Issue 6: Findings from 2H 2020
Netscout Threat Intelligence Report
DDoS in a Time of Pandemic
Including the 16th annual Worldwide Infrastructure Security Report (WISR)
Next Section
Introduction
A note from the editor:
Against the backdrop of an unprecedented shift toward online workforce participation across the globe, Netscout’s ATLAS Security Engineering & Response Team (ASERT) observed a huge upsurge in distributed denial-of-service (DDoS) attacks, brute-forcing of access credentials, and malware targeting of internet-connected devices.
We observed multiple record-breaking events: the most DDoS attacks launched in a single month (929K), the most DDoS attacks in a single year (more than 10 million), and monthly DDoS attack numbers that regularly exceed the 2019 averages by 100,000 to 150,000 attacks. Combined with the weaponization of new reflection/amplification DDoS attack vectors allowing the abuse of misconfigured RDP over UDP, Plex Media SSDP, DTLS services, an increasingly complex threat landscape rapidly emerged. And if that weren’t enough, a new threat actor known as Lazarus Bear Armada launched a global DDoS extortion campaign, using network reconnaissance to launch multivector attacks on critical pandemic infrastructure elements such as VPN concentrators, authoritative and recursive DNS servers, and upstream internet service providers’ (ISPs’) peering and customer aggregation routers.
In the face of this chaos, service providers and security experts rose to the occasion and stalwartly defended the critical infrastructure of our online world. By leveraging world-class engineering skills and key platforms such as Netscout’s ATLAS, our online access withstood the record-breaking attacks of 2020. Businesses remained connected to their employees, students continued their education via distance learning, and ecommerce revenue increased by leaps and bounds. Such perseverance and commitment has helped users and organizations not only to survive, but also to thrive in this permanently altered digital landscape.
Richard Hummel
Threat Intelligence Lead, Netscout
Contributors: Richard Hummel, Carol Hildebrand, Hardik Modi, Chris Conrad, Roland Dobbins, Steinthor Bjarnson, Jon Belanger, Gary Sockrider, Philippe Alcoy, Tom Bienkowski
Partners: 
Netscout Cyber Threat Horizon
Executive Summary
Not all world records are cause for celebration—just look at the distributed denial-of-service (DDoS) attack numbers from 2020. As the COVID-19 pandemic triggered massive shifts in internet usage, online criminals quickly pounced, launching more than 10 million DDoS attacks aimed at crippling targets with a heavy reliance on online services. Attack frequency spiked by 20 percent year over year and 22 percent in the last six months of 2020.
Research from both Netscout’s ATLAS Security Engineering & Response Team (ASERT) and the 16th annual Worldwide Infrastructure Security Report (WISR) survey shows that the COVID-19 pandemic was the clear catalyst for this year’s unprecedented DDoS attack activity. Vital pandemic industries such as ecommerce, streaming services, online learning, and healthcare all experienced increased attention from malicious actors targeting the very online services essential to remote work and online life. According to data from the WISR, 83% of enterprises that suffered a DDoS attack reported that firewalls and/or VPN devices contributed to an outage due to the traffic, a year-over-year increase of more than 20 percent.
In mid-August, Lazarus Bear Armada (LBA) launched one of the most sustained and extensive DDoS extortion campaigns yet seen. Unsurprisingly, the number of DDoS extortion attacks reported by enterprise WISR respondents ballooned by 125 percent. LBA’s work was likely also influenced by the exigencies of the pandemic: the group’s victims included businesses involved in COVID-19 testing and vaccine development—enticing targets given their combination of both deep pockets and urgent deadlines. In addition to conventional attacks on internet-facing services, the cybercriminals also focused on disrupting ongoing operations within companies, such as the inbound/outbound use of VPNs, firewalls, and cloud-based tools by employees working from home.
Key Findings
DDoS crosses the 10 million attack threshold
For the first time in history, the annual number of observed DDoS attacks crossed the 10 million threshold, with Netscout’s ASERT seeing 10,089,687 attacks over the course of the year.
A new normal: More than 800,000 attacks per month
As the pandemic lockdown took effect, DDoS attacks exceeded 800,000 in March and remained above that threshold for the rest of the year. Indeed, cybercriminals launched 929,000 DDoS attacks in May, the single largest number of monthly attacks we’ve ever seen. That is a significant increase from the highest monthly total observed in the six months prior—732,000 attacks in December 2019.
Global DDoS extortion campaign
LBA launched a global campaign of DDoS extortion attacks that took down the New Zealand stock exchange in its debut attack. From there, LBA broadened its target base considerably to include financial services and financial-adjacent entities, healthcare, communications service providers, internet service providers (ISPs), large technology companies, and manufacturing. The downstream effect was significant, with the number of DDoS extortion attacks reported by WISR respondents increasing by 125 percent year over year.
The campaign remains active as adversaries have begun retargeting previously targeted organizations. The adversary cites the victim’s failure to pay the original extortion demand as the cause for renewed attacks.
UDP-based DDoS attack vectors fuel attack increases
New reflection/amplification DDoS vectors that leverage abusable commercial products and open-source User Datagram Protocol (UDP) capabilities continued to be discovered across the internet, fueling the next generation of attacks.
Cyber actors exploited and weaponized at least four such DDoS attack vectors in 2020. As these new vectors become available, adversaries such as LBA co-opt them, as was the case with the Microsoft Remote Desktop Protocol (RDP)-over-UDP vector weaponized in late 2020. The total number of vectors used in individual attacks has soared, with a record-setting 26 attack vectors deployed in a single attack in 2020.
Botmasters exploit pandemic vulnerabilities
Malware king Mirai continued to thrive in an Internet of Things (IoT)-rich environment, as remote work and online learning shifted core workforce access away from enterprise-grade protection and toward consumer-grade devices. A surge in brute-forcing and malware samples circulating in the wild paints a very clear picture, with adversaries attempting to absorb more devices into their botnets to further strengthen the frequency, size, and throughput of DDoS attacks worldwide.
This all adds up to a year of unprecedented DDoS attack activity across an already-booming cybercrime economy. And as we know, adversaries thrive on constant innovation. Attacks will only grow more complex, and threat actors will continue to discover and weaponize new attack vectors designed to exploit the vulnerabilities exposed by this enormous digital shift. Protecting our connected world has never been more important.
