DDoS attacks in Q4 2019

[harlan4096]

News overview

In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. The first attacks using ARMS were registered back in June 2019, and by early October the protocol was being used by DDoS-as-a-service providers; such attacks have since become widespread. According to the BinaryEdge portal, at the beginning of the quarter, nearly 40,000 systems running macOS with ARMS were available online.

Q4 was also marked by the growing number of peer-to-peer (P2P) botnets. Unlike the classic sort, these are independent of C&C servers, and thus more difficult to neutralize. In Q4 2019, researchers at 360 Netlab told about two new such botnets. The first, nicknamed Roboto, attacks Linux servers through a known vulnerability in the Webmin remote administration application. Experts note that the botnet has yet to carry out a DDoS attack, although it does have the functionality. The second P2P network, Mozi, is aimed at IoT devices and distributed using the DHT protocol, which is applied in distributed networks, such as BitTorrent, to quickly set up a P2P network. Mozi’s authors seemingly borrowed part of the code from the Gafgyt malware, which was designed to create a “classic” botnet.

Gafgyt’s developers also updated their creation. Researchers from Palo Alto Networks detected a new version of the malware that attacks Huawei HG532, Realtek RTL81XX, and Zyxel P660HN-T1A routers. The new version of the bot has even learned to wipe competitors from infected devices.

While some cybercriminals are updating their arsenal, others are using already proven tools and methods. For instance, in October and November 2019, researchers observed a wave of TCP reflection attacks. This method involves sending requests to legitimate services under the guise of the victim, who is then flooded with responses, so the IP addresses of the attackers do not light up. Over the past two years, such attacks have been on the rise. In October, the betting website Eurobet fell victim to cybercriminals, followed by several other sports betting organizations. Later that same month, a flurry of TCP reflection attacks hit financial and telecommunications companies in Turkey. Also named among the targets were Amazon and SoftLayer (a subsidiary of IBM).

Q4 saw attacks on Internet service providers in South Africa continue. In late October, cybercriminals overwhelmed Echo Service Provider — which serves the local providers Afrihost, Axxess, and Webafrica — with junk traffic. Clients of these organizations experienced downtime when connecting to foreign segments of the Internet. The attack reoccurred approximately one month later, and this time the list of victims included the providers RSAWEB and Cool Ideas.

Among the DDoS attacks launched against commercial organizations, worth highlighting is the campaign in October against financial institutions in South Africa, Singapore, and Scandinavia. The attackers sent emails to the victims, threatening to disable their systems and demanding a ransom; and to prove their intent, they carried out a short demonstration DDoS attack. For added effect, they posed as the infamous APT group Fancy Bear, inviting victims to look online for information about their past exploits. When the media reported the attacks, the ransomers renamed themselves Cozy Bear.

Curiously, the media failed to mention a single large-scale DDoS attack timed to coincide with the runup to the festive period. But political incidents did get coverage. For instance, on November 11 and 12, a month before the UK general election, attackers tried to disable the campaign site of the Labour Party.

In December, media outlets in Kyrgyzstan that had reported an investigation into the expenses of the wife of a former official suffered from DDoS attacks. A total of seven organizations were temporarily taken down by the hired hands of the disgruntled party. Another news portal later joined the list of victims, but perhaps for a different reason.

The Minecraft server of the Vatican (that’s right) was bombarded with junk traffic immediately after launch, in what could be described as an ideological attack. The purpose of the server was to create a “less toxic environment” for players, but the project attracted not only peace-loving players. The Vatican is now beefing up its protection. Ubisoft too was engaged in DDoS fire-fighting. The developer adopted a complex of measures to protect the servers of its video game Rainbow Six Siege, which had been on the receiving end of regular attacks. As a result, according to the company, the number of incidents decreased by 93%.

Law enforcement agencies were conspicuous in the struggle against DDoSers. For instance, in early November, Chinese authorities announced the arrest of a group which controlled a botnet of more than 200,000 infected sites. The operation took place in 20 cities; 41 people were detained. In the second half of the same month, the US sentenced Sergey Usatyuk to 13 months’ imprisonment for running DDoS-for-hire services together with an unknown accomplice in Canada. The cybercriminals had been active from 2015 to 2017. In the first 13 months of the operation, the service was used by 386,000 clients and 3.8 million DDoS attacks were carried out.

Quarter and year trends

As we predicted, Q4 saw an increase in the number of attacks relative to the previous reporting period. Although the rise in the total number of incidents was modest (only 8%), smart attacks grew by a quarter (27%), which is a fair amount. What’s more, not only the number of attacks increased, but their average duration. This was expected, since Q4 is a period of retail warfare, and we observe an increase in attacks from October to December every year.

If we compare the Q4 indicators with those for the same period last year, we see a near doubling in 2019. The end of 2018 was really very calm; we only noticed renewed growth in the attack market after a significant drop, which we wrote about in last year’s report. Back then, we correctly predicted a further rise in the number of attacks. This is clearly seen when comparing full data for 2018 and 2019.

Overall, in 2019 we observed clear growth in all indicators compared to 2018. The total number of smart attacks saw particularly significant growth (+43%), as did their average duration (+44%). Last year, we forecast a rise in DDoS attacks, but did not expect such a leap.

The maximum duration of attacks also climbed, but not as significantly. In calculating the indicators, we excluded from the statistics an abnormally long attack carried out in Q3 2019, because it was an outlier case that would have unfairly distorted the annual figures.\

Although Q4 saw an increase in the number and duration of DDoS attacks relative to the previous reporting period, we link this to the specifics of the quarter, not to a market trend. Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth. There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth. Nor have any serious vulnerabilities that would facilitate attacks been found recently. Looking at the trends of past years, we expect a slight decline in Q1 2020, yet will hazard a prediction that in absolute terms it will still be higher than the same period for 2019. Last year was an interesting one in the world of DDoS attacks. Let’s hope that 2020 decides to be boring.
...

Continue Reading