Defend Against DDoS Archive

The “IBM X-Force Threat Intelligence Index 2019” highlighted troubling trends in the cybersecurity landscape, including a rise in vulnerability reporting, cryptojacking attacks and attacks on critical infrastructure organizations. Yet amid all the concern, there is one threat trend that our data suggests has been on the decline: hacktivism — the subversive use of internet-connected devices and networks to promote a political or social agenda.

Looking at IBM X-Force data in the period between 2015 and 2019, our team noted a sharp decrease in publicly disclosed hacktivist attacks. Our data incorporates incidents pulled from established and reliable reporting streams and reveals where a specific group claimed responsibility for the incident and where there is quantifiable damage to the victim. While this data does not capture all cyber incidents — nor all hacktivist attacks that occurred in that period — the decrease in publicly acknowledged hacktivism attacks remains significant since public attribution is a key component in these types of attacks.

In 2016 in particular, hacktivist attacks such as Operation Icarus, which directed distributed denial-of-service (DDoS) attacks at banks worldwide, made headlines several times. Another 2016 attack by the same group was a “declaration of war” on Thai police following the conviction of two Burmese men for the murders of two British backpackers. That operation resulted in the defacement of several Thai police websites. In 2018, the number of reported attacks was much lower, although various groups used similar tactics, including DDoS attacks and the defacement of several government websites in Spain.

We have some theories about the reasons behind this decline — specifically, a decrease in attacks by one core hacking collective and law enforcement acting as a deterrent against hacktivism. Let’s explore these theories in more detail.

Public Hacktivist Attacks Have Dropped Nearly 95 Percent Since 2015

We’ll start by taking a closer look at the numbers. According to X-Force data collected between 2015 and 2019, hacktivist attacks have declined from 35 publicized incidents from our sample in 2015 to five publicized incidents in 2017. In 2018, only two publicized incidents were recorded, a dramatic decline over the past four years. Thus far for 2019, no hacktivist attacks have yet met the criteria to be included in our data set, although we are aware that some hacktivist attacks have occurred.

These numbers show a drop of nearly 95 percent from 2015 to 2018 as attacks from the groups behind the bulk of the 2015–2016 attacks decreased. Most notably, the Anonymous collective and associated groups that identify themselves as Anonymous in different parts of the world perpetrated fewer attacks.

Figure 1: Number of publicized hacktivist attacks (Source: IBM X-Force Data, 2015–2018)

For the hacktivist attacks tracked through our X-Force data, an analysis shows that few hacktivist groups aside from Anonymous have notably dominated the attack landscape over the past four years, with most groups carrying out only one or two attacks and then disappearing for a time.

Several groups struck only once and were never heard from again under the same name. The following figure depicts the number of hacktivist attacks by group from 2015 through 2018. Attacks by Anonymous made up 45 percent of all attacks, a far higher percentage than any other group that kept the same identity over time.

Figure 2: Hacktivist attacks by group (Source: IBM X-Force Data, 2015–2018)

Where Have All the Hacktivist Groups Gone?

So how can this decrease in hacktivist attacks from 2015 to 2018 be explained, especially in view of how frequent these sorts of incidents were in previous years?

X-Force researchers have some theories about the changing nature of the hacktivist threat landscape that could have contributed to this decline. Upon examining these theories in light of additional data on hacktivist attacks and activity and law enforcement response, we noted several patterns that might help explain this downward trend.

A Decline in Anonymous Attack Campaigns

A decline in attacks associated with the hacking group Anonymous is one of the principal contributing factors in the overall decline in hacktivist attacks worldwide.

Starting around 2010, Anonymous became one of the most prolific hacktivist groups in the world, reaching a peak of activity in early- to mid-2016, according to IBM X-Force data. Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus.

Some examples of this turmoil were on display during the 2016 US presidential election, which appeared to spark a sharp debate among Anonymous members, one that even spilled over into the public domain. While some members advocated for attacks against candidate websites, others strongly disagreed, arguing that the group does not support a particular political ideology and criticizing proposed attacks as “cringeworthy.”

In addition to differences in viewpoint, several cyber actors have sought to masquerade as Anonymous actors over the past three years, using the moniker in an attempt to legitimize their actions or to tarnish the group’s name by connecting their activities to Anonymous. In early 2016, Anonymous released a video warning about “fake Anons” and claiming that governments and individuals were acting in the name of the group in an attempt to “damage the name of Anonymous and [post] propaganda of their own ideologies,” or profit financially by using the group’s name as clickbait to attract traffic to advertising webpages. Any attempt to decrease the number of fake Anons may have led to a decrease in the number of true Anonymous actors overall.

X-Force data shows that decrease in Anonymous activity, with attacks dropping from eight incidents in 2015 to only one tracked in 2018.

Figure 3: Number of publicized Anonymous hacktivist attacks per year (Source: IBM X-Force Data, 2015–2018)

Legal Deterrence

Arrests and legal warnings issued to hacktivists at large may be acting as an effective deterrent against additional hacktivist activity. X-Force IRIS internal tracking of related arrests revealed that law enforcement agencies in the U.S., U.K. and Turkey have arrested at least 62 hacktivists since 2011. We suspect the actual number is greater than those publicly announced. Three of the arrested hacktivists received sentences in 2018 and 2019, all with prison time of three years or greater, including one with a 10-year prison sentence.

The 10-year sentence — plus a $443,000 fine — was placed on one self-proclaimed Anonymous hacktivist who hit Boston Children’s Hospital with DDoS attacks in 2014 and was arrested in February 2016. Some security practitioners noted that the long sentence had the potential to deter additional attacks.

Another hacktivist arrested in 2011 agreed to become an informant to the FBI, possibly contributing to the demise of his hacking group LulzSec and the arrests of potentially nine other hacktivists. This hacker then served seven months in prison before becoming a legitimate penetration tester.

In January 2017, one software engineer publicly proposed a DDoS attack on the White House’s website as a form of hacktivism. Security experts and law enforcement officials warned that such an act was illegal and would be tracked and punished. In the end, no attacks appeared to have occurred, and there were no reported problems with the White House website that month.

Hacktivism Is a Volatile Tactic

Where are hacktivist attacks likely to go from here? We are reluctant to say that the era of hacktivism has come to an end. Acute social justice issues, greater organizational capabilities among hacktivist groups and a stronger shift to areas that lay beyond the reach of law enforcement all have the potential to dramatically change the face of hacktivism in a relatively short period of time. More likely than not, we are experiencing a lull in hacktivist activity rather than a conclusion.

Hacktivism incidents in 2019 already suggest that this year may see an uptick in attacks, with a scattering of activity from attacks on Saudi newspapers in January to DDoS attacks on Ecuadorian government websites following the arrest of Julian Assange. As of yet, however, these numbers have still not reached the tempo of hacktivist attacks seen in 2015 and 2016.

For the time being, the world appears to be experiencing a relative respite from hacktivist attacks, perhaps freeing defensive resources to focus on more pressing threats, such as malicious actors’ use of PowerShell, Spectre/Meltdown and inadvertent misconfiguration incidents. These ongoing threats, X-Force IRIS predicts, will continue to demand more focus from security teams throughout 2019.

Source: https://securityintelligence.com/posts/the-decline-of-hacktivism-attacks-drop-95-percent-since-2015/

Lawmakers tackle safety and security issues, while an Internet Society survey said a majority of people find the devices ‘creepy.’

The safety and security of internet of things (IoT) devices remains a vexing issue for lawmakers, while a survey from the Internet Society shows there is still some way to go before reaching widespread public acceptance of IoT connectivity.

The survey, conducted in six countries by polling firm IPSOS Mori, found that 65% of those surveyed are concerned with how connected devices collect data, while 55% do not trust those devices to protect their privacy. Meanwhile, 63% of those surveyed said they find IoT devices, which are projected to number in the tens of billions worldwide, to be “creepy.”

Those concerns were at the forefront of a hearing last week on IoT security by the U.S. Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security, where lawmakers and witnesses debated how to make the devices safer and more transparent for consumers, and what the role of the federal government should be in legislating that. It’s a dilemma for policymakers and industry leaders who must wrestle with these questions.

“We can’t put the genie back in the bottle,” Internet Society president and CEO Andrew Sullivan told Smart Cities Dive. “We have invented this technology, so we’re going to have to figure out how to cope with it now. We have to figure out how are we going to make this technology something that better serves the people, the consumers who are buying it.”

Risks and concerns

Consumers are turning to internet-connected devices, and while they present enormous opportunities for convenience, they are not without risks.

In prepared testimony before the subcommittee, Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association (USTelecom) said there is “ample evidence of IoT security vulnerabilities,” with incidents like cameras being used for spying, personal information being stolen and hackers taking control of devices like smart thermostats.

“Concerns of this kind can have a massive influence on public perception of technologies, and if not addressed in meaningful ways, trust in the digital ecosystem will erode, causing unpredictable levels of disruption and economic harm,” Mayer’s testimony reads.

There have already been several major hacks of IoT devices, including the Mirai DDoS botnet attack in October 2016 that rocked technology company Dyn and dramatically slowed or knocked out internet access across the East Coast and elsewhere in the world.

In written testimony, Mike Bergman, vice president of technology and standards at the Consumer Technology Association (CTA), warned of the international nature of the attack; 89.1% of the attack traffic originated from devices installed outside the United States, he said.

Source: https://www.smartcitiesdive.com/news/privacy-concerns-abound-as-iot-devices-grow-in-use/553986/

Hackers behind the DDoS attacks on Electrum Bitcoin users have managed to infect up to 152,000 hosts, according to security researchers.

In a blog post, researchers at Malwarebytes said that figure was reached earlier last week but has now plateaued at around the 100,000 mark. The botnet has been fuelled by two distribution campaigns (RIG exploit kit and Smoke Loader) dropping malware detected as ElectrumDoSMiner.

Researchers have now discovered a previously undocumented loader dubbed Trojan.BeamWinHTTP that is also involved in downloading ElectrumDoSMiner. So far, it has been estimated that the amount of stolen funds amassed by hackers could be as high as $4.6 million.

The botnet has largely been concentrated in the Asia Pacific region (APAC). For the Americas, most bots are located in Brazil and Peru, researchers said. However, the number of victims that are part of this botnet is constantly changing.

“We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily,” said researchers.

Victims infected with the malware “may experience slowdowns in internet speed as they are joined to a botnet that performs DDoS attacks”, according to researchers.

They added that criminals have wasted no time in exploiting a vulnerability in Electrum wallets to phish unsuspecting users.

“What followed next with retribution attacks on Electrum servers was unexpected but logical, considering what is at stake. While these DDoS attacks have not been publicized much by mainstream media, they have undoubtedly caused millions of dollars in losses over the span of just a few months,” they said.

Source: https://www.scmagazineuk.com/electrum-ddos-botnet-infects-152000-hosts/article/1583311

DDoS attacks continue to be an effective means to distract and confuse security teams while inflicting serious damage to brands, according to Neustar.

Also, when comparing Q1 2019 vs. Q1 2018, the company has registered a 200 percent increase of attacks on directly provisioned customers.

Report findings

The largest attack size Neustar observed in Q1 2019 was 587 Gbps in volume, and the longest duration for a single attack was nearly a day and a half.

Other interesting tidbits from the company’s latest cyber threats and trends report include:

  • Compared to Q1 2018, there was a 257% increase in attacks of 5 Gbps and below and a 967% increase in attacks of 100 Gbps and higher.
  • The majority of attacks in this period were 25 Gbps and below.
  • The average attack intensity decreased from 3.9 mpps (million packets per second) in Q1 2018 to 3.7 mpps in Q1 2019.

Multi-vector attacks dominate

77% of all the attacks Neustar mitigated in Q1 2019 used two or more vectors (roughly the same percentage as in Q1 2018), and none of the top attacks the company mitigated used only a single vector.

These different attack vectors include:

  • Volumetric attacks at Layer 3 or 4 (network and transport), which work by “flooding” targets with too much traffic
  • Protocol attacks, which are meant to overwhelm routers, firewalls, or load balancers within the target’s network (by exhausting their processing power). They are often limited in size to avoid detection and wreak damage for a long time.
  • Application layer attacks (Layer 7), in which attackers target servers, applications or APIs (e.g., Slowloris).

In this period Neustar also witnessed a new type of volumetric attack generally described as “carpet bombing.”

“Rather than aiming at a single IP address, this attack was instead directed at complete Classless Inter-Domain Routing (CIDR) blocks, or subnets,” the company noted. “By using DDoS methods aimed completely at subnets, rather than specific IP addresses, an attack is often more difficult to detect and mitigate. These attacks often feature multiple vectors and will switch between them as they migrate from subnet to subnet.”

Carpet bombing attacks are also often used by attackers as a smokescreen to hide an attack against a single target.
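The subnet-level behaviour described above is what a per-IP volume threshold misses. The following detection sketch is an added illustration, not code from Neustar or the article: it sums traffic per destination IP and per destination /24 over constructed one-second flow records, with assumed thresholds (500 Mbps per host, 2 Gbps per /24), and shows that the carpet-bombed block trips only the subnet-level check while a classic single-target flood trips the per-host one. The sample addresses are from documentation ranges.

```python
"""Carpet-bombing DDoS detection by subnet aggregation.

Added example; not code from Neustar or the Help Net Security article.
Flow records and thresholds below are constructed / assumed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import random

# Assumed thresholds for a one-second window (bits per second).
PER_HOST_BPS = 500_000_000       # 500 Mbps to one destination IP
PER_SUBNET_BPS = 2_000_000_000   # 2 Gbps to one destination /24 in total


def make_sample_flows():
    """Constructed one-second flow summary as (dst_ip, bytes) pairs.

    198.51.100.0/24 : carpet-bombed, about 15 Mbps to every one of 256 hosts
    203.0.113.10    : classic single-target flood of about 800 Mbps
    192.0.2.0/24    : ordinary background traffic to a few hosts
    """
    rng = random.Random(1)  # fixed seed so results are reproducible
    flows = [(f"198.51.100.{h}", 1_875_000) for h in range(256)]
    flows.append(("203.0.113.10", 100_000_000))
    flows += [(f"192.0.2.{h}", rng.randint(10_000, 200_000)) for h in (5, 17, 42)]
    return flows


def aggregate(flows, prefixlen=24):
    """Sum bits per second per destination IP and per destination subnet."""
    per_host = defaultdict(int)
    per_subnet = defaultdict(int)
    for dst, nbytes in flows:
        bps = nbytes * 8  # one-second window, so bytes * 8 == bits/second
        per_host[dst] += bps
        net = ip_network(f"{dst}/{prefixlen}", strict=False)
        per_subnet[str(net)] += bps
    return per_host, per_subnet


def detect(flows, prefixlen=24):
    """Return alerts. The per-host check catches single-target floods; the
    per-subnet check catches carpet bombing that stays under the per-host
    line on every individual address."""
    per_host, per_subnet = aggregate(flows, prefixlen)
    alerts = []
    for host, bps in per_host.items():
        if bps >= PER_HOST_BPS:
            alerts.append({"kind": "single-target-flood", "target": host, "bps": bps})
    for net, bps in per_subnet.items():
        if bps < PER_SUBNET_BPS:
            continue
        block = ip_network(net)
        members = [b for h, b in per_host.items() if ip_address(h) in block]
        alerts.append({
            "kind": "carpet-bomb",
            "target": net,
            "bps": bps,
            "hosts": len(members),
            "max_host_bps": max(members),  # shows why per-IP thresholds miss it
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(make_sample_flows()):
        print(alert)
```

In production the same aggregation would run over a sliding window of NetFlow/sFlow records rather than a single second, and the /24 granularity would be replaced by the prefixes you actually announce; the point that survives is keeping a second counter keyed on the destination prefix, because the per-address counters stay quiet while the prefix as a whole is saturated.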

Source: https://www.helpnetsecurity.com/2019/04/25/ddos-attacks-q1-2019/

There is a direct correlation between cryptocurrency and DDoS attacks. As the price of cryptocurrency dropped in 2018, leading to decreased profits from cryptomining, hackers on the black market began to divert prime botnet resources to DDoS attack activities, which increased month by month.

DDoS attacks in 2018

In its 2018 DDoS Attack Landscape report, NSFOCUS analyzed the threat landscape after a landmark year of technological growth related to cloud computing, big data, artificial intelligence (AI), the Internet of Things (IoT) and Industry 4.0.

Key findings include:

  • Attackers were more inclined to launch DDoS attacks when the short-term benefits from cryptomining activities declined in 2018.
  • In 2018, DDoS attacks kept expanding in size as DDoS-as-a-Service experienced a fast growth.
  • Of all internet attack types, 25% of attackers were recidivists responsible for 40% of all attack events. The proportion of recidivists in DDoS attacks decreased in 2018, making up about 7% of DDoS attackers that launched 12% of attack events.
  • Cloud services/IDCs, gaming, and e-commerce were the top three industries targeted by attackers.
  • The total number of DDoS attacks in 2018 reached 148,000, down 28.4% from 2017, driven by effective protections against reflection attacks, which decreased considerably.
  • In 2018, the most frequently seen attacks were SYN flood, UDP flood, ACK flood, HTTP flood, and HTTPS flood attacks, which all together accounted for 96% of all DDoS attacks.
  • Of all DDoS attacks, 13% used a combination of multiple attack methods. The other 87% were single-vector attacks.

“The fluctuation of Bitcoin prices has a direct bearing on DDoS attack traffic,” said Richard Zhao, COO at NSFOCUS.

“This, along with other report findings, can help us better predict and prepare for DDoS attacks. Attackers are after profits and as we watch bitcoin fluctuate, we will continue to see this correlation pop up. DDoS attacks have never stopped since making their debut – analyzing trends in this report helps companies keep up with the fluid attack and threat landscape.”

Source: https://www.helpnetsecurity.com/2019/04/15/correlation-ddos-attacks-cryptomining/