Netscout observed a record 10 million distributed denial-of-service (DDoS) attacks in the second half of 2020, and the lessons it distilled from the resulting data are pretty bleak: Even as the world grappled with the impacts of a global pandemic, cybercriminals were taking advantage of end users without enterprise-grade security and targeting online services that people were depending on, such as e-commerce, online learning, streaming services and healthcare.
Netscout reported a “huge upsurge in distributed denial-of-service (DDoS) attacks, brute-forcing of access credentials, and malware targeting of internet-connected devices. … We observed multiple record-breaking events: the most DDoS attacks launched in a single month (929K), the most DDoS attacks in a single year (more than 10 million), and monthly DDoS attack numbers that regularly exceed the 2019 averages by 100,000 to 150,000 attacks.”
“The COVID-19 pandemic was the clear catalyst for this year’s unprecedented DDoS attack activity,” according to the report. “Vital pandemic industries such as ecommerce, streaming services, online learning, and healthcare all experienced increased attention from malicious actors targeting the very online services essential to remote work and online life.”
“Cybercriminals set multiple records in 2020, taking advantage of the shift towards remote work across the globe,” said Richard Hummel, threat intelligence lead at Netscout Systems. “The second half of last year witnessed a huge upsurge in DDoS attacks, brute-forcing of access credentials, and malware targeting internet-connected devices. As the COVID-19 pandemic continues, it will be imperative for security professionals to remain vigilant to protect critical infrastructure.”
“Cybercriminals exploited vulnerabilities exposed by massive internet usage shifts since many users were no longer protected by enterprise-grade security,” Netscout concluded.
The number of enterprise respondents reporting DDoS extortion attacks increased by 125%, Netscout said. Meanwhile, the very tools that enterprises needed more than ever during the pandemic — firewalls and virtual private network concentrators — became overloaded and contributed to outages in 83% of the enterprises that suffered DDoS attacks. That’s a 21% increase over conditions in 2019.
The highest number of observed DDoS attacks in a month — 929,000 in May — far outpaced the highest monthly number in the six months prior, which was 732,000 attacks in December 2019, reflecting a “new normal” in attack levels, the company said.
In particular, Netscout noted the activities of the threat actor Lazarus Bear Armada (LBA), saying that LBA launched “one of the most sustained and extensive DDoS extortion campaigns yet seen” and that its work “was likely … influenced by the exigencies of the pandemic: the group’s victims included businesses involved in COVID-19 testing and vaccine development—enticing targets given their combination of both deep pockets and urgent deadlines.” LBA’s debut DDoS extortion attack took down the New Zealand stock exchange. LBA broadened its targets from there and sought to disrupt operations of a wide range of enterprises (financial services, healthcare, ISPs, manufacturing and others) by targeting VPNs, firewalls and cloud-based tools that were needed by employees working from home.
The work-learn-and-live-from-home shift also provided more fodder for botnets, as people leaned more heavily on consumer-grade devices. “A surge in brute-forcing and malware samples circulating in the wild paints a very clear picture, with adversaries attempting to absorb more devices into their botnets to further strengthen the frequency, size, and throughput of DDoS attacks worldwide,” Netscout said.
Netscout’s Threat Intelligence Report from the second half of 2020 can be accessed here.