Friday, July 30, 2021

The Rapid Resurgence Of DDoS Extortion (That Didn't Take Long).

Just when we thought DDoS extortion was fading into the rear-view mirror, it's time to circle the wagons again. Starting last week and accelerating rapidly, we began seeing in our data, and hearing firsthand from organizations, a new wave of extortion activity: new Bitcoin demands, new threat actor names, and new attacker tactics, techniques, and procedures (TTPs).

Perhaps the rapid resurgence in DDoS extortion was spurred on by the massive Colonial Pipeline payout? It's possible.

Whatever the attackers' motivations, we've seen a flurry of malicious activity, with new customers needing emergency integration of DDoS defenses in numbers not seen since the campaign heated up last August.

Let's take a closer look at the latest threat actors hitting the scene, and what organizations need to do now to be prepared.

With Summer Around The Corner, May Attack Activity Heats Up.

While we have firsthand data on just two verified extortion attacks, we've caught wind of six others from customers and prospects doing emergency onboarding of their networks. We have yet to see these attacks target a customer with an always-on security posture, suggesting the attackers are focusing on softer targets without in-line defenses. As in previous extortion campaigns, the latest round of attackers has targeted organizations across a variety of industries, including travel and hospitality, retail/e-commerce, high-tech/software, and consumer packaged goods. Some of these, travel in particular, align well with attackers seeking to exploit the highly anticipated, pent-up demand for summer travel as COVID-19 restrictions ease.

Based on our visibility into attack data, the first show-of-force assault peaked north of 150 Gbps and lasted an hour, while the second attack, on a different customer, upped the ante at over 250 Gbps for more than an hour. These sizes are consistent with previous extortion activity: bandwidth in the hundreds of gigabits per second spread across multiple destination IPs. The first attack had 11 target destinations (on the order of 10 Gbps to each), and the second had 7.

Let's Start With A Little Context.

How does this campaign fit within the broader trend of DDoS extortion? Since August 2020 we've tracked a few different waves of extortion campaigns, with attacker TTPs ebbing and flowing, overlapping and coexisting over time. We've even seen attackers combine the names of notorious APT groups to keep things fancy as they bring the extortion campaigns back to life. These most recent attacks align most closely with what we documented and mitigated in the v2 attacks in terms of target spread, while bleeding over into v1 traits with their tip-off DDoS attack vectors.

A Bit More About May 2021 Extortion Activity.

What is interesting about this latest extortion example is how it shares the attack-vector "poker tells" of earlier waves: somewhat unusual DDoS vectors, and the wide range of IP space that characterized v2 activity. Both attacks featured the Apple Remote Management Service (ARMS) vector, while the second attack also leveraged a UDP reflection/amplification technique abusing WS-Discovery (WSD), first observed as a DDoS vector in the fall of 2019 and also associated with previous DDoS extortion activity. Its sudden reemergence is a telltale sign that the targeted customers had most likely received an extortion demand.

Additionally, and as an important side note, the attacks we've observed are not particularly sophisticated. Ninety-nine percent of the malicious traffic came in just two packet lengths and was composed of easily blockable vectors. We believe this reflects the incredibly low barrier to launching an "entry-level" DDoS attack that still packs a punch in bandwidth but lacks the complexity associated with more advanced threat actors.
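As an added example (not Akamai or Prolexic tooling, and not from the original post), the Python below shows how a responder would pull the two tells described above out of flow records: reflector service ports showing up as the UDP *source* port (ARMS, i.e. Apple Remote Desktop's remote management service, is registered on UDP 3283; WS-Discovery on UDP 3702), and nearly all bytes landing on a couple of fixed response lengths. The flow records are constructed, the thresholds are arbitrary starting points, and the function names are mine.

```python
"""Triage a suspected UDP reflection/amplification flood from flow records.

Two tells, made concrete:
  1. reflected traffic carries the reflector's service port as the UDP
     *source* port (ARMS/Apple Remote Desktop 3283, WS-Discovery 3702,
     both IANA-registered ports);
  2. a given reflector answers with a fixed response size, so almost all
     bytes land on a handful of packet lengths.
Flow records below are constructed for the example; thresholds are
arbitrary starting points, not tuned values.
"""
from collections import Counter, defaultdict

# UDP source ports that mark a reflector answering a spoofed request.
REFLECTOR_PORTS = {3283: "ARMS", 3702: "WSD"}

# Flow record: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# Constructed sample over a 60 s window, not a real capture.
SAMPLE_FLOWS = (
    # ARMS reflectors, one fixed response size, spread over two victim IPs
    [(f"203.0.113.{i}", 3283, f"198.51.100.{10 + i % 2}", 10000 + i,
      27_000_000, 27_000_000 * 1032) for i in range(1, 41)]
    # WSD reflectors, a second fixed response size, a third victim IP
    + [(f"192.0.2.{i}", 3702, "198.51.100.12", 20000 + i,
        18_000_000, 18_000_000 * 1300) for i in range(1, 41)]
    # ordinary QUIC/HTTPS clients: ephemeral source ports, varied sizes
    + [(f"198.18.{i}.7", 40000 + i, "198.51.100.10", 443,
        30, 30 * (100 + 37 * i)) for i in range(1, 21)]
)


def vector_of(flow):
    """Name the reflection vector by UDP source port, else 'other'."""
    return REFLECTOR_PORTS.get(flow[1], "other")


def bytes_by_vector(flows):
    """Total bytes per vector name."""
    totals = Counter()
    for flow in flows:
        totals[vector_of(flow)] += flow[5]
    return totals


def length_profile(flows, top=2):
    """Return the `top` most common average packet lengths and the share
    of all bytes they carry. Fixed-size reflector responses push this
    share towards 1.0; a legitimate mix spreads it out."""
    by_len = Counter()
    total = 0
    for _, _, _, _, pkts, nbytes in flows:
        by_len[nbytes // pkts] += nbytes
        total += nbytes
    common = by_len.most_common(top)
    return [length for length, _ in common], sum(b for _, b in common) / total


def gbps_per_destination(flows, window_s):
    """Average bit rate per destination IP over the observation window."""
    by_dst = defaultdict(int)
    for flow in flows:
        by_dst[flow[2]] += flow[5]
    return {dst: b * 8 / window_s / 1e9 for dst, b in by_dst.items()}


def triage(flows, window_s, min_reflector_share=0.9, min_length_share=0.9):
    """Combine the two tells into a verdict and a first-cut mitigation.

    Dropping inbound UDP by *source* port is a blunt instrument: it also
    kills legitimate answers if the protected network itself queries those
    services. The length tell is what justifies it here."""
    by_vector = bytes_by_vector(flows)
    total = sum(by_vector.values())
    reflector_share = sum(b for v, b in by_vector.items() if v != "other") / total
    top_lengths, length_share = length_profile(flows)
    verdict = reflector_share >= min_reflector_share and length_share >= min_length_share
    ports = sorted({f[1] for f in flows if vector_of(f) != "other"})
    return {
        "reflector_byte_share": reflector_share,
        "top_lengths": top_lengths,
        "top_length_byte_share": length_share,
        "gbps_per_dst": gbps_per_destination(flows, window_s),
        "likely_reflection_flood": verdict,
        "drop_udp_src_ports": ports if verdict else [],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS, window_s=60)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict is positive, the two dominant lengths (1032 and 1300 bytes) carry essentially all the bytes, and the traffic splits across three destination IPs, which is the shape the post describes. Feeding the same function only the client flows returns a negative verdict and an empty block list, which is the check that keeps a source-port filter from being applied to a normal traffic mix.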

We've been told that the cost of launching a DDoS attack with dark web toolkits recently dropped from $10 to $5 (attack tools, it seems, aren't affected by inflation). Regardless of the increased access, the most recent extortion attacks consisted of some of our most frequently blocked DDoS vectors, and the vast majority of the traffic was mitigated consistently under our zero-second SLA once new customers had routed onto our platform.

With respect to threat actor locations, traffic in the first attack was sourced primarily from Russia and Asia, with European, Australian, and North and South American sources also active in the latest round. Two caveats apply. DDoS source IPs can easily be spoofed, and with reflection vectors such as ARMS and WSD the source addresses seen at the target are those of the abused reflectors, so the geography points to where exposed reflectors sit rather than where the operator does. Even so, we did observe a significant concentration of traffic originating from Russia specifically.

DDoS Guidance And Runbook Reminders.

As was the case in late summer 2020, we continue to hear about more attacks than we see in our data, because attacked customers seek emergency integrations and we don't have visibility into a customer's traffic until it is onboarded. Attack attempts and follow-on attacks also taper off once subnets and IP space are routed onto Prolexic for protection, as threat actors tend to move on to organizations that don't have adequate defenses in place.

We advise organizations to consider DDoS protections for all critical assets, both customer-facing and internal-facing, as the campaign continues and extortion as a top attack motivator shows no sign of letting up. And for companies that have put off updating runbooks and tabletop attack exercises due to COVID-19, now is the time to ensure that incident response plans and processes are current, not after you've experienced a DDoS event.
