NETSCOUT’s Arbor Active Threat Level Analysis System (ATLAS®) has actively monitored the global internet threat landscape since 2007. Today, it provides visibility into approximately one-third of the global internet.
As threats grow across the landscape, NETSCOUT’s unique position protecting enterprise networks and the internet through its service provider customers gives it wide visibility into this dynamic and ever-changing environment. Drawing on that comprehensive view, with analysis driven by NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT), they created a representative view of the threat landscape as observed in the first six months of 2018, based on their data and extensive research and analysis.
What did they find? The threat landscape is changing more rapidly, expanding its footprint and shifting tactics. Methods that are commonplace in the DDoS threat tool kit have spread to crimeware and espionage. This accelerating internet-scale threat paradigm changes the frontiers for where and how attacks can be launched, observed and interdicted.
1. DDoS attacks enter the terabit era.
Last winter’s Memcached-based attacks ushered in the terabit era of DDoS attacks. In fact, NETSCOUT Arbor mitigated the largest DDoS attack yet seen, a 1.7 Tbps DDoS attack in February of 2018.
2. Attack volume up, frequency down.
They saw about 2.8 billion attacks in the first half of 2018. While that’s a huge number of attacks, the big news lies in size rather than frequency.
From 2017 to 2018, they saw a slight drop in attack frequency accompanied by a dramatic increase in attack size and scale. However, that drop in frequency doesn’t mean that DDoS attacks are abating. The maximum size of DDoS attacks increased 174% in H1 2018 compared with the same timeframe in 2017. It is our assessment that as attack tools grow more sophisticated, attackers have found it easier and cheaper to launch larger, more effective attacks.
3. APT groups expand beyond traditional arena.
More nations are operating offensive cyber programs and we in the research community are observing a broader set of threat actors. Indeed, nation-state-sponsored activity has developed beyond the actors commonly associated with China and Russia, as their findings include campaigns attributed to Iran, North Korea and Vietnam.
4. Crimeware actors diversify attack methods.
While email campaigns remain the primary attack venue, they observed notable changes in methods designed to accelerate malware proliferation. Inspired by 2017 worm events such as WannaCry, major crimeware groups added worm modules to other malware with distinct objectives such as credential-theft or traditional loaders. They also saw an increased focus on cryptocurrency mining in malware. It seems that attackers see this method as a less risky and more profitable alternative to ransomware, since the latter has the unfortunate side effect of drawing attention from law enforcement agencies.
5. Countries can be highly targeted by DDoS campaigns.
While the trend of a large increase in attack size outpacing growth in frequency played out fairly consistently across regions, they saw some countries and regions disproportionately targeted. The Asia Pacific region experienced a disproportionately large number of high-volume attacks in comparison with other regions. China emerged as a highly targeted country, with 17 attacks greater than 500 Gbps in the first half of 2018 versus none during the same timeframe the year before.
6. Vertical industry targets expand.
Analysis of targeted verticals reveals some insights year over year. Telecommunications providers and hosting services continued to see the overwhelming majority of attacks, but there were also big year-over-year shifts in a number of vertical sectors. Attacks on system integrators and consultancies were up, and government agencies such as consulates, embassies, the International Monetary Fund, the State Department, and the United Nations experienced a sharp uptick in attacks. This aligns with the use of DDoS by governments as well as by those ideologically opposed to the interests these institutions represent.
7. New DDoS attack vectors are rapidly leveraged…
The Memcached attack campaign used vulnerabilities in misconfigured Memcached servers to launch enormous DDoS attacks, a process that took very little time from initial reporting to the first attack tool being made available and utilized to cause global impact. While there was considerable mobilization worldwide to fix vulnerable servers, the vector remains exploitable and will continue to be used. The reality is, once a DDoS type is invented, it never really goes away.
8. …While old ones get new life.
Simple Service Discovery Protocol (SSDP) has been used for reflection/amplification attacks for many years, and ASERT debunked reports this year that claimed this existing tool represented a new type of DDoS campaign with potentially millions of vulnerable devices. However, ASERT did uncover a new class of SSDP abuse where naive devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets has ephemeral source and destination ports, making mitigation more difficult—an SSDP diffraction attack.
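As an added example (not NETSCOUT or ASERT code), the following Python classifies constructed UDP flow records to separate Memcached reflection, standard SSDP reflection sourced from UDP/1900, and the SSDP diffraction case described above, where the reply arrives from an ephemeral source port and a source-port filter alone no longer identifies it. The `Flow` record type and the sample addresses are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

MEMCACHED_PORT = 11211   # memcached UDP listener abused in the 2018 terabit attacks
SSDP_PORT = 1900         # standard SSDP port; ordinary reflection replies come from here

@dataclass
class Flow:              # hypothetical flow record type for this example
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def is_ssdp_response(payload: bytes) -> bool:
    """SSDP M-SEARCH replies are HTTP-style text carrying ST and USN headers."""
    head = payload.upper()
    return head.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in head and b"\r\nUSN:" in head

def is_memcached_response(payload: bytes) -> bool:
    """memcached UDP frames carry an 8-byte frame header before the ASCII reply."""
    return len(payload) > 8 and payload[8:].startswith(b"VALUE ")

def classify(flow: Flow) -> str:
    if flow.src_port == MEMCACHED_PORT and is_memcached_response(flow.payload):
        return "memcached-reflection"
    if is_ssdp_response(flow.payload):
        # Reflection proper: reply sourced from UDP/1900, so a source-port ACL catches it.
        # Diffraction: the device answered from an ephemeral port, so only the
        # payload shape identifies the flow.
        return "ssdp-reflection" if flow.src_port == SSDP_PORT else "ssdp-diffraction"
    return "other"

def summarize(flows) -> Counter:
    return Counter(classify(f) for f in flows)

SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
              b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")
MEMCACHED_REPLY = b"\x00\x01\x00\x00\x00\x01\x00\x00" + b"VALUE k 0 5\r\nhello\r\nEND\r\n"

# Constructed flows toward one victim (192.0.2.10); all addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", MEMCACHED_PORT, "192.0.2.10", 80, MEMCACHED_REPLY),
    Flow("198.51.100.6", SSDP_PORT, "192.0.2.10", 443, SSDP_REPLY),
    Flow("198.51.100.7", 49152, "192.0.2.10", 33211, SSDP_REPLY),   # diffraction
    Flow("198.51.100.8", 61002, "192.0.2.10", 40100, SSDP_REPLY),   # diffraction
    Flow("198.51.100.9", 53, "192.0.2.10", 53, b"\x12\x34\x81\x80"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

The diffraction flows would pass a filter that only drops UDP source port 1900, which is why the classifier keys on the reply's payload rather than its ports.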
9. Targeted APT campaigns can involve internet-scale footprints.
As nation-state APT groups continue to develop globally, they were particularly interested in observations of internet-scale activity in the strategic sphere, where campaigns such as NotPetya, CCleaner and VPNFilter involved broad proliferation across the internet, even though the ultimate targets in some instances were highly selective. These are distinct from the targeted attacks enterprises have become accustomed to dealing with over time, which often involve direct spear-phishing and limited scope to avoid detection and maintain presence. In this respect, targeted campaigns can now be backed by internet-scale intrusions.
10. New crimeware platforms and targets emerge.
Not satisfied with adding new malware modules, crimeware actors also busily developed new platforms, such as the Kardon Loader beta observed by ASERT. At the same time, well-known malware platforms such as Panda Banker are being directed at new targets.
The information contained in this website is for general information purposes only. The information is gathered from Arbor Networks; while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.