DDoS extortion is back…
ANALYSIS A growth in ransom-related DDoS (RDDoS) attacks has accompanied a growing sophistication and diversity in attack vectors over the last year, according to a range of security vendors quizzed by The Daily Swig.
Types of distributed denial-of-service (DDoS) attacks can include volumetric, protocol-based, and application-based assaults. Many are slung from so-called botnets of compromised computers, mobiles, or IoT devices.
Means, motive, and opportunity
The most common motives for launching a DDoS attack against an adversary's or competitor's web services include extorting the victim for financial gain and using the outage as a decoy for another cyber-attack.
Bindu Sundaresan, director at AT&T Cybersecurity, told The Daily Swig: “Motives today can include an interest in obtaining a financial reward, making an ideological statement, creating a geopolitical advantage, or exacting revenge for particular government action, corporate campaign, or policy stance.”
Pay up or say goodbye to your network resources
David Elmaleh, senior product manager of edge services at cloud and network appliance security vendor Imperva, told The Daily Swig that RDDoS campaigns motivated by financial gain saw a considerable increase in 2020.
“We saw RDDoS threats targeting thousands of large commercial organizations globally, not least the financial services industry,” Elmaleh explained.
“Of the RDDoS we’ve monitored, the extortionists leverage the names of well-known threat actor groups in their ransom messages to demand payment in bitcoin currency to prevent a DDoS attack on their target’s network.”
For example, Imperva reports that one group using the name ‘Lazarus’ threatened to launch a DDoS attack against an entire network if a ransom was not paid within six days.
“Once the attack has started, a payment of 30 bitcoin (approximately $328,000) will stop it, with an additional 10 bitcoin ($110,000) demanded for each day the ransom remains unpaid,” according to Imperva’s Elmaleh.
“The extortionist also threatened to begin a small DDoS attack on the company’s main IP address immediately to prove the threat is not a hoax.”
DDoS as a smokescreen
DDoS attacks can sometimes be deployed as a distraction from even more nefarious activities.
Chris Bates, chief information security officer at SentinelOne, warned: “DDoS attacks are a perfect smokescreen: they can be used by sophisticated attackers to divert the attention of security teams while the intruders infiltrate the organization in another way.”
For example, in August 2020, a DDoS extortion gang masquerading as the Armada Collective and APT28 (Fancy Bear) conducted an attack that impacted the New Zealand Stock Exchange (NZX) for a number of consecutive days.
“This resulted in a shutdown of operations and halting of trading, with the activity also targeting several other financial institutions,” Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told The Daily Swig.
“Whereas most DDoS extortionists often target their victims’ public websites, this activity saw the repeated targeting of backend infrastructure, API endpoints, DNS servers, and even the NZX internet service providers.”
“This shift towards backend systems may explain the prolonged outages associated with these attacks,” he added.
Ransomware + DDoS deployed in combination attacks
Conversely, less sophisticated ransomware operators have also been observed using DDoS attacks as an additional method for extortion.
One trend that emerged during 2020 involved ransomware operators leveraging DDoS to force targets back to the negotiation table.
“If encryption did not impress the target and the threat of leaking data did not convince the target to pay up, ransomware operators started DDoS attacks to further intimidate their targets and tempt them to succumb to the demand,” Pascal Geenens, threat intelligence director at DDoS mitigation vendor Radware, told The Daily Swig.
For example, Avaddon ransomware operators reportedly used DDoS to disrupt a targeted company’s network if the company refused to enter ransom negotiations.
This also has a secondary effect of disrupting any remediation activities, like processing backups of impacted data, according to Digital Shadows.
Don Smith, senior director of IT Security at SecureWorks, added that “If the threat of data encryption and exfiltration is not enough to persuade a victim to pay the ransom, then perhaps loss of internet-facing servers and devices through DDoS attacks might be”.
Other ransomware operators, including SunCrypt and RagnarLocker, have also been observed mounting DDoS attacks.
According to Smith, the last year has seen a diversification in the post-intrusion ransomware landscape, with some players now running ransomware-as-a-service affiliate models.
“Ransomware operations conducted by affiliates are reflected in diversifying threat actor playbooks, behaviours; it is reflected in ransom demands, indeed in the professionalism of the criminals,” he told The Daily Swig.
Candid Wüest, vice president of cyber protection research at cyber security and data protection vendor Acronis, added that “DDoS services are easily available to rent through botnets on underground sites, making it a simple expansion for the ransomware group.”
Natalie Page, cyber threat intelligence analyst at SY4 Security, also pointed out that groups primarily known for cryptomining operations such as TeamTNT and Lucifer are stocking up with DDoS attack tools.
F5 reports that most reported DDoS attacks were volumetric, saturating network bandwidth with junk packets to clog up the connections for legitimate users.
Common, low-effort ransom DDoS attacks use amplification vectors such as DNS response, SSDP, NTP or Memcache. DNS amplification attacks, for example, involve sending DNS requests with the victim's spoofed source address so that the much larger responses flood the victim with junk traffic.
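Reflection and amplification attacks of the kind described above share a signature on the victim side: unsolicited UDP traffic arriving from the well-known service port of a reflector (DNS, NTP, SSDP, Memcached), from many distinct sources, with an unusually large average packet size. The following Python script, added here as an illustration and not taken from the article or from any of the vendors quoted in it, runs that heuristic over a handful of constructed flow-export style records. The record format, the IP addresses (all from documentation ranges) and the thresholds are assumptions chosen for the example; the service port numbers are the standard ones for the protocols named above.

```python
from collections import defaultdict
from typing import Dict, List

# UDP source ports of services commonly abused as reflectors. The services are
# the ones named in the article; the port numbers are their standard ports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}

# Constructed flow records for illustration only (not captured traffic), in the
# assumed format: src_ip,src_port,dst_ip,dst_port,packets,bytes (all UDP).
# 192.0.2.5 receives large DNS and Memcached responses it never asked for;
# 192.0.2.9 sees ordinary small DNS and NTP replies.
SAMPLE_FLOWS = """\
198.51.100.10,53,192.0.2.5,44123,400,1480000
198.51.100.11,53,192.0.2.5,44123,380,1406000
198.51.100.12,53,192.0.2.5,44123,410,1517000
198.51.100.13,53,192.0.2.5,44123,395,1461500
203.0.113.7,53,192.0.2.9,51002,3,420
203.0.113.8,123,192.0.2.9,123,2,180
198.51.100.20,11211,192.0.2.5,44123,50,70000000
198.51.100.21,11211,192.0.2.5,44123,48,67200000
198.51.100.22,11211,192.0.2.5,44123,52,72800000
"""


def parse_flows(text: str) -> List[Dict]:
    """Parse the assumed comma-separated flow format into dictionaries."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src_ip, src_port, dst_ip, dst_port, packets, nbytes = line.split(",")
        flows.append({
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "packets": int(packets), "bytes": int(nbytes),
        })
    return flows


def detect_reflection(flows: List[Dict], min_sources: int = 3,
                      min_avg_packet_bytes: int = 1000,
                      min_total_bytes: int = 1_000_000) -> List[Dict]:
    """Flag (destination, service) pairs that look like reflected amplification.

    A pair is reported when traffic from a reflector service port reaches one
    destination from at least `min_sources` distinct senders, the average
    packet is at least `min_avg_packet_bytes` (legitimate DNS/NTP replies are
    small), and the aggregate volume is at least `min_total_bytes`.
    """
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        service = REFLECTOR_PORTS.get(f["src_port"])
        if service is None:
            continue  # not from a known reflector port; ignore
        b = buckets[(f["dst_ip"], service)]
        b["sources"].add(f["src_ip"])
        b["packets"] += f["packets"]
        b["bytes"] += f["bytes"]

    alerts = []
    for (dst_ip, service), b in sorted(buckets.items()):
        avg = b["bytes"] / b["packets"] if b["packets"] else 0
        if (len(b["sources"]) >= min_sources
                and avg >= min_avg_packet_bytes
                and b["bytes"] >= min_total_bytes):
            alerts.append({
                "victim": dst_ip, "service": service,
                "sources": len(b["sources"]),
                "avg_packet_bytes": round(avg),
                "total_bytes": b["bytes"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print("possible {service} reflection against {victim}: "
              "{sources} sources, avg {avg_packet_bytes} B/pkt, "
              "{total_bytes} B total".format(**alert))
```

Because the spoofed requests never pass through the victim's network, this is a purely receive-side check; it cannot see who sent the original queries, only that reflector responses are converging on one host. In practice the thresholds would be tuned per network and the same aggregation fed from a flow collector rather than an inline string.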
“The first half of 2020 also saw a rise in DDoS attacks targeting websites and applications. In 2019, 4.2% of the DDoS attacks reported to the F5 SIRT were identified as targeting web apps. However, this increased sixfold in 2020 to 26%,” according to Raymond Pompon, director at F5 Labs.
Neustar notes that back in July the FBI warned that common network protocols like ARMS (Apple Remote Management Services), WS-DD (Web Services Dynamic Discovery), and CoAP (Constrained Application Protocol) were being abused by hackers to conduct DDoS reflection and amplification attacks – while cautioning that disabling them could cause a loss in business productivity and connectivity.
Radware’s Geenens added: “While there has been a number of new protocols that were weaponised in DoS attack vectors such as RDP, ARMS, WS-DD, CoAP, the fundamental technique is still very much spoofing and amplification.”
While WS-DD and CoAP are vulnerable in unsecured IoT deployments and connected devices, RDP (Remote Desktop Protocol) became a popular attack vector as organizations hastily deployed remote access solutions to support teleworking during the pandemic, according to Geenens.
Some new techniques, like the NXNSAttack discovered by researchers at Tel Aviv University, take advantage of vulnerabilities in common DNS software.
The NXNSAttack technique can cause a DNS server to perform hundreds of thousands of requests every time a hacker’s machine sends just one, effectively amplifying the attacker’s firepower. This means an attacker has to compromise a relatively small number of machines to achieve massive impact – something that previously required the creation of a huge botnet.
Short but not sweet
The trend is also towards shorter attack durations combined with higher packets-per-second rates.
Alan Calder, founder and executive chairman of IT Governance, a cyber risk and privacy management firm, told The Daily Swig that the “volume of DDoS attacks, and the technical expertise that supports them, has grown significantly over the last 12 months”.
“Attackers [are] executing high-speed, short-duration, multi-vector attacks that can be extremely challenging to defend against,” he warned.
Alexander Gutnikov, system analyst at Kaspersky’s DDoS prevention service, told The Daily Swig: “In 2020, the average duration decreased by about a third, compared to 2019; while the maximum length increased. At the same time, the share of so-called ‘smart’ attacks – ones that require sophisticated skills and usually target application level – almost didn’t change (39% in 2019, 37% in 2020), as well as their maximum length.
“This suggests that short attacks are getting shorter and long ones are becoming longer; and we observed a similar trend in the Q4 2020 as well,” he added.
DDoS attacks are getting more powerful because they’re getting more complex, using many different devices, and targeting other parts of the victim’s network, according to AT&T Cybersecurity’s Sundaresan.
The biggest DDoS attacks by volume to date are thought to have been the 2.5 terabytes per second (Tbps) assault against Google in 2017 and a 2.3 Tbps attack that targeted Amazon in 2018. The advent of 5G may usher in even more vicious assaults.
Bryan Murphy, director of consulting services at security vendor CyberArk, warned: “By increasing the overall bandwidth available, 5G allows an incredible number of IoT devices to be connected. These devices are often easy to compromise and control as part of amassing a botnet army, however, because there is still no standard for IoT security.”