Bad Packets 2017 – A Year in Review
2017 has been another eventful year for denial-of-service attacks. Radware’s ERT team has monitored a vast number of events, giving me ample opportunities to review and analyze attack patterns to gain further insight into trends and changes in the attack vector landscape. Here is some insight into what we have observed:
Attackers continue to leverage IoT devices to build their massive botnets. We have observed attacks that use modified variants of Mirai or Bashlite, and we have seen the rise of new botnets like Reaper, Persirai, Imeij, BrickerBot, Zyklon and WireX. They also search for new attack vectors to employ within these botnets so they can effectively carry out their network-crippling attacks. One of the more notable attack vectors we have found this year was the introduction of the Connectionless Lightweight Directory Access Protocol (CLDAP) attack vector.
CLDAP is an alternative to the LDAP protocol on port 389. Threat actors use it to connect, search and modify internet directories. LDAP servers on Windows support TCP connections while CLDAP works via UDP. Because of this, hackers are able to launch reflective and amplified attacks by abusing exposed LDAP servers. The CLDAP request to the LDAP server will return an amplification factor to the targeted IP between 45-55. In the last six months, Radware’s ERT has observed more than 800 CLDAP reflected attacks.
Two of the most common attack trends observed in 2017 were burst attacks and RDoS campaigns. Throughout 2017 we have reported on a number of groups running ransom-based denial-of-service campaigns, specifically targeting the financial industry, along with other attackers targeting the gaming industry and service providers with short burst attacks.
RDoS – In 2016, ransom was the #1 motivation behind cyber-attacks and this trend continued in 2017. RDoS attacks are financially rewarding to cyber criminals who enjoy large monetary gains for a very small investment. In 2017 Radware observed ransom letters from groups claiming to be FancyBear, XMR Squad, Armada Collective, Anonymous and Phantom Squad. These criminals are using other groups’ names as a form of intimidation with no intention of following through on their original threat. The average ransom request for an RDoS campaign is normally 1 Bitcoin depending on market conditions.
Burst – In 2016, burst attacks were a common trend, and like RDoS attacks, continued to be a prominent trend in 2017. Over the year, burst attacks have become more complex and frequent with longer durations. Typically, industries sensitive to service availability are more frequently targeted by attackers using this method. Unlike tradition attacks that are persistent, burst attacks are timely, or random bursts of high traffic rates. These attacks often leave organizations with no time to respond, and when targeting the gaming industry, two seconds of service disruption could result in total game disruption.
And the targets are…
Some of the most frequently targeted industries that we have seen this year include service providers and financial institutions. The financial services, both crypto and non-cryptocurrency, have experienced a high number of attacks this year with some of the lead threats originating from hacktivist and financially-driven cyber criminals. Service providers also find themselves as not only the primary target but oftentimes the secondary target for massive DDoS campaigns when the volume exceeds the infrastructure capacity of the original target.
Other Notable Attacks from 2017:
- 123-Reg – Just days into the new year, hosting provider 123-Reg experienced a brief outage affecting a number of customer websites.
- Sundance Film Festival – The Sundance Film Festival experienced a denial-of-service attack directed at its box office, resulting in a network outage.
- Lloyds Bank – A large scale DDoS attack prevented customers at Lloyds Bank, Halifax and the Bank of Scotland from accessing online services.
- Hong Kong Brokers- Hong Kong securities brokers reported a service disruption caused by a denial-of-service attack after receiving an extortion email.
- Dr. Web / Emsisoft – The websites of Dr. Web and Emsisoft experienced a denial-of-service attack following the release of a Ransomware decrypter.
- IoT devices turn on a university network – Verizon reported in their Data Breach Digest that an undisclosed university suffered from a denial-of-service attack originating from its own IoT devices.
- Taiwan Brokers – Taiwan securities brokers reported a service disruption caused by a denial-of-service attack after receiving an extortion email.
- Austria Parliament – The parliament said that a group of Turkish hackers were responsible for a denial-of-service attack that knocked out their website.
- Bitfinex – Bitfinex was hit by a large scale denial-of-service attack when Bitcoin broke through the $1,100 barrier for the second time in the year.
- Luxembourg Government – Over 100 websites went offline as a result of a denial-of-service attack on Luxembourg government servers. The attack reportedly lasted over 24 hours.
- Alfa Bank – Russian bank Alfa announced that their network had suffered from a denial-of-service attack on its DNS server.
- Lotte Duty Free – Following a land swap deal with the U.S., South Korea’s Lotte Duty Free said it experienced a denial-of-service attack that resulted in a network outage.
- Dutch Government – After the political fallout between the Netherlands and Turkey, two Dutch websites experienced denial-of-service attacks from pro Turkish hackers.
- GoDaddy – Hosting provider GoDaddy experienced a denial-of-service attack on some of their DNS servers, resulting in customer outages for about six hours.
- Melbourne IT – Australian ISP, Melbourne IT announced that they had experienced a large-scale denial-of-service attack targeting their DNS server.
- Cedexis – A sophisticated denial-of-service attack on Cedexis resulted in an outage for major French news websites Le Monde and Le Figaro.
- BTC-e – Cryptocurrency exchange BTC-e experienced a large-scale denial-of-service attack that disrupted services and took the website offline.
- Bitfinex – Bitfinex, a U.S. bitcoin exchange suffered from a denial-of-service attack that resulted in a network outage just a day after launching trading for IOTA.
- Questrade – Questrade, a Canadian brokerage reported a denial-of-service attack resulting in users being unable to access online trading platforms.
- Final Fantasy – Final Fantasy XIV players have reported experiencing connectivity issues as a result of a denial-of-service attack on the games North American data center.
- Square Enix – Square Enix faced an Advanced and Persistent Denial-of-service attack, APDoS, in June and July following the launch of the Stormblood expansion pack for Final Fantasy 14. In July the attackers shifted focus from game services in the North America data center and began targeting upper tier internet service providers.
- Malaysian brokers – Malaysian securities brokers reported a service disruption caused by a denial-of-service attack after receiving an extortion email.
- CoinBase – Coinbase, a San Francisco-based cryptocurrency exchange reported a denial-of-service attack resulting in users facing issues while trying to withdraw their funds.
- Chinese Telco – Researchers announced that a Chinese Telcom firm experienced a denial-of-service attack that lasted for 11 days.
- Ukraine National Postal Service – The Ukraine National Postal Service managed by Infrastructure Ministry experienced a denial-of-service attack that lasted for two days.
- Blizzard Entertainment – Blizzard Entertainment experienced a massive denial-of-service attack that resulted in disconnection and latency issues for World of Warcraft and Overwatch.
- Charlottesville – After racial protests, hacktivist group Anonymous carried out several denial-of-service attacks against the official website of Charlottesville, Virginia as part of OpDomesticTerrorism.
- DreamHost – A DDoS attack was allegedly the cause of significant outages to one of the world’s largest web hosting companies.
- Verrit – Verrit, a fact checking website, claimed they experienced a denial-of-service attack immediately after Hillary Clinton endorsed the platform.
- Saudi Arabia General Entertainment Authority – Saudi Arabia’s General Entertainment Authority (GEA) experience a denial-of-service attack resulting in a website outage.
- Danish Ministries of Immigration and Foreign Affairs – Turkish hackers claimed responsibility for a denial-of-service attack that resulted an outage for the Danish Ministry of Immigration website.
- National Lottery U.K. – A denial-of-service attack brought down the national lottery in the United Kingdom, resulting in players unable to buy lottery tickets online.
- Butler Community College – Butler Community College experienced a denial-of-service attack the resulted in an outage for the school’s network.
- America’s Cardroom – America’s Cardroom was hit by a denial-of-service attack that disrupted a major tournament. This attack prompted the CEO of the company to issue a 10 Bitcoin bounty for information on the attack.
- Sweden Transport Administration – Sweden Transport Administrations, Trafikverket, suffered from a denial-of-service attacks that brought down the IT system managing trains, as well as their email system and website. The following day the Sweden Transport Agency, Transportstyrelsen, and public transport operators, Vasttrafik, were both hit by a similar attack.
- Spanish Government – Several Spanish government websites experienced a denial-of-service attack as a result of an Anonymous operation, OpCatalonia.
- Danish Supermarkets – Danish supermarket chains, Bilka and Fotex, both said their websites were taken down by denial-of-service attacks at the launch of their Black Friday sales.
- Electroneum – A U.K. cryptocurrency startup experienced a denial-of-service attack that shut investors out of their accounts for several days.
- Boston Globe – The Boston Globe suffered from a denial-of-service attack for two days, resulting in an outage.
- Bitfinex & Coinbase – Digital currency exchanges, Coinbase and Bitfinex have both experienced outages and service degradation, leaving traders frustrated. Bitfinex has experienced significant attacks that have lasted for several days.
Moving into 2018, we expect to see the Denial-of-Service landscape continue to evolve at a steady rate as IoT devices become even more widely accepted and deployed. Over the next year, I expect attackers to find more vulnerable devices to leverage in their botnets due to poor default security standards and continuing to adopt publicly disclosed vulnerabilities within days of disclosure. As the price of Bitcoin and other digital currencies continue to skyrocket, I expect to see more malicious and non-malicious floods taking down exchanges during market volatility. Banks and brokerages will continue to be targeted by DDoS extortionists, and hacktivists will continue launching Denial-of-Service attacks against government agencies as a result of political or social protest.