Dawn of the Terrorbit Era

NETSCOUT Threat Intelligence Report 2H 2018 Reveals New Findings on IoT Vulnerabilities, Nation State Actors, Increase in DDoS Numbers, and Attack Size

Terrorbit DDoS Attack Era

When it comes to the global threat landscape, the second half of 2018 revealed the equivalent of attacks on steroids. In our latest Threat Intelligence Report, our researchers saw attackers bulk up existing tactics, rapidly evolve new performance enhancements, and apply smart business techniques to vastly accelerate attack growth rate. Internet of Things (IoT) devices were attacked within five minutes of being plugged into the internet. Malware authors not only built more advanced devices, but also applied their learnings from IoT botnet manipulation to target new areas such as commodity Linux servers using malware like Mirai. Malicious actors, criminal organizations, and even individuals busily diversified malware tools and families, attack vectors, and distribution channels — all aimed at an expanding array of targets. Meanwhile, nation-state advanced persistent threat (APT) group activity ratcheted up in volume and targets. Here are a few highlights of the major trends that we observed.

1. Countdown to Attack

Constant targets of DDoS malware, IoT devices are now under attack five minutes after being plugged in and targeted by specific exploits within 24 hours. IoT security

is minimal to nonexistent on many devices, making this an increasingly dangerous and vulnerable sector as now everything from life-saving medical devices and equipment to home security systems and cars are IoT-equipped.

2. The ‘Terrorbit Attack’ and Beyond

February and March of 2018 marked the first reported terabit attacks.

While the second half of 2018 didn’t reveal new attacks at that volume,

it is likely due to systemic changes to counter the Memcached vulnerability and the fact that other vectors didn’t emerge. Overall attack numbers were up 26 percent, while those in the 100–400 Gbps range exploded, showing continued interest and maturity of tooling in this midrange. It’s only a matter of time before new vulnerabilities drive attacks at the higher end again.

3. Nation-State Innovation

Activity from key nation-state actors such as China, Russia, Iran, and North Korea showed no sign of ebbing. New groups emerged, while known entities updated and evolved their tactics, techniques, and procedures (TTPs), combining custom tools with commodity crimeware to further extend their reach. We noted continued innovation from groups, such as the use of Chrome extensions to enable persistence in the STOLEN PENCIL campaign.

4. Commercialization of Crimeware

We saw a robust marketplace driven by well-stocked innovation pipelines from rapidly growing organizations. If this sounds like a business story, that’s because it is. The cybercriminal underground operates much like a legitimate business on the right side of the law, with the huge proviso that cybercrime organizations cause billions of dollars in damage and negatively impact major enterprises and governments.

For instance, campaigns such as DanaBot use an affiliate model that distributes labor to specialists and moves away from the more inefficient method of managing the entire process in house. While this was popularized a few years ago with exploit kits like Angler, DanaBot has taken it to the next level by rapidly establishing its presence across the globe with 12 separate affiliates targeting financial institutions in many countries. Can a B-school case study write-up be far behind?

About The Report

As threats grow across the landscape, NETSCOUT's unique position protecting enterprise networks and the internet through our service provider customers gives us wide visibility into this dynamic and ever-changing environment. NETSCOUT’s Arbor Active Threat Level Analysis System (ATLAS®) has actively monitored the global internet threat landscape since 2007. Today, it provides us with visibility into approximately one-third of the global internet.

By drawing on that comprehensive view with analysis driven by NETSCOUT's ATLAS Security Engineering & Response Team (ASERT), we have created a representative view of the threat landscape as we observed in the second half of 2018 based on all our data and driven by extensive research and analysis.


To download the full report, click here

You can also register for a webinar on the report results. Register here.