen – including in a major campaign in October – purporting to be various APTs, including Armada Collective, Fancy Bear and Lazarus Group. According to Proofpoint, this time around the gang has been sending threatening, targeted emails to various organizations, including those operating in the energy, financial, insurance, manufacturing, public utilities and retail sectors – asking for a two-Bitcoin (BTC) starting ransom (around $75,000) if companies want to avoid a crippling DDoS attack. The price doubles to four BTC after the deadline, and increases by one BTC each day after that. The targets are mostly located in the U.S. While it’s hard to make a definitive correlation, the timing of some of the Fancy Lazarus campaigns correspond with high-profile ransomware attacks over the past six months, in terms of targeting the same vertical industries, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “These include utility, natural gas and manufacturing,” she told Threatpost. “This could be an attempt to ride the coattails of high-profile news stories and result in a higher likelihood of payment. Another trend we have seen over the past four months are a focus on sending these threats to financial institutions and large insurance providers.” Email Campaign Details The emails announce that the organization is being targeted by Fancy Lazarus, and they threaten a DDoS attack in seven days if the target doesn’t pay up, according to an analysis on Thursday from Proofpoint. The messages also warn of potential damage to reputation and loss of internet access at offices, and then promise that a “small attack” will be launched on a specific IP, subnet or Autonomous System with an attack of 2Tbps, as a preview of things to come. The emails are either in plain text, HTML-based or present the letter in an embedded .JPG image – likely a detection-evasion technique, Proofpoint noted. “The emails are typically sent to well researched recipients, such as individuals listed as contacts in Border Gateway Protocol (BGP) or Whois information for company networks,” according to Proofpoint’s analysis. “The emailed individuals also work in areas such as communications, external relations, investor relations. Additionally, extortion emails are often sent to email aliases such as help desk, abuse, administrative contacts or customer service.” Meanwhile, the sender email is unique to each target. They use a random “first name, last name” convention for the ender, using fake names. The ransom note. Source: Proofpoint. Some of this is a change in tactics from previous campaigns by the group. For instance, Proofpoint noted that the starting ransom was 10 or 20 BTC in 2020 campaigns – a change that was made likely to account for exchange-rate fluctuations. In October for instance, a 20-BTC demand translated to $230,000. Also, previously the sender names on the emails often contained the name of an APT that was in the headlines, such as Fancy Bear; or, they included the targeted company’s CEO name. Sometimes a Hoax? It’s unknown whether the group always follows through on its threat to launch massive DDoS attacks. An FBI alert on the group from last August said that while the group had taken aim at thousands of organizations from multiple global industry verticals by that point, many of them saw no further activity after the deadline expired – or, they were able to easily mitigate it. In some cases though, such as was the case with Travelex, “the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains, according to Intel471 researchers writing last year. Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers, the firm reported. “While FBI reporting indicates they do not always follow through on their threat of a DDoS, there have been several prominent institutions that have reported an impact to their operations and other impacted companies have just been successful at mitigating the attacks,” DeGrippo said. “This type of behavior keeps them more closely aligned with that of a cybercriminal versus a scam artist.” In any case, it’s important for companies and organizations to be prepared by having appropriate mitigations in place such as using a DDoS protection service and having disaster recovery plans at the ready, she added. Ransom DDoS: A Growing Tactic Ransom DDoS is not a recent development, but it has become more popular of late, according to DeGrippo, thanks to the mainstreaming of Bitcoin and Ethereum. “While RDDoS existed earlier this type of extortion likely did not catch on until, in part, the adoption of cryptocurrency, which allowed the threat actors a safer means to receive payment,” she told Threatpost. “These kinds of campaigns have been done in an organized fashion for the past year.” She added that Fancy Lazarus’ choice to align its ransom demand with the fluctuating price of cryptocurrency is notable. “As Bitcoin prices fluctuate, we see some change in their demand amounts, proving that cryptocurrency markets and malicious actor activity are absolutely correlated,” she said. “This has been the case since at least 2016 in the early days of large-scale ransomware. Threat actors send their campaigns when the prices are most advantageous, attempting to make more money when the various currencies are at a high valuation. Other actors use other cryptocurrencies like Ethereum, but Bitcoin continues to be the massively popular coin of choice for malicious threat actors.” While it’s impossible to know the success rate of the Fancy Lazarus campaigns, “given the potentially substantial financial payoff for relatively little work on the threat actor’s part, a low success rate would still make this a worthwhile tactic,” DeGrippo noted. One trend to watch is the addition of ransomware to the mix going forward. In February, the REvil ransomware gang started adding DDoS attacks to its efforts, in an effort to ratchet up the pressure to pay. Source: https://threatpost.com/fancy-lazarus-cyberattackers-ransom-ddos/166811/

Read this article:
‘Fancy Lazarus’ Cyberattackers Ramp up Ransom DDoS Efforts

Critical Infrastructure Under Attack

Several recent cyber incidents targeting critical infrastructure prove that no open society is immune to attacks by cybercriminals. The recent shutdown of key US energy pipeline marks just the tip of the iceberg. Critical infrastructure is becoming more dependent on networks of interconnected devices. For example, only a few decades ago, power grids were essentially operational silos. Today, most grids are closely interlinked — regionally, nationally, and internationally as well as with other industrial sectors. And in contrast to discrete cyberattacks on individual companies, a targeted disruption of critical infrastructure can result in extended supply shortages, power blackouts, public disorder, and other serious consequences. According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks “the new normal across sectors such as energy, healthcare, and transportation.” Another report noted that such attacks can have major spillover effects. Lloyd’s and the University of Cambridge’s Centre for Risk Studies calculated the prospective economic and insurance costs of a severe cyberattack against America’s electricity system could amount to more than $240 billion and possibly more than $1 trillion. Given these potential far-reaching consequences, cyberattacks on critical infrastructure have become a big concern for industry and governments everywhere — and recent events haven’t done much to allay these fears. A Worldwide Phenomenon In May 2021, a huge distributed denial-of-service (DDoS) attack crippled large sections of Belgium’s Internet services, affecting more than 200 organizations, including government, universities, and research institutes. Even parliamentary debates and committee meetings were stalled since no one could access the online services they needed to participate. A few days later, a ransomware attack shut down the main pipeline carrying gasoline and diesel fuel to the US East Coast. The Colonial Pipeline is America’s largest refined-products pipeline. The company says it transports more than 100 million gallons a day of fossil fuels, including gasoline, diesel, jet fuel, and heating oil — or almost half the supply on the East Coast, including supplies for US military facilities. In August 2020, the New Zealand Stock Exchange (NZX) was taken offline for four trading days after an unprecedented volumetric DDoS attack launched through its network service provider. New Zealand’s government summoned its national cybersecurity services to investigate, and cyber experts suggested the attacks might have been a dry run of a major attack on other global stock exchanges. In October 2020, Australia’s Minister for Home Affairs, Peter Dutton, said his country must be ready to fight back against disastrous and extended cyberattacks on critical infrastructure that could upend whole industries. Obvious Uptick in DDoS Attacks During the pandemic, there’s been a huge increase in DDoS attacks, brute-forcing of access credentials, and malware targeting Internet-connected devices. The average cost of DDoS bots has dropped and will probably continue to fall. According to Link11’s Q1/2021 DDoS report, the number of attacks witnessed more than doubled, growing 2.3-fold year-over-year. (Disclosure: I’m the COO of Link11.) Unlike ransomware, which must penetrate IT systems before it can wreak havoc, DDoS attacks appeal to cybercriminals because they’re a more convenient IT weapon since they don’t have to get around multiple security layers to produce the desired ill effects. The FBI has warned that more DDoS attacks are employing amplification techniques to target US organizations after noting a surge in attack attempts after February 2020. The warnings came after other reports of high-profile DDoS attacks. In February, for example, the largest known DDoS attack was aimed at Amazon Web Services. The company’s infrastructure was slammed with a jaw-dropping 2.3 Tb/s — or 20.6 million requests per second — assault, Amazon reported. The US Cybersecurity and Infrastructure Security Agency (CISA) also acknowledged the global threat of DDoS attacks. Similarly, in November, New Zealand cybersecurity organization CertNZ issued an alert about emails sent to financial firms that threatened a DDoS attack unless a ransom was paid. Predominantly, cybercriminals are just after money. The threat actors behind the most recent and ongoing ransom DDoS (RDDoS or RDoS) campaign identify themselves as state-backed groups Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective — although it remains unclear whether that’s just been a masquerade to reinforce the hacker’s demands. The demanded ransoms ranged between 10 and 20 Bitcoin (roughly worth $100,000 to $225,000 at the time of the attacks), to be paid to different Bitcoin addresses. Mitigating the Risk Critical infrastructure is often more vulnerable to cyberattacks than other sectors. Paying a ransom has ethical implications, will directly aid the hackers’ future operations (as noted by the FBI), and will encourage them to hunt other potential victims. Targeted companies are also urged to report any RDoS attacks affecting them to law enforcement. Organizations can’t avoid being targeted by denial-of-service attacks, but it’s possible to prepare for and potentially reduce the impact should an attack occur. The Australian Cyber Security Centre notes that “preparing for denial-of-service attacks before they occur is by far the best strategy; it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.” However, as the architecture of IT infrastructure evolves, it’s getting harder to implement effective local mitigation strategies. Case in point: Network perimeters continue to be weak points because of the increasing use of cloud computing services and devices used for remote work. Also, it is increasingly infeasible to backhaul network traffic, as legitimate users will be banned, too — potentially for hours or days. To minimize the risk of disruption and aim for faster recovery time objectives (RTOs) after an attack, organizations should become more resilient by eliminating human error through stringent automation. These days, solutions based on artificial intelligence and machine learning offer the only viable means of protection against cyberattacks. Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across … View Full Bio Source: https://www.darkreading.com/attacks-breaches/critical-infrastructure-under-attack-/a/d-id/1340960

Original post:
Critical Infrastructure Under Attack

Bad actors launched an unprecedented wave of DDoS attacks in 2020

For many enterprises, 2020 was a tough year for cyberattacks, with dozens suffering from devastating DDoS attacks due to the newfound reliance on digital tools, according to a new report from cybersecurity firm Akamai. In its report, “Retrospective 2020: DDoS was Back — Bigger and Badder than Ever Before,” the company found that it had more customers attacked in November 2020 than any prior month going back to 2016. The company had more customers attacked over 50Gbps in August 2020 than any month before, another record that dates back to 2016. “In fact, across all attacks, 7 of the 11 industries we track saw more attacks in 2020 than any year to date. Think about that. This was led by huge jumps in Business Services (960%), Education (180%), Financial Services (190%), Retail & Consumer Goods (445%), and Software & Tech (196%),” the report said. “During Cyberweek 2020 alone we saw: 65% more attacks launched against our customers vs Cyberweek 2019, the number of customers targeted was up 57% YoY, and threat actors launching attacks across an expanded industry base.” Tom Emmons, Akamai’s principal product architect, said in an interview that he and other researchers observed a “significant evolution in DDoS attacks throughout 2020, maybe the most DDoS disruption of any year on record.” For Emmons, the rise in the number of customers seeing attacks, the steady growth in large attacks, and the shift in industries targeted were startling and disturbing for him to see. “As more and more activity moved online (work, shopping, learning, etc) due to COVID-19-related restrictions and behavioral adjustments, it made internet-facing infrastructure more important. Not long after COVID-19 hit, attacks started trending up and really just continued to accelerate as the year progressed. The basic idea here is the more important something is, the more likely to be attacked,” Emmons said. “We saw attackers who clearly did their homework on scouting out targets in a well-coordinated manner. The most interesting thing the DDoS extortionists are doing is choosing good targets, and managing to get their emails and chats through to the right folks, navigating spam filters, and unread boxes.” The report cites a number of record-breaking attacks, including a 1.44 Tbps attack against a major bank in Europe as well as an 809 Mpps attack on an internet hosting provider. According to the study’s findings, some of the largest DDoS extortion campaigns took place in 2020 and the numbers only continued to grow throughout the year. Akamai reported that more of its customers were attacked than any other year on record since 2003, with one industry seeing a 960% increase in the number of attacks. The steep increase in attacks was attributed to COVID-19, which forced almost every enterprise into using some form of digital tools in order to survive. Emmons also noted that there have been improvements in the tools used for DDoS attacks, allowing less experienced attackers to go after big targets. When researchers mapped it out, the timing of the increases in attacks coincides perfectly with the start of the COVID-19 pandemic, particularly in Europe and the US. “Customers and prospects shifted to focus on protecting VPNs and communications endpoints more than ‘generic’ data centers, as their risk profile and postures rapidly evolved,” the report said. “Looking back, as businesses across all industries had to adapt to remote work and the increasing reliance on internet connectivity, it’s clear that more and more types of organizations would be attractive and lucrative targets for DDoS threat vectors.” The report adds that the complexity of the attacks was also concerning considering the number of attack vectors and botnet tools used. In 2020, Akamai reported that 65% of the DDoS attacks they dealt with involved “multi-vector assaults” and “as many as 14 different DDoS vectors were noted in a single attack.” There was a significant increase in extortion-related DDoS attacks that began in August but the unnerving aspect for Akamai researchers was the specificity of the surveillance done before the attacks. “A notable characteristic of this campaign was the level of reconnaissance conducted by the attackers prior to sending the extortion letters. The bad actors were highly targeted in their threats and wanted victims to know that they had uncovered specific weaknesses across internet-facing infrastructure or had identified revenue-impacting IPs that would be taken offline unless their Bitcoin extortion demands were met,” the report said. “The 2020 campaign also signaled a significant shift in the types of industries typically targeted — a foreshadowing of future DDoS activity — with the threat actors pivoting from one vertical to the next depending on the week, in some cases circling back to organizations who had been previously victimized. As is the case with extortion, criminal rings won’t stop until arrests are made, and the fact that the extortion campaigns are ongoing indicates businesses are caving to their demands, which further incentivizes the activity.” When asked about the motivations behind this increase in attacks, Emmons said most were generally launched for money, either through extortion or by attempting to damage an organization financially through disruption. Society’s overwhelming reliance on digital tools made it easy for attackers to go after “low hanging fruit.” The study notes that Akamai continues to see extortion-related attacks that led to a “record emergency onboarding of new customers,” with the report adding that this was a signal that the problem seems likely to persist well into 2021. All signs point to continued DDoS attack growth. Not one of the indicators we track is flat or trending down,” Emmons said. “We’ve got more new customers doing emergency integrations than ever, and the percentage of customers running always on vs. on-demand defenses is at an all-time high. When in doubt follow the customers.” Source: https://www.techrepublic.com/article/bad-actors-launched-an-unprecedented-wave-of-ddos-attacks-in-2020/

View post:
Bad actors launched an unprecedented wave of DDoS attacks in 2020

As coronavirus cases surge, so do cyberattacks against the healthcare sector

The healthcare sector should brace itself against an increase in cyberattack rates and a variety of attack vectors over the coming months, researchers have warned. On Tuesday, cybersecurity firm Check Point released new statisticsthat show a 45% increase in cyberattacks since November against the global healthcare sector, over double an increase of 22% against all worldwide industries in the same time period. According to the researchers, attack vectors employed by threat actors are wide-ranging; including distributed denial-of-service (DDoS) attacks, social engineering, botnets, phishing, and ransomware. However, ransomware, in particular, is of serious concern. We’ve already seen just how debilitating a ransomware attack wave can be. The WannaCry outbreak of 2017 locked up and disrupted operations for countless businesses worldwide, and in the past four years, ransomware has continued to grow in popularity due to how lucrative a criminal business it has become. When it comes to hospitals, some providers will pay blackmail fees demanded by ransomware operators rather than risk patient care. The death of a patient due to a ransomware attack on a hospital has already occurred. Check Point says that ransomware attack rates are surging against the healthcare sector. The Ryuk ransomware strain is now the most popular malware to deploy in these attacks, followed by Sodinokibi. Overall, an average of 626 attacks was recorded on a weekly basis against healthcare organizations in November, in comparison to 430 in October. Central Europe has been hardest hit in the past two months, with a 145% increase in healthcare-related attacks, followed by East Asia, Latin America, and then the rest of Europe and North America. Healthcare organizations in Canada and Germany experienced the largest surge in cyberattack rates at 250% and 220%, respectively. Check Point says that the reason for the increase is financial, with threat actors seeking to cash in on the worldwide disruption caused by COVID-19. While bog-standard fraudsters are targeting the general public through phishing, emails, texts, and phone calls in coronavirus-related campaigns, other groups are hoping to profit through more debilitating attacks on core services. “As the world’s attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes — so it’s essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against covid-related online crime,” the team says. Source: https://www.zdnet.com/article/as-coronavirus-cases-surge-so-do-cyberattacks-against-the-healthcare-sector/

Read the original post:
As coronavirus cases surge, so do cyberattacks against the healthcare sector

DDoS Attacks Remain a Serious Threat to Businesses Worldwide

So, what exactly is a DDoS attack? DDoS attack stands for Distributed Denial of Service attack. This is when multiple systems flood a targeted system, rendering it unavailable. One analogy is to think of a DDoS attack as several people on a conference call continually yelling over the one person who is actually speaking to the group, making it impossible for anyone to hear the speaker. Those who are yelling would be a DDoS attack on the speaker. Why are businesses targeted? There are many reasons. It could be to damage the reputation of the business. If a popular social media site like Twitter were repeatedly unavailable over a period of time, end users would eventually grow tired of the inconsistent experience and move away from the platform. Those same users might also comment negatively about the platform on other social media platforms, damaging the company’s reputation. It could also be to harm the business financially, by making it impossible for customers to complete transactions via the company website. Imagine how much money an e-commerce site like Amazon would lose every minute of downtime that their site is not available or able to process transactions. Think about the last time you clicked Submit on a website and you watched the spinning wheel for some amount of time before you received a timeout or error message. Did you go back and set up your order or fill out that form a second time and try again, or were you sufficiently frustrated that you went to another site or simply didn’t complete what you were doing? Our online attention span is typically not very long. One of the most infamous DDoS attacks was the 2016 attack on Dyn, a provider of Domain Name System (DNS) services. DNS is the system that translates names to IP addresses. It’s a near real-time conversion service that acts as the internet’s map. This is how, when you type in www.google.com, you wind up at Google’s web search engine, which has a numeric address, or IP address, on the internet. When Google publishes its services, it does so at this numeric IP address. It’s DNS that tells your web browser what IP address to go to when you type in www.google.com. The attack method used on Dyn was a sophisticated botnet that took advantage of numerous Internet of Things (IoT)devices like printers, cameras, thermostats, baby monitors and other “smart” devices connected to the internet, many in people’s homes. This attack was one of the first to highlight the weak cybersecurity that many manufacturers had built into these devices. These were designed to easily install in your home and get connected to the internet, most often via Wi-Fi, to make your home smarter. Unfortunately, this also let the bad guys have a massive attack surface to work with. A botnet is a term used to define a number of connected devices that are infected by malware and used together as one collective weapon system. In this case, that weapon is designed to generate a massive flood of traffic that will render its target inaccessible, thus a DDoS attack. DDoS attacks are on the rise Several firms are reporting a significant increase in DDoS attacks this year. Similar to cyberattacks in general, the pandemic has brought about a significant increase in activity. In the case of DDoS attacks, some of these reports indicate a doubling of activity in the first quarter of 2020. Perhaps more concerning is that the duration and sophistication of these attacks is also increasing. This is leading to increased disruption for impacted system, which means increased risk of financial and reputational loss, both significant concerns for businesses of all sizes. The pandemic has seen a significant increase in attacks targeting health care, government and educational platforms. All areas that have become even more critical during the pandemic. In some cases, the cybercriminals are extorting the targeted entities – either to get them to pay a ransom to stop the attack or to simply create a lack of trust in the impacted entity. Protecting your organization from DDoS attacks In the face of this increasing threat, organizations need to do all they can to mitigate this threat. While the threat is sophisticated and complex, the mitigation opportunities are improving. To start, organizations need to focus on being sure that their infrastructure is as resilient as possible. This means leveraging some basic network architecture designs, including geographic dispersion of servers across different data centers. Consider data centers across multiple providers as one option. Regardless of data center provider, be sure there are multiple access paths to the network to avoid any single point of failure. Redundancy is king. Redundant servers, switches, routers, firewalls, data centers, connectivity, power, etc. Redundant systems help prevent bottlenecks and single points of failure that can be exploited via a DDoS attack. As these threats have matured, so has the technology to defeat or minimize them. From next-generation firewalls to load balancers and other technologies, the technology is continually improving and including features designed to defeat or minimize DDoS attacks. You should also be sure that your network bandwidth is optimized to withstand a DDoS attack. If you can justify the expense, obtain as much bandwidth as possible to help manage a flood of traffic, should that occur. Also consider multiple internet connections to both load balance your connectivity and provide redundant backup. If one connection becomes flooded, you will have a secondary connection available to mitigate the impact. As DDoS attacks increase, more and more service providers are implementing systems to mitigate the attacks. Check with your internet and DNS providers and find out what technologies they may employ to minimize the effects of an attack, should one occur. If they don’t, check to see if any of the providers available to you do. Given the pervasive nature of DDoS attacks, even the most basic mitigation strategies should be in place. While you may never be able to prevent a DDoS attack completely, hopefully some of these strategies are available to you to increase your DDoS protection. The attack surface is large and bad actors will continue to exploit it. You have a responsibility to be as prepared as possible, to protect your reputation and your balance sheet. Source: https://www.cpomagazine.com/cyber-security/ddos-attacks-remain-a-serious-threat-to-businesses-worldwide/

Read the article:
DDoS Attacks Remain a Serious Threat to Businesses Worldwide

Teen who shook the Internet in 2016 pleads guilty to DDoS attacks

One of the operators behind a Mirai botnet pleaded guilty to their involvement in a huge DDoS attack that caused a massive Internet disruption during October 2016. Multiple high-profile websites and online services including Amazon, PayPal, Visa, Netflix, the PlayStation Network, and Airbnb were taken down as a direct result of this DDoS attack. The botnet, a variant of the Mirai botnet, was developed by the defendant with the help of others between roughly 2015 until November 2016, specifically for being used to target gaming platforms in DDoS attacks. The conspirators used it to infect and convert Internet-connected video cameras, recorders, and other Internet-of-Things (IoT) devices into bots that were used as the “army” that powered the group’s DDoS attacks. Over 100,000 infected devices used in the attack The defendant, a minor when the attacks took place, and his conspirators targeted their massive DDoS (Distributed Denial of Service) attack at the Sony PlayStation Network’s gaming platform but it also affected the systems of Domain Name System (DNS) provider Dyn. After the attack, many of the sites and services using Dyn’s DNS servers were also affected by this attack and remained down throughout the next day while the DNS provider was working to bring back up the main DNS servers targeted by the conspirators’ botnet. “We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Scott Hilton, Dyn EVP of Product, said in a summary of the attack. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints.” Dozens of big sites and platforms affected The huge 2016 Dyn DDoS attack resulted in a massive Internet disruption later spread to hundreds of thousands of sites that used the DNS provider’s services. The list of impacted sites also included dozens of high-profile websites and online platforms that suffered losses from remediation costs and lost advertising revenues. The massive DDoS attack indirectly affected Dyn’s servers and brought down a substantial part of the Internet across both North America and Europe together with Sony’s PlayStation Network, the primary target of the attack. “According to court documents, on Oct. 21, 2016, the individual and others used the botnet they created to launch several DDoS attacks in an effort to take the Sony PlayStation Network’s gaming platform offline for a sustained period,” DoJ press release said. “The DDoS attacks impacted a domain name resolver, New Hampshire-based Dyn, Inc., which caused websites, including those pertaining to Sony, Twitter, Amazon, PayPal, Tumblr, Netflix, and Southern New Hampshire University (SNHU), to become either completely inaccessible, or accessible only intermittently for several hours that day. “ The identity of the defendant was withheld because they were juvenile at the time the offense was commissioned. The individual’s sentencing was scheduled for January 7, 2021. Source: https://www.bleepingcomputer.com/news/security/teen-who-shook-the-internet-in-2016-pleads-guilty-to-ddos-attacks/

View article:
Teen who shook the Internet in 2016 pleads guilty to DDoS attacks

Docker servers infected with DDoS malware in extremely rare attacks

Up until recently, Docker servers misconfigured and left exposed online have been historically targeted with cryptocurrency-mining malware, which has helped criminal groups generate huge profits by hijacking someone else’s cloud resources. However, in a report published this week, security researchers from Trend Micro have discovered what appears to be the first organized and persistent series of attacks against Docker servers that infect misconfigured clusters with DDoS malware. According to Trend Micro, the two botnets are running versions of the XORDDoS and the Kaiji malware strains. Both malware operations have a long and well-documented history, especially XORDDoS, which has been spotted used in the wild for many years. However, the two DDoS botnets had usually targeted routers and smart devices, and never complex cloud setups, such as Docker clusters. “XORDDoS and Kaiji have been known to leverage telnet and SSH for spreading before, so I see Docker as a new vector which increases the potential of the botnet, a green field full of fresh fruit to pick with no immediate competitors,” Pascal Geenens, cybersecurity evangelist at Radwa r e , told ZDNet via email earlier this week. “Docker containers will typically provide more resources compared to IoT devices, but they typically run in a more secured environment, and it might be hard to impossible for the container to perform DDoS attacks,” Geenens added. “The unique perspective of IoT devices such as routers and IP cameras is that they have unrestricted access to the internet, but typically with less bandwidth and less horsepower compared to containers in a compromised environment,” the Radware researcher told ZDNet . “Containers, on the other hand, typically have access to way more resources in terms of memory, CPU, and network, but the network resources might be limited to only one or a few protocols, resulting in a smaller arsenal of DDoS attack vectors supported by those ‘super’ bots.” However, these limitations don’t usually impact crypto-mining botnets, which only need an open HTTPS channel to the outside world, Geenens said. But despite the limitations in how a DDoS gang could abuse hacked Docker clusters, Geenens says this won’t stop hackers from attacking this “green field full of fresh fruit to pick” as there are very few vulnerable IoT devices that haven’t been infected already, which has forced hackers to target Docker servers to begin with. And on a side note, Geenens also told ZDNet that he suspects that DDoS operators are already quite familiar with Docker systems already. While this is the first time they’re hacking Docker clusters, Geenens believes hackers often use Docker to manage their own attack infrastructure. “I have no immediate proof, but I’m pretty sure that in the same way as legitimate applications benefit from [Docker’s] automation and agility (DevOps), so will illegal applications.” The most common source of Docker hacks is the management interface (API) being left exposed online without authentication or being protected by a firewall. For readers looking to secure their servers, that would be a good first thing to check. In its report, Trend Micro also recommends that server administrators secure their Docker deployments by following a series of basic steps, detailed here . Source: https://www.zdnet.com/article/docker-servers-infected-with-ddos-malware-in-extremely-rare-attacks/

Originally posted here:
Docker servers infected with DDoS malware in extremely rare attacks

Huge Cyberattacks Attempt To Silence Black Rights Movement With DDoS Attacks

After the death of George Floyd and the subsequent protests across the U.S., cyberattacks on advocacy groups spiked by an astonishing 1,120 times. It’s unclear who is behind the attacks, but they included attempts to neuter anti-racist organizations’ freedom of speech. The data comes from Cloudflare, a Silicon Valley company that protects a vast number of websites from distributed denial of service (DDoS) attacks, where servers are flooded with traffic to make them inaccessible. As its tech is used by a number of advocacy groups—including Black Lives Matter—Cloudflare saw what was happening around the time of Floyd’s death, caused by a police officer—former Minneapolis police officer Derek Chauvin—kneeling on Mr. Floyd’s neck till the life drained out of him. Fighting prejudice online And organizations whose purpose is to fight prejudice went from seeing almost no attacks on their sites to significant attempts to knock them offline. They included nearly 140 million likely malicious requests to load their websites. DDoS attacks see sites swamped with such requests, which mimic a massive number of people trying to get on a site at the same time, clogging up traffic to the page and making it inaccessible. “Those groups went from having almost no attacks at all in April to attacks peaking at 20,000 requests per second on a single site,” the company’s CEO, Matthew Prince, and its chief technology officer, John Graham-Cumming, wrote in a blog post. “One particular attacker, likely using a hacked server in France, was especially persistent and kept up an attack hitting an advocacy group continuously for over a day. We blocked those malicious HTTP requests and kept the site online.” In May, attacks on government, police and emergency services websites were up 1.8 times and 3.8 times on military websites, compared to the figures in April. Last week, the Minneapolis Police Department website was down after a reported DDoS attack. “We have been listening carefully to those who have taken to the streets in protest to demand justice and an end to structural racism, and believe that their powerful stories can serve as catalysts for real change. But that requires them to be heard,” the Cloudflare chiefs wrote in the post. “Unfortunately, if recent history is any guide, those who speak out against oppression will continue to face cyberattacks that attempt to silence them.” Source: https://www.forbes.com/sites/thomasbrewster/2020/06/03/huge-cyber-attacks-attempt-to-silence-black-rights-movement-with-ddos-attacks/#3460b946742b

Original post:
Huge Cyberattacks Attempt To Silence Black Rights Movement With DDoS Attacks

RangeAmp DDoS attacks can take down websites and CDN servers

A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP “Range Requests” attribute. HTTP Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature was created for pausing and resuming traffic in controlled (pause/resume actions) or uncontrolled (network congestion or disconnections) situations. The HTTP Range Requests standard has been under discussion at the Internet Engineering Task Force (IETF) for more than half a decade, but, due to its usefulness, has already been implemented by browsers, servers, and CDNs. Two RangeAmp attacks discovered Now, a team of Chinese academics says that attackers can use malformed HTTP Range Requests to amplify how web servers and CDN systems react when having to deal with a range request operation. The team says two different RangeAmp attacks exist. The first is called a RangeAmp Small Byte Range (SBR) attack. In this case [see (a) in the image below], the attacker sends a malformed HTTP range request to the CDN provider, which amplifies the traffic towards the destination server, eventually crashing the targeted site. The second is called a RangeAmp Overlapping Byte Ranges (OBR) attack. In this case [see b) in the image below], the attacker sends a malformed HTTP range request to a CDN provider, and in the case, the traffic is funneled through other CDN servers, the traffic is amplified inside the CDN networks, crashing CDN servers and rendering both the CDNs and many other destination sites inaccessible. Image: Weizhong et al. Academics said they tested RangeAmp attacks against 13 CDN providers and found that all were vulnerable to the RangeAmp SBR attack, and six were also vulnerable to the OBR variant when used in certain combinations. Researchers said the attacks were very dangerous and required a minimum of resources to carry out. Of the two, RangeAmp SBR attacks could amplify traffic the most. The research team found that attackers could use a RangeAmp SBR attack to inflate traffic from 724 to 43,330 times the original traffic. Image: Weizhong et al. RangeAmp OBR attacks were a little harder to carry out, as the six vulnerable CDNs needed to be in specific (master-surrogate) configurations, but when conditions were met, reserchers said OBR attacks could also be used to inflate traffic inside a CDN network with amplification factors of up to nearly 7,500 times the initial packet size. Image: Weizhong et al. Of the two, OBR attacks were considered more dangerous, as attackers could take down entire chunks of a CDN provider’s network, bringing down connectivity for thousands of websites at a time. CDN vendors notified seven months ago Academics said that for the past few months they have been silently contacting the affected CDN providers and disclosing the details of the RangeAmp attack. Of the 13 CDN providers, researchers said that 12 responded positively and either rolled out or said they planned to roll out updates to their HTTP Range Request implementation. The list includes Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud. “Unfortunately, although we have sent them emails several times and have tried to reach out to their customer services, StackPath did not provide any feedback,” the research team said. “In general, we have tried our best to responsibly report the vulnerabilities and provide mitigation solutions. The related CDN vendors have had nearly seven months to implement mitigation techniques before this paper was published.” Each CDN provider’s reply, along with technical details about the RangeAmp attacks, are available in the research team’s paper, entitled “CDN Backfired: Amplification Attacks Based on HTTP Range Requests,” available for download in PDF format from here. Source: https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/

See original article:
RangeAmp DDoS attacks can take down websites and CDN servers