DDoS attacks employ new devices, methods: Kaspersky report

Read time 4min 40sec
DDoS attackers use new tricks.
DDoS attackers use new tricks.

When it comes to DDoS attacks, threat actors are using old vulnerabilities in new ways, employing cameras and printers in their attacks, and monetise their efforts using cryptocurrency.

This was revealed in a Kaspersky Lab report, called DDoS attacks in Q2 2018, which found that activity by Windows-based DDoS botnets decreased almost sevenfold, while the activity of Linux-based botnets grew by 25%.

"This resulted in Linux bots accounting for 95% of all DDoS attacks in the quarter, which also caused a sharp increase in the share of SYN flood attacks, up from 57% to 80%."

According to the report's researchers, Timur Ibragimov, Oleg Kupreev, Ekaterina Badovskaya and Alexander Gutnikov, what they forecast in the previous quarter's report has been confirmed: cybercriminals are continuing to look for new, non-standard amplification methods to perform these attacks.

Following the recent wave of Memcached-based attacks, experts found a new amplification method using another vulnerability in the Universal Plug and Play protocol. Essentially, it allows garbage traffic to be sent from several ports instead of just one, switching them randomly, which hinders the blocking process.

More headaches

In terms of new botnets, researchers say these are causing more headaches for cybersecurity specialists. "A case worth mentioning is the creation of a botnet formed from 50 000 surveillance cameras in Japan. Another serious danger is posed by a new strain of the notorious Hide-n-Seek malware, which was the first of all known bots to withstand, under certain circumstances, a reboot of the device on which it had set up shop."

Although so far this botnet has not been used to carry out DDoS attacks, experts can't rule out such functionality being added at a later stage, particularly as the options for monetising the botnet are limited.

Large paydays

One of the most popular methods of monetising DDoS attacks is targeting cryptocurrency sites and exchanges. Moreover, DDoS attacks are not only used to prevent competitors from growing their investors, but for a large payday. "An incident with the cryptocurrency Verge is a case in point. In May, a hacker attacked Verge mining pools, and made off with XVG 35 million ($1.7 million)."

Windows-based DDoS botnets decreased almost sevenfold, while the activity of Linux-based botnets grew by 25%.

In addition, June this year saw cybercriminals bring down the Bitfinex cryptocurrency exchange, with the system crash followed by a wave of garbage traffic that indicated a multistage attack that was most likely aimed at undermining the site's credibility.

Political motivations

According to the researchers, the majority of media hype in the past quarter was generated by politically motivated DDoS attacks. Mid-April saw UK and US law enforcement bodies cautioned that a significant number of devices had been seized by Russian, believed to be Kremlin-sponsored, hackers across the US, the EU, and Australia with a view to carrying out future attacks.

In late April, a Russian target was hit. "The site of the largest Russian political party, United Russia, was down for two days, yet there was precious little public speculation about the masterminds behind the DDoS campaign."

Researchers also cited the attack on Danish railway organisation DSB, which battled to offer services to passengers for several days as a result. This attack was also alleged to be politically motivated, viewed by some as a continuation of the attack on Swedish infrastructure in October 2017.

Nabbing the bad guys

In terms of shutting down these attacks, law enforcement agencies have been making some progress, the researchers said. "In late April, Europol managed to shut down Webstresser.org, the world's largest DDoS-for-hire service. When it was finally blocked, it had over 136 000 users and had served as the source of more than 4 million DDoS attacks.

Whether or not this made a significant difference is debatable. Some companies reported a marked decline in DDoS activity in Europe, while others said they noted a rise in the number of DDoS attacks in all regions, which might have been the result of attackers looking to compensate by creating new botnets and expanding old ones.

During Q2, a number of DDoS attack masterminds were nabbed and convicted. "German hacker ZZboot was sentenced for attacking large German and British firms and demanding a ransom. He received 22-months probation instead of hard time. Another hacker, Chung from Taipei, was arrested for allegedly attacking the Taiwan Bureau of Investigation, the Presidential Administration, Chungwa Telecom, and the Central Bank."

The researchers said another, amateur hacker who called himself the Bitcoin Baron was arrested, fined and jailed. Although his skills were rudimentary, he had terrorised US towns for several years, crashing the Web sites of official institutions and demanding ransoms. One incident saw his actions seriously hindering emergency response services.

The Bitcoin Baron attempted to paint himself as a cyber activist, but his behaviour belied that, particularly as he claimed he attempted to bring down the site of a children's hospital by flooding it with child pornography.

Have your say
Facebook icon
Youtube play icon