By Philippe Alcoy, Security Technologies for NETSCOUT
The Covid-19 pandemic has presented a fantastic opportunity for cybercriminals. With internet usage figures increasing significantly, following the imposition of lockdown measures throughout the world, threat actors pounced.
NETSCOUT’s recently published Threat Intelligence Report – which details the activities and trends in the DDoS threat landscape for the second half of 2020 – found that cybercriminals collectively launched over 10 million Distributed Denial-of-Service (DDoS) attacks last year, the first time that threshold has been crossed. Attack frequency rose 22 per cent from 2019 to 2020 (1.6 million more DDoS attacks in 2020), with a further 22 per cent increase concentrated in the final six months of 2020 – a clear indication that cybercriminals were exploiting the challenging circumstances created by the global health crisis.
For the most part, the threat actors behind these DDoS attacks aimed to cripple Covid-era lifelines: industries that relied heavily on online services, such as healthcare, online education, streaming platforms and e-commerce, were targeted far more heavily than in previous years.
However, it was the finance industry that really felt the brunt of threat actors’ DDoS attacks, receiving a disproportionate number of them during the last six months of 2020. Organisations that operate within this sector are a prime target as they are perceived to have access to vast amounts of money, as well as large swathes of private data. High-profile examples of DDoS attacks against the financial sector include the DDoS extortion attack that hit the New Zealand stock exchange in August 2020, as well as the powerful DDoS attack that disrupted a number of Hungarian banking and telecommunication services in September 2020.
Types of DDoS attacks
DDoS attacks are designed to overwhelm targeted systems, causing maximum disruption and shutting down services. This is done by flooding the targeted network, application, or service with internet traffic, preventing genuine users from reaching the system they need. It is worth noting, however, that DDoS attacks come in a number of different forms.
One form that has been aimed at organisations within the finance industry in particular is the DDoS extortion attack. The threat actor first launches a demonstration DDoS attack against part of an organisation’s online infrastructure. The attacker then emails the targeted business, threatening to launch a full-scale DDoS attack if a ransom is not paid within a set period of time. These demands call for payment in cryptocurrency, chosen so that the payment is harder for law enforcement authorities to trace.
In August 2020, a global campaign of DDoS extortion attacks was launched by a group of cybercriminals. The threat actors behind the campaign claim to be affiliated with attack groups who are well known within industry media, such as ‘Lazarus Group’, ‘Fancy Bear’, and ‘Armada Collective’. This is done in an attempt to boost the attackers’ credibility and scare their targets in order to make them pay up. NETSCOUT has assigned the moniker ‘Lazarus Bear Armada’ (LBA) to the attackers. The first attack launched by the group targeted the New Zealand stock exchange and knocked the system offline for two days in a row, preventing trading from taking place.
Following the group’s debut attack on the New Zealand stock exchange, the adversaries have gone on to target exchanges, banks and other financial institutions, as well as internet service providers, healthcare organisations and large technology firms. Reflecting the LBA DDoS extortion campaign, the Worldwide Infrastructure Security Report (WISR) found that the number of DDoS extortion attacks increased by around 125 per cent from 2019 to 2020. These attacks can cost financial institutions significant sums even when the organisation does not pay the ransom, because the DDoS attack itself causes downtime for parts of the organisation.
Another type of DDoS attack that has been used against organisations in the financial sector is the reflection/amplification attack. It combines two techniques: reflection, in which requests are sent to third-party servers with the victim’s address forged as the source so that the replies are directed at the victim, and amplification, in which the chosen services return replies that are far larger than the requests. Using this attack method, cybercriminals can magnify the volume of malicious traffic they are capable of generating while at the same time concealing the true sources of the attack traffic.
What makes this type of DDoS attack such a threat to businesses that operate in the financial sector is that there is nothing out of the ordinary about the devices and servers used to launch it. Consumer devices and ordinary servers, which display no evidence of having been compromised, can be turned into reflectors for a reflection/amplification DDoS attack. Furthermore, sophisticated tools are not required to launch one. This means that cybercriminals can create huge volumetric attacks using just one well-connected server or a modest pool of bots, which makes these forms of DDoS attack challenging to prevent.
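Because the reflectors themselves look like ordinary servers, the practical detection signal on the victim’s side is unsolicited, oversized UDP replies arriving from well-known service ports and from many sources at once. The following is an added illustration, not code from NETSCOUT or from the report: it runs that check over a handful of constructed NetFlow-style records. The flow record layout, the reflector port list, and the thresholds are assumptions chosen for the example.

```python
"""Flag reflection/amplification traffic in exported flow records.

Added example; not NETSCOUT's code. Assumes flow records carry a 5-tuple,
direction relative to the protected network, and byte/packet counts. All
records below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services frequently abused as reflectors (assumed list for the example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "UDP" or "TCP"
    direction: str   # "in" = toward the protected network, "out" = leaving it
    nbytes: int
    npackets: int


# Constructed sample: one legitimate DNS exchange, one stray DNS packet, and
# a burst of unsolicited NTP/SSDP "replies" converging on a web server.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 40001, "198.51.100.1", 53, "UDP", "out", 70, 1),
    Flow("198.51.100.1", 53, "10.0.0.5", 40001, "UDP", "in", 120, 1),
    Flow("192.0.2.9", 53, "10.0.0.7", 51000, "UDP", "in", 90, 1),
    Flow("203.0.113.10", 123, "10.0.0.20", 80, "UDP", "in", 1760, 4),
    Flow("203.0.113.11", 123, "10.0.0.20", 80, "UDP", "in", 1760, 4),
    Flow("203.0.113.12", 123, "10.0.0.20", 80, "UDP", "in", 1760, 4),
    Flow("203.0.113.13", 123, "10.0.0.20", 80, "UDP", "in", 1760, 4),
    Flow("203.0.113.50", 1900, "10.0.0.20", 80, "UDP", "in", 1200, 4),
]


def detect_reflection(flows, min_reflectors=3, min_bytes_per_packet=400):
    """Return alerts for internal hosts receiving unsolicited, oversized UDP
    replies from reflector ports across several distinct sources."""
    # Every outbound UDP request we actually sent, keyed so that a reply can
    # be matched back to it: (our_ip, our_port, remote_ip, remote_port).
    requested = {
        (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        for f in flows
        if f.direction == "out" and f.proto == "UDP"
    }

    per_victim = defaultdict(
        lambda: {"reflectors": set(), "nbytes": 0, "npackets": 0, "services": set()}
    )
    for f in flows:
        if f.direction != "in" or f.proto != "UDP":
            continue
        if f.src_port not in REFLECTOR_PORTS:
            continue
        # A genuine reply corresponds to a request we sent; skip those.
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in requested:
            continue
        entry = per_victim[f.dst_ip]
        entry["reflectors"].add(f.src_ip)
        entry["nbytes"] += f.nbytes
        entry["npackets"] += f.npackets
        entry["services"].add(REFLECTOR_PORTS[f.src_port])

    alerts = []
    for victim, entry in per_victim.items():
        bpp = entry["nbytes"] / entry["npackets"]
        # Many sources plus large packets is the reflection/amplification shape;
        # a single stray packet does not qualify.
        if len(entry["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            alerts.append({
                "victim": victim,
                "reflectors": len(entry["reflectors"]),
                "nbytes": entry["nbytes"],
                "bytes_per_packet": bpp,
                "services": sorted(entry["services"]),
            })
    return sorted(alerts, key=lambda a: a["nbytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(f"{alert['victim']}: {alert['reflectors']} reflectors, "
              f"{alert['nbytes']} bytes, {alert['bytes_per_packet']:.0f} B/pkt, "
              f"services={','.join(alert['services'])}")
```

On the sample data only 10.0.0.20 is reported, since the DNS reply to 10.0.0.5 matches an outbound request and the single packet to 10.0.0.7 never reaches the source-count threshold. In production the same logic would run over a sliding time window of real flow exports, with the thresholds tuned to the organisation’s normal UDP baseline.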
How can organisations in the finance industry defend themselves?
The best defence against DDoS extortion attacks, reflection/amplification attacks and other types of DDoS attacks is a strong DDoS defence system. Financial institutions that have adequately prepared to defend their online infrastructure by putting in place an effective DDoS mitigation system have experienced few or no problems from DDoS attacks. For example, even though the threat actors behind the ongoing DDoS extortion campaign conduct pre-attack reconnaissance, the DDoS attacks the group has launched have been easily mitigated by financial institutions that use standard DDoS protection services. When faced with a DDoS extortion demand, financial organisations are far better off investing in a strong DDoS mitigation service than paying the ransom. It is also important for financial institutions to test their DDoS mitigation services periodically, to ensure that any changes to the organisation’s online infrastructure are incorporated into its DDoS defence plan.
In addition, it is vital that organisations in the finance industry know who to contact and notify should they be on the receiving end of a DDoS attack. Key stakeholders, local and national regulators and security providers should all be contacted in the event of a DDoS attack. Financial institutions should also familiarise themselves with the details of high-profile DDoS attacks and DDoS attack campaigns so that they are better prepared for potential future threats. For example, there are obvious similarities between the ongoing DDoS extortion campaign and the DD4BC (‘DDoS for Bitcoin’) series of attacks that ran from 2014 to 2016, with both campaigns targeting the financial sector.
Although a DDoS attack can have a catastrophic impact on financial organisations, the damage can be kept to a minimum provided that the institution has a strong and effective DDoS mitigation system in place, together with an appropriate plan of action for the event that it is hit by a DDoS attack.