Distributed denial-of-service (DDoS) attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate, rendering the website or service inoperable. The traffic can consist of incoming messages, requests for connections, or fake packets. In some cases, the targeted victims are threatened with a DDoS attack or attacked at a low level.
DDoS attacks have not been in the spotlight this year, due to the onslaught of high-dollar-amount ransomware attacks. Cyber threat investigators warn that such attacks could surge in the months ahead, and they have the potential to be just as damaging as ransomware and other types of cyber threats. DDoS-style attackers who demand a ransom to stop their attacks are finding that model profitable, says Roger Barranco, vice president of global security operations at Akamai. "The simple fact that they are making profits indicates this may be an increasing threat into 2021, incentivizing other threat actors who also want a piece of the lucrative action via the model of 'RDDoS'."
Researchers at the security firm Digital Shadows point out that the largest DDoS attack on record occurred this year, when several businesses were taken down by a 2.3 terabyte per second attack using hijacked Connection-less Lightweight Directory Access Protocol web servers. Imperva's Research Labs has seen new tactics, such as launching low-volume attacks to distract security teams and then hitting targets with a more damaging high-volume effort. The use of DDoS-as-a-Service tools is spreading too. These tools allow unskilled attackers to wage powerful attacks, attempt extortion and take advantage of the massive number of 5G IoT devices that are coming online.
Stefano De Blasi, threat researcher at Digital Shadows, says toolkits that are readily available for sale, rent or lease will likely bring in new DDoS players. "Throughout this year, we have not attributed any major attacks to unskilled or inexperienced cybercriminals; however, low-level threat actors may be carrying out these attacks due to a lower barrier of entry and an increased likelihood of monetary gain," De Blasi says.
According to cyber threat analysts, it was never expensive to invest in a DDoS-as-a-Service operation. These costs have decreased over the last few years, with a typical kit now available for lease for about $7, down from $25 in 2017. "The number of online searches for 'stresser DDoS,' legitimate services used to test the strength of a website, increased significantly in 2020. This suggests there is growing interest in DDoS toolkits by first-time and unskilled attackers," says Johnathan Azaria, a data scientist at Imperva.
The success of ransomware gangs' extortion efforts, forcing victims to pay or run the risk of having their data released, is leading to similar tactics by DDoS players. De Blasi expects DDoS-related extortion could become far more common in the months ahead. "We may eventually see the DDoS extortion landscape populated by heavy-hitting names, similar to the increase of ransomware operations beginning in late 2019," he says.
A group attacking the New Zealand Stock Exchange in August posed as the Armada Collective and Fancy Bear to strike fear into their victims. "We have already observed threat actors impersonating famous APT groups to establish credibility and instill fear in the victim; if an established DDoS extortion actor emerges, extortion attempts will likely become more successful and increase in frequency," De Blasi says.
Azaria expects increased use of cloud services for malicious purposes, enabling attackers to conduct longer, low-volume DDoS attacks. "As tools readily available online are becoming more sophisticated, expect attack infrastructure to expand in the next year as attackers leverage cloud services to scale their operations," he says. "This will contribute to more DDoS attack activity and a larger volume of low-intensity attacks that can obstruct a website's performance and can result in some loss of profits."
IoT devices have become a preferred tool for waging DDoS attacks because many are easy to take over and control due to poor security features. As a commoditized industry, IoT product developers are rewarded for speed to market - not for building secure products, Azaria notes. "That's the reason IoT devices continue to be vulnerable and have become a global threat to privacy. While some advances have been made, security remains an afterthought."
Akamai's Barranco says that, although IoT devices are now built better, security is not improving. "When it comes to IoT, security isn't something that is usually built-in, and that is intentional," he says. "Security has a cost, and components and firmware require testing and development. IoT devices are cheap and plentiful. ... A lot of development and component manufacturing is kept at as low a cost as possible. Security would add to the costs, so a lot of manufacturers just don't do as much as they can do." In short, this means that all users need to be diligent in their use of all of their devices; there is no easy "button" to push to combat these threats.
Installing, updating and monitoring firewalls and other cyber security controls, together with proper employee training, are keys to success. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports. Extensive reports on many of the threats mentioned in this article can be found at https://redskyalliance.org. There is no charge for the reports and articles posted there.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide.
- Join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend or require cyber security software, services and devices to be used by all employees and consultants who work from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Weekly Cyber Intelligence Briefings: