Staying ahead of DDoS’ Recent Comeback


The problem of Distributed Denial of Service (DDoS) has been around for quite some time. Most might have first become aware of its potential when Anonymous leveraged it against Middle-Eastern governments in the late 2000s. Indeed, most people in cybersecurity might think, “DDoS, that’s so 2015.” But that is precisely the problem. Most organisations have not taken the time to understand the threat of DDoS, assuming that various anti-DDoS services would be sufficient to deal with an attack. As we are seeing now, DDoS attacks have become more sophisticated and much larger.



Is DDoS making a comeback?

DDoS attacks started making a comeback in late 2020, when threat actors calling themselves Fancy Lazarus started making extortion demands against victims. While their attacks weren’t spectacular, they were significant enough to do damage, including taking down the New Zealand Stock Exchange. While DDoS continued to fly under the radar, it created a significant headache for many organisations. It was common to see cybersecurity experts dismissing downtime as “oh, it was only DDoS,” as if that should have made the victims dealing with lost revenue, added costs, and reputational damage feel better. Not to mention the threat actors who have been using DDoS as a cover for other types of cyberattacks.

Reignition sparked by Russia’s invasion of Ukraine?

Since the start of Russia’s invasion of Ukraine, DDoS attacks have reached a new and increasing level. Recent DDoS attacks have targeted Ukraine and Ukrainian allies, going after sectors including Travel and Finance, such as the European Investment Bank (EIB). In the EIB incident, the supposed-hacktivist group Anonymous Sudan (aka Storm-1359) claimed responsibility for taking their primary website offline on 19 June. This follows a string of other DDoS attacks by Anonymous Sudan, with targets including Microsoft’s Outlook on 7 June, OneDrive on 8 June, and Azure on 9 June.


Who is really behind the recent DDoS attacks?

While many of the attacks are carried out by self-proclaimed hacktivist organisations, analysts largely believe that these groups are state-aligned and likely not hacktivist groups. For example, while Anonymous Sudan presents itself as a group of religiously and politically motivated hacktivists from Sudan targeting countries for anti-Sudan or anti-Islamic activity, it is openly affiliated with Russia’s KillNet “hacktivist” group. KillNet has been active in targeting Ukraine and pro-Ukrainian organisations since Russia invaded Ukraine in February 2022. CyberCX provides a thorough, evidence-based assessment whose “findings indicate that Anonymous Sudan is unlikely to be an authentic hacktivist actor, as it claims, and instead may be affiliated with the Russian state” (see sources).

There is no reason to believe attacks from actors such as Anonymous Sudan will taper off. Indications point to the opposite for at least the next 3-6 months. While there’s no need to panic (DDoS attacks won’t bring an end to our humanity; we have ChatGPT for that), we at Venation recommend preparing for the increased level of DDoS activity using a scenario-based approach.



The good news (and recent DDoS TTPs)

The good news is that the DDoS attacks we are seeing today, including Anonymous Sudan’s attacks, while more substantial than those of a few years ago, are not really novel in their techniques. According to Microsoft, the group launched several types of layer 7 DDoS attacks, including HTTP(S) floods (exhausting system resources with a high load of SSL/TLS handshakes and HTTP(S) request processing), cache bypass (attempting to get past the CDN layer, which can result in overloading the origin servers), and Slowloris (requesting a resource, e.g. an image, and failing to acknowledge the download, forcing the web server to keep the connection open and the requested resource in memory). In most, if not all, cases the actors leveraged their botnet to initiate the activities.
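The cache-bypass technique described above leaves a recognisable trace in origin-server access logs: one client hitting the same path with a different query string on every request, so nothing is served from the CDN cache. The following detection is an added example written for this post, not code from Microsoft or Venation; the log lines are constructed, the simplified log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in a simplified combined format
# (client, timestamp, request line, status). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 [19/Jun/2023:10:00:01 +0000] "GET /index.html?cb=8121 HTTP/1.1" 200
203.0.113.7 [19/Jun/2023:10:00:01 +0000] "GET /index.html?cb=8122 HTTP/1.1" 200
203.0.113.7 [19/Jun/2023:10:00:01 +0000] "GET /index.html?cb=8123 HTTP/1.1" 200
203.0.113.7 [19/Jun/2023:10:00:02 +0000] "GET /index.html?cb=8124 HTTP/1.1" 200
203.0.113.7 [19/Jun/2023:10:00:02 +0000] "GET /index.html?cb=8125 HTTP/1.1" 200
198.51.100.4 [19/Jun/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200
198.51.100.4 [19/Jun/2023:10:00:03 +0000] "GET /logo.png HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (client ip, path, query string) per line; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        yield m.group("ip"), path, query

def cache_bypass_suspects(log_text, min_requests=5, min_unique_ratio=0.8):
    """Flag (ip, path) pairs where nearly every request carries a distinct query
    string. A unique-query ratio near 1.0 over many requests is the signature of
    cache-busting: each request misses the CDN cache and lands on the origin.
    Thresholds are assumed defaults; tune them to the site's normal traffic."""
    per_key = defaultdict(lambda: {"n": 0, "queries": set()})
    for ip, path, query in parse(log_text):
        stats = per_key[(ip, path)]
        stats["n"] += 1
        stats["queries"].add(query)
    suspects = {}
    for (ip, path), s in per_key.items():
        ratio = len(s["queries"]) / s["n"]
        if s["n"] >= min_requests and ratio >= min_unique_ratio:
            suspects[(ip, path)] = s["n"]
    return suspects

if __name__ == "__main__":
    for (ip, path), n in cache_bypass_suspects(SAMPLE_LOG).items():
        print(f"cache-bypass pattern: {ip} -> {path} ({n} requests, all distinct query strings)")
```

Flagged (ip, path) pairs are candidates for a CDN rule that ignores unknown query parameters when computing the cache key, or for rate limiting at the edge, so the origin stops absorbing the misses.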

As these types of DDoS attacks are not revolutionary, you can prepare for them by using threat scenarios tailored to different types of DDoS activity. A threat scenario gives you the information required to understand a DDoS attack chain, the relevant TTPs (tactics, techniques, and procedures), the active threat actors in this space, and the steps clearly laid out so you can conduct a tabletop exercise with your team. To dive deeper into the benefits of a scenario-based approach, see Venation’s previous blog post “Preparing for software supply-chain threats using a scenario-based approach.”


Preparation through a scenario-based approach

Paying attention to threat landscape trends, we produced a threat scenario on DDoS attacks in December 2022 that we’ve continuously updated since then. Currently, the dominant threat actors on the DDoS scene aren’t ransomware groups but Russian hacktivists with state connections (or direct state sponsorship). With this comes access to resources and the backing (sometimes, the orders) to maintain DDoS activity beyond what a typical Anonymous-type collective could sustain. Moreover, multi-vector DDoS attacks are an area where threat actors are innovating, and all of this is underpinned by the increasing proliferation of Internet-of-Things devices. We don’t mean to spread FUD (fear, uncertainty, and doubt) but to highlight some of the key trends to be aware of in order to make informed decisions about defence posture.


In our threat scenario, we detailed the likely attack chains of threat actors deploying UDP flood attacks, SYN flood attacks, and HTTP GET attacks. Interested in reading more? The Venation DDoS Threat Scenario is now available in our Venation content platform.


Interested in more relevant content on the topic? Here are some links to articles from authors we respect and appreciate:



In digital security, a lot of time is wasted on understanding the biggest threats to an organisation. Current solutions provide too much information, raising more questions than answers, necessitating excess manual analysis, and leaving responders with little time to act.

Venation empowers heroes at the front line of cyber security in radically improving their productivity. We drive this change through developing products and services that reduce the time spent identifying, prioritising, and taking action on digital threats. We exist to make prioritising security investments as efficient as possible.

#threatlandscaping #cyberthreatintelligence #cybersecurity #storytelling #threatintelligence #threatscenarios #riskscenarios #riskmanagement #DDOS #distributeddenialofservice
