Cybercriminals and activists scale up their attacks – who’s at risk and why?

Distributed denial of service (DDoS) attacks have significantly increased in size, carried out by threat actors exploiting internet of things (IoT) devices, which brings into question the defences and mitigation strategies which have become outdated overnight.

DDoS is not a new attack method; cybercriminals and activists have been carrying out this type of attack since the early 2000s. So why are we now seeing a dramatic increase in the magnitude and capability of these attacks? Which sectors are most at risk and what can be done to reduce their exposure?

The evolution of DDoS attacks

A DDoS attack is a relatively straightforward method of blocking access to a website by flooding its server with more requests than it can handle. It’s the electronic version of a traffic jam: too many cars try to reach the same destination and the road is not big enough so everyone gets stuck.

DDoS attacks are the preferred tool of cyber activist groups because they are relatively easy to carry out; you don’t need to be a very skilled hacker to knock a website offline for a few hours. These groups often use DDoS attacks against websites of financial or government institutions for political reasons; however, victims also include non-profit organisations, companies targeted by single-issue groups, businesses with insufficient security measures in place, and more.

Cybercriminals tend to favour extortive DDoS attacks, i.e. they threaten to take a company’s website offline if a ransom is not paid. Therefore, businesses that rely on internet-facing services are most vulnerable to this type of attack. In addition, well planned DDoS attacks can affect other web-based services such as email exchanges, thus posing a potential threat to all organisations.

Until recently, the largest attack recorded was around 500 Gbps (gigabits per second), which is the unit used to measure the amount of data sent to a target every second during a DDoS attack. In September, a French hosting provider was the victim of a DDoS attack of more than double this size, peaking at 1.2 Tbps (terabits per second). Attacks of this magnitude would render any website or web service unavailable, no matter how prepared the organisation is.

This specific incident leveraged new malware, known as Mirai, which spreads to vulnerable devices by continuously scanning the internet for IoT systems protected by factory default or hardcoded usernames and passwords. Since this incident, three more large-scale attacks have been recorded, all using Mirai. These attacks were against a cyber security researcher’s website, an internet service provider and four major telecom providers in Liberia. 

The threat from internet of things (IoT) devices

The record-breaking size of these DDoS attacks can be attributed to the continued growth of IoT devices. As consumers, businesses and governments connect more physical devices to the internet (such as vehicles, home appliances and CCTV cameras) they become more vulnerable to cyber attacks.

This is because most IoT devices have lower levels of security than traditional internet-enabled devices. As a result, cybercriminals and activists, and perhaps government-sponsored groups, have been able to scale up DDoS attacks by exploiting IoT devices. DDoS attacks are expected to become more powerful and more refined as IoT devices become more widely available.

Defence methods may be ineffective against large-scale attacks

The large-scale DDoS attacks which have been recorded from September this year demonstrate that current defences and mitigation strategies are insufficient against these new capabilities. What’s more, the attacks had a significant impact on their targets. 

On 21 October an internet management company suffered a series of massive DDoS attacks against its managed services infrastructure – the attacks involved 100,000 IoT devices. The company provides Domain Name System (DNS) services to a significant portion of the market, including major sites like Twitter and PayPal. DNS is critical to the way the internet functions because it helps translate numeric IP addresses, which computers use to route traffic to the popular URLs that people know of as the names of websites. As a result of this attack, several companies and services were offline for hours. 

Only a few weeks later, the same DDoS malware (Mirai) was apparently used by threat actors to target websites in Liberia. It was later revealed that the attack focused on four major telecom providers. This incident impacted most of the country’s internet connectivity.

Who’s most at risk?

Historically, financial organisations and governments have been the primary targets of DDoS attacks and this is not expected to change. Users rely on their web-facing assets to conduct a number of essential activities, from e-banking to registering to vote. Activists and cybercriminals create maximum disruption when preventing users from accessing these services – more so than when they target other sectors. However, it is important to note that telecom and internet providers have been the target of recent attacks.

Hackers have posted a number of instructional videos on social media demonstrating their DDoS capabilities. These videos show that web servers running on a particular web server platform are the most frequently targeted. Why is this important? Our research shows that 90% of all websites brought down by cyber activists’ DDoS attacks in recent campaigns were running on the same platform, which is used by more than 16 million web servers, including stock exchanges and government organisations. This provides cybercriminals and activists with a wide variety of vulnerable websites to target when conducting their operations.

Mitigation

Due to the increased risk facing organisations in the financial sector, and others that rely on web-facing assets, organisations must ensure appropriate incident response plans are in place in anticipation of an attack. They should also invest in anti-DDoS technologies and services, and ensure their web server platform provides sufficient protection. The best practices for mitigating DDoS attacks still apply but must be updated to address the increasing size of these attacks:

• Increase the bandwidth for critical services to account for higher levels of traffic during an attack.
• Ensure geographic distribution of critical services.
• Ensure failover capability, especially for critical services.
• Implement a scalable web application firewall that can cope with a large attack.

Even though sophisticated attacks are only likely to be deployed against specific targets, organisations should be aware that DDoS attacks are a threat facing all industries. In light of the rapidly increasing DDoS capabilities seen recently, companies should review their DDoS mitigations.

Prevent your systems from becoming an attacker

To help prevent vulnerable devices from being used in large-scale attacks, companies should consider the following steps to secure them:

• Check for updates and implement all security patches.
• Change all the default passwords on these devices, because they can be easily exploited.
• Disable Universal Plug and Play (UPnP), which poses a vulnerability.
• Disable the remote management protocol on all devices.

Future forecast

Recent DDoS attacks were carried out via vulnerable IoT devices, which enabled threat actors to direct malicious traffic against their targets. Cybercriminals are increasingly likely to exploit IoT devices, particularly due to the public availability of sophisticated tools which can be used to carry out IoT-enabled DDoS attacks. Mirai and Bashlight (a similar piece of malware) for example are both easily available to cybercriminals.

Gartner, a technology research company, projects that by the end of 2016 there will be 6.4 billion IoT devices in the market, which indicates that this attack surface will only continue to grow. Furthermore, cybercriminals offering DDoS-as-a-service will also take advantage of vulnerable IoT devices to offer more destructive attacks, so a resurgence of extortive DDoS attacks in the coming months is expected.

Currently cybercriminals have more DDoS capabilities than activists. However, the takedown of a DNS provider in the US in October suggests select groups of activists are also gaining these skills. Additionally, security researchers have discovered a new zero-day attack vector (a vulnerability that does not have an available security patch), which could increase attacks on IoT devices by up to 55 times current attack levels.

Eventually, the increase in DDoS attacks will bring about higher security standards for IoT devices. However, accessibility and usability will remain the primary criteria for such devices, giving cybercriminals and other threat actors continued scope to leverage their vulnerabilities.

Author

• Luca Berni, Cyber Threat Intelligence Analyst