A note from the editor:
Against the backdrop of an unprecedented shift toward online workforce participation across the globe, Netscout’s ATLAS Security Engineering & Response Team (ASERT) observed a huge upsurge in distributed denial-of-service (DDoS) attacks, brute-forcing of access credentials, and malware targeting of internet-connected devices.
We observed multiple record-breaking events: the most DDoS attacks launched in a single month (929K), the most DDoS attacks in a single year (more than 10 million), and monthly DDoS attack numbers that regularly exceed the 2019 averages by 100,000 to 150,000 attacks. Combined with the weaponization of new reflection/amplification DDoS attack vectors allowing the abuse of misconfigured RDP over UDP, Plex Media SSDP, and DTLS services, an increasingly complex threat landscape rapidly emerged. And if that weren’t enough, a new threat actor known as Lazarus Bear Armada launched a global DDoS extortion campaign, using network reconnaissance to launch multivector attacks on critical pandemic infrastructure elements such as VPN concentrators, authoritative and recursive DNS servers, and upstream internet service providers’ (ISPs’) peering and customer aggregation routers.
In the face of this chaos, service providers and security experts rose to the occasion and stalwartly defended the critical infrastructure of our online world. By leveraging world-class engineering skills and key platforms such as Netscout’s ATLAS, our online access withstood the record-breaking attacks of 2020. Businesses remained connected to their employees, students continued their education via distance learning, and ecommerce revenue increased by leaps and bounds. Such perseverance and commitment have helped users and organizations not only to survive, but also to thrive in this permanently altered digital landscape.
Threat Intelligence Lead, Netscout
Contributors: Richard Hummel, Carol Hildebrand, Hardik Modi, Chris Conrad, Roland Dobbins, Steinthor Bjarnson, Jon Belanger, Gary Sockrider, Philippe Alcoy, Tom Bienkowski
Not all world records are cause for celebration—just look at the distributed denial-of-service (DDoS) attack numbers from 2020. As the COVID-19 pandemic triggered massive shifts in internet usage, online criminals quickly pounced, launching more than 10 million DDoS attacks aimed at crippling targets with a heavy reliance on online services. Attack frequency spiked by 20 percent year over year and 22 percent in the last six months of 2020.
Research from both Netscout’s ATLAS Security Engineering & Response Team (ASERT) and the 16th annual Worldwide Infrastructure Security Report (WISR) survey shows that the COVID-19 pandemic was the clear catalyst for this year’s unprecedented DDoS attack activity. Vital pandemic industries such as ecommerce, streaming services, online learning, and healthcare all experienced increased attention from malicious actors targeting the very online services essential to remote work and online life. According to data from the WISR, 83 percent of enterprises that suffered a DDoS attack reported that firewalls and/or VPN devices contributed to an outage due to the traffic, a year-over-year increase of more than 20 percent.
In mid-August, Lazarus Bear Armada (LBA) launched one of the most sustained and extensive DDoS extortion campaigns yet seen. Unsurprisingly, the number of DDoS extortion attacks reported by enterprise WISR respondents ballooned by 125 percent. LBA’s work was likely also influenced by the exigencies of the pandemic: the group’s victims included businesses involved in COVID-19 testing and vaccine development—enticing targets given their combination of both deep pockets and urgent deadlines. In addition to conventional attacks on internet-facing services, the cybercriminals also focused on disrupting ongoing operations within companies, such as the inbound/outbound use of VPNs, firewalls, and cloud-based tools by employees working from home.
Botmasters exploit pandemic vulnerabilities
Malware king Mirai continued to thrive in an Internet of Things (IoT)-rich environment, as remote work and online learning shifted core workforce access away from enterprise-grade protection and toward consumer-grade devices. A surge in brute-forcing and malware samples circulating in the wild paints a very clear picture, with adversaries attempting to absorb more devices into their botnets to further strengthen the frequency, size, and throughput of DDoS attacks worldwide.
This all adds up to a year of unprecedented DDoS attack activity across an already-booming cybercrime economy. And as we know, adversaries thrive on constant innovation. Attacks will only grow more complex, and threat actors will continue to discover and weaponize new attack vectors designed to exploit the vulnerabilities exposed by this enormous digital shift. Protecting our connected world has never been more important.