Cybercriminals launched an unprecedented number of distributed denial-of-service (DDoS) attacks in the second half of 2020, fueled by the COVID-19 outbreak. Many of those attacks were aimed at industries that saw surging demand during the pandemic, including e-commerce, healthcare, online learning and streaming services, according to a new report by Netscout.
Overall, more than 10 million DDoS attacks were observed last year, Netscout’s ATLAS Security Engineering and Response Team (ASERT) reported. For all of 2020, there was a 20 percent year-over-year increase. In the second half of the year, the number of attacks jumped 22 percent, according to the company’s bi-annual Threat Intelligence Report.
In addition, the security researchers also detected a new threat actor they are calling Lazarus Bear Armada, a threat group that “launched a global DDoS extortion campaign, using network reconnaissance to launch multi-vector attacks on critical pandemic infrastructure elements such as VPN concentrators, authoritative and recursive DNS servers, and upstream internet service providers’ (ISPs’) peering and customer aggregation routers,” they wrote in the report.
Record Number of DDoS Attacks
All of this added up to a year that saw a record number of DDoS attacks, which are designed to disrupt web traffic to a server or website and often come with a ransom demand. May alone saw 929,000 attacks. The global pandemic was a key driver of the increase, with the sudden shift to remote working and distance learning, which fueled a shift away from enterprise-level network protection.
“The second half of last year witnessed a huge upsurge in DDoS attacks, brute-forcing of access credentials and malware targeting internet-connected devices,” Richard Hummel, threat intelligence lead at Netscout and one of the report’s authors, said in a statement. “As the COVID-19 pandemic continues, it will be imperative for security professionals to remain vigilant to protect critical infrastructure.”
The role of the COVID-19 public health crisis also could be seen in many of the targets that were chosen by the attackers. With employees, teachers and students suddenly doing most of their work at home via videoconferencing and most people staying home, streaming services, e-commerce sites and online learning technology became a key focus of DDoS attacks, the researchers said.
In addition, healthcare facilities, which have been a growing target of ransomware attacks around the world given the vast amounts of personal data they hold, also found themselves the victims of the rising number of DDoS attacks even as man of them were struggling to keep up with the overwhelming number of COVID-19 cases they were seeing.
The figures were grim. The number of monthly attacks surpassed 800,000 in March, just as the COVID 19-related lockdowns were beginning, and never fell below that level, according to the researchers. The number of enterprise respondents that reported DDoS extortion attacks grew by 125 percent. Firewalls and VPNs, which have seen heavy work during the pandemic, were overloaded at times and contributed to outages in 83 percent of enterprises that were attacked.
Adding IoT Devices to the Botnet
In addition, the MIrai malware – which has been around for more than five years – and related variants leveraged the shift away from enterprise-grade protection to create a surge in brute-force attempts on consumer-level Internet of Things (IoT) devices.
Cybercriminals using malware like Mirai are able to take controlled of networked devices and create botnets that can launch DDoS attacks. According to Netscout researchers, bad actors were able to absorb more devices into their botnets, enabling them to strengthen the frequency, size and throughput of their attacks around the globe.
Lazarus Bear Armada got particular mention in the report for its aggressive DDoS attacks, the first of which took down the New Zealand Stock Exchange. The group then expanded its reach by targeting victims in areas such as financial services and adjacent industries, healthcare, communications services providers, ISPs, manufacturing organizations and large tech companies. Lazarus Bear Armada is still active and retargeting previous victims, particularly ones that the group said failed to pay the ransom that was demanded.
Netscout’s report is echoing what others in the cybersecurity field are seeing. Chris Morales, chief information security officer for digital IT transformation vendor Netenrich, pointed to the billions of connected devices around the world as a key reason for the growth of DDoS attacks.
“DDoS attack have been increasing in capabilities for years due to the dramatic growth in volume of IoT devices,” Morales told InternetNews. “Many botnets, like Mirai, have been scanning the internet and amassing control of devices for years. These poorly configured and easy-to-compromise devices are a ready-made online army that can produce enough aggregate bandwidth to swarm and overpower almost any network.”
Extortion is the Goal
Like ransomware, extortion is the central driver of DDoS attacks – both attacks cause disruption until the ransom is paid – though DDoS attacks are easier to pull off than ransomware and there’s little chance of detection until the moment it appears, he said.
“Extortion is unfortunately proving to be a profitable business model as many organizations pay,” Morales said. “It is more prevalent as availability of services is replacing data loss as the biggest threat to organizations. Business has shifted dramatically to online delivery of services and remote-work environments have made always available services critical to the business functioning. This trend is not going to reverse and the supply chain of vendors and cloud services is the new normal of doing business.”
Zach Varnell, senior application security consultant at cybersecurity provider nVisium, told InternetNews that cybercriminals are incentivized to continue running DDoS attacks if even a small fraction of ransoms are paid.
“This sometimes includes making good on their promise to attack those who don’t pay up,” Varnell said. “Financial services were originally hit hard by these DDoS ransom threats and for obvious reasons are rich targets for cybercrime. Since there are far more online retailers than financial institutions today – and multiplied in their online presence due to COVID 19 – it’s highly likely that targeting this industry is now becoming a lucrative source of ransom threats through DDoS attacks.”
DDoS Protection and Response
Austin Merritt, cyber threat intelligence analyst at cybersecurity firm Digital Shadows, said companies can protect themselves by using approaches that make them a “hardened target” because threat actors always compromise the softest targets first. They also need to have a DDoS response plan in place and to make employees aware that cybercriminals may target them through phishing emails.
Organizations need to broaden their strategies when it comes to cybersecurity, according to Netenrich’s Morales.
“Cyber security is really focused on information protection, but not so much on ensuring sustaining services and availability during an attack,” he said. “2021 is an inflection point in the industry where security strategy needs to pivot from prevention to resilience. [Companies need to be able to] withstand and recover fast from adversity.”