DDoS attacks in Q1 2020 - harlan4096 - 09 May 20
Quote:
News overview
Since the beginning of 2020, due to the COVID-2019 pandemic, life has shifted almost entirely to the Web — people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery services, and gaming and educational platforms.
For instance, attackers in mid-March tried to disable the website of the US Department of Health and Human Services (HHS). The purpose of the attack was seemingly to deprive citizens of access to official data about the pandemic and measures taken against it. At the same time, unknown cyber actors spread misinformation in social networks and via text and e-mail about the introduction of a nationwide quarantine in the US. The attempt failed: the HHS website continued to function, despite the increased load.
The victim of another DDoS attack was the large Paris-based group of hospitals Assistance Publique-Hôpitaux de Paris. Cybercriminals attempted to disable the infrastructure of medical institutions. As a result, remote hospital workers were unable to use programs and corporate e-mail for some time. However, the attackers failed to paralyze the entire organization.
The food delivery services Lieferando (Germany) and Thuisbezorgd (Netherlands) found themselves in a more awkward situation. DDoS attacks on both companies meant that although they could accept orders, they could not process them and had to return customers’ money. What’s more, the cybercriminals targeting Lieferando demanded 2 BTC (a shade over US$13,000 at the time of writing) to halt the DDoS.
The German distance-learning platform Mebis was attacked on the very first remote school day. The service, which enables teachers in the federal state of Bavaria to exchange materials, homework, and tests with schoolchildren, was down for several hours.
Online games, whose popularity has soared under quarantine, were hit repeatedly. In particular, attackers flooded the servers of Battle.net and Eve Online with junk traffic, the latter facing nine straight days of bombardment. Belarusian company Wargaming also came under fire: players of World of Tanks, World of Warships, and other titles had problems with server speeds for several days. However skeptical users claimed that the problems had nothing at all to do with cybercriminals.
Australian authorities in late March reported a DDoS attack on the MyGov social services portal, but a couple of hours after the major announcement they were forced to admit they had made a mistake. It turned out that the site could not cope with the influx of perfectly genuine requests from citizens out of work as a result of the pandemic.
Besides DDoS attacks directly or indirectly related to the all-conquering coronavirus, this quarter saw a continuation of politically motivated attacks. In the second half of January, for instance, unknown cyber actors made two attempts to bring down the websites of government agencies and emergency services in Greece.
Among the resources taken temporarily offline were the websites of the prime minister, several ministries, the fire service, and the police. The Turkish group Anka Neferler Tim claimed responsibility for the first attack, but the Greek authorities are not rushing to any final conclusions, especially since the perpetrators of the second attack have yet to announce themselves.
This year will see the next US presidential election, and the runup to it, as always, is accompanied by DDoS attacks. For example, a voter registration and information website was hit in early February. The attackers employed the PRSD (pseudorandom subdomain attack) technique to send numerous requests to non-existent subdomains of the site. However, the DDoS attempt failed: the resource was protected against attacks of this kind.
Financial institutions were not spared either. In February, the cryptocurrency exchanges OKEx and Bitfinex were subjected to sophisticated DDoS attacks. The first has assured that it handled the incident without detriment to users, while the second was forced offline for an hour. According to Bitfinex management, this was necessary to set up specialized protection. Whether the incidents were just similar or related is not known.
The BitMEX crypto exchange likewise announced a DDoS attack this quarter — not once but twice. Its access problems coincided with a sharp drop in the value of bitcoin, which prompted a wave of suspicion among customers. Some believe that the exchange intentionally went offline to prevent a mass sell-off. BitMEX later promised to pay compensation, but only to 156 users who had lost deals in the ETH/USD pair.
As in the previous quarter, ransomware attacks by well-known APT groups made the news. In late February, Australian financial institutions received e-mails demanding large sums in the cryptocurrency Monero. The attackers introduced themselves as the Silence group, and threatened DDoS attacks for non-payment. Earlier, e-mails with similar threats had been received by companies from Singapore, Turkey, South Africa, and other countries. The ransomers went by the various names of Cozy Bear, Fancy Bear, Anonymous, Carbanak, and Emotet in the hope that victims would google them and be scared into compliance.
Unlike these international ransomware groups, a teenager from Odessa who last year tried to DDoS a company that had refused to coooperate was caught by police in January 2020. The youngster wanted to force a Ukrainian internet service provider to hand over information about a customer. On being refused, he attempted to disable the company’s network. The attack was reported to be quite powerful.
Overall, the past quarter was fairly rich in arrests. In February, Arthur Dam was detained in the US charged with carrying out four DDoS attacks on the website of congressional candidate Bryan Caforio in 2018, taking it offline for a total of 21 hours. The prosecution noted that Dam’s wife worked for Caforio’s rival Katie Hill, who ultimately won the vote.
Another cybercriminal was detained in Krasnodar in mid-March for attacking the online store of a company in Cherepovets, Russia. Although he had carefully masked the source of the DDoS attack, cyber police managed to trace him. The individual claimed that he had simply wanted to demonstrate his skills and offer his services to the company to defend against DDoS attacks. However, the idea failed even before his arrest, since he was unable to bring down the site.
This guy is by no means the only “double agent” in the DDoS world. In New Jersey, Tucker Preston, founder of BackConnect, a DDoS mitigation firm, admitted to a similar crime. From December 2015 to February 2016, Preston hired third parties to bombard the New Jersey-based servers of an unnamed organization with junk traffic. The offense carries up to ten years in jail and a maximum fine of US$250,000.
The owners of a website allegedly used to launch custom DDoS attacks could also be forced to fork out. Video game publisher Ubisoft filed a lawsuit against the resource after a string of attacks on the servers ofTom Clancy’s Rainbow Six Siege. According to the developer, the site — which purportedly helps clients test their own security — actually specializes in DDoSing games. Ubisoft is seeking the closure of the resource and damages from the owners.
Quarter trends
This quarter has been dominated by the coronavirus pandemic, which has shaken up many things in the world, including the DDoS market. Contrary to our forecast in the last report, in Q1 2020 we observed a significant increase in both the quantity and quality of DDoS attacks. The number of attacks doubled against the previous reporting period, and by 80% against Q1 2019. The attacks also became longer: we observed a clear rise in both the average and maximum duration. The first quarter of every year sees a certain spike in DDoS activity, but we did not expect this kind of surge.
...
Continue Reading
|