Something Wicked This Way Comes

NETSCOUT’s SOC tracks the Lazarus Bear Armada global DDoS extortion campaign

Cyber Extortion Image
Carol Hildebrand

The global pandemic has profoundly affected the worldwide economy, causing irreparable damage across a number of industries. At the same time, it has also created new opportunities for companies such as on-line retailers, delivery services, and electronic manufacturers. Unfortunately, legitimate businesses are not the only ones that see the opportunity. For cybercriminals, the COVID-19 pandemic has created an outstanding business opportunity—and they have taken full advantage.

The most recent example is the global Lazarus Bear Armada (LBA) campaign of Distributed Denial of Service (DDoS) extortion that began in mid-August.

We wanted to get some in-the-trenches observations of the campaign, and who better to ask than NETSCOUT’s Security Operations Center (SOC) team? As expert defenders supporting Arbor Cloud, the SOC has been right in the thick of things. The team has experienced a wave of emergency provisioning of new clients, and mitigates multiple campaign-related attacks on a daily basis.

The Plot Thickens

 The LBA campaign originally focused on the financial services sector, which tends to already have extensive security protections in place to mitigate such attacks. More recently, however, the SOC has observed that the threat actors behind the campaign have expanded their targets. “In recent weeks, we are seeing a sharp expansion of attacks beyond the financial industry to include other sectors,” said Carlos Morales, vice president and general manager of Arbor Cloud. “Prominent new targets include larger enterprises within the healthcare space, including insurers, medical testing companies, and global pharmaceutical companies. Some of these businesses are involved in COVID-19 testing and the development of vaccines.” Morales added that while he doesn’t believe the motive is to disrupt this work specifically, the fact that these companies have both deep pockets and urgent deadlines make them prime targets.

However healthcare giants are not the only targets. Morales is also seeing communications service providers, ISPs, large technology companies, and manufacturing coming under increased attack.

Morales also points out that the attacks are targeting infrastructure in addition to more conventional attacks focused on internet-facing services. The cybercriminals are focusing on disrupting ongoing operations within a company, such as the inbound/outbound use of VPNs and cloud-based tools by employees working from home. Unfortunately, for many of the companies being targeted, DDoS mitigation strategies and solutions have not been a high priority in the past, making them more vulnerable today.

If at First You Don’t Succeed, Adapt and Attack Again

The attackers behind this campaign have been doing their homework when it comes identifying the recipients chosen to receive the attacker’s extortion demands. Morales confirmed that the attacks seen with this campaign demonstrate that attackers have a good understanding of customer infrastructure and services. “By analyzing traffic that has been blocked by Arbor Edge Defense (AED) devices deployed in various customers’ networks, we have observed evidence of continuous reconnaissance that potential attackers are conducting,” he said.

The LBA attackers also know specifically how much capacity a target has, which allows them to allocate the volume of attacks more precisely. Since the SOC team believes that the group is renting a booter/stressor platform, such research makes good business sense: they can launch more attacks by using the resources they've rented efficiently.

Moreover, attack tactics have also matured, with the average number of vectors per attack growing to four to five vectors compared with one or two seen at the beginning of the extortion campaign. And once the attack is launched, attackers are nimble enough to tweak and change the parameters of the attack to try and circumvent any defenses. “These cybercriminals have embraced the old adage, ‘if at first you don’t succeed, try, try again,’ ” explained Gareth Tomlinson, director of NETSCOUT’s SOC. “Many of them are mixing their attack vectors based on research on the victim network, which dramatically increases the complexity of the attacks themselves, making it far more difficult to mitigate.”

While such deep research is common in one-off attacks, it is unusual to see in such a large-scale campaign. “The attackers seem to have to have a research division,” Morales said.

The Need for a Smart, Automated Perimeter Defense

The LBA attackers are well prepared, persistent, and have a lot of bandwidth at their disposal, so businesses need to make sure their defenses are working optimally to meet this threat effectively. This starts with deploying industry best-practice hybrid protection, which consists of always-on, on-premises defense such as Arbor Edge Defense (AED) that is tightly orchestrated with an upstream mitigation solution such as Arbor Cloud. A properly deployed hybrid solution reduces the attack surface available to attackers. However, deploying the right technology is only the first step. Comprehensive protection should also include the following:

  • Automation. Adding automation into your defense ensures heightened responsiveness to attacks and allows mitigation technology to quickly adapt to changing attack tactics.
  • Expertise. Operators must have the necessary expertise and processes to use the tools to their maximum effectiveness.
  • Testing. The defenses and the processes should be regularly tested to make sure that everything works well before having respond to a real attack.

Not all companies have the time and resources necessary to build such hybrid protection, so it is not surprising to see increased interest in managed services such as NETSCOUT’s Arbor Cloud and managed AED services. As the threat landscape evolves and attacks grow more sophisticated, bringing in professional services is often the best choice.

Learn more about DDoS managed services.