2021 was a whirlwind of a year for the security industry. In addition to the still ongoing COVID pandemic, threat actors have continued to evolve at an alarming rate throughout the year, pushing the boundaries of the current landscape to new limits and leaving many wondering if we as an industry can keep up with the growing and ever more resourced criminal complex.
We saw criminal enforcement and offensive operations launched with minimal success throughout last year. We have also seen threat actors learn from prior mistakes and become less active on major social media platforms. There were also notable advancements in the Ransom Denial of Service landscape and a growing partnership between Ransomware operators and DDoS operators. And as always, we saw new DDoS records set this year.
Enforcement in 2021
This year, when it comes to Denial of Service, law enforcement and offensive-based operations against threat actors have had a minimal impact on the DDoS threat landscape. For example, this year, the Secret Service of Ukraine (SSU) arrested a man for creating and running a botnet with over 100,000 infected nodes. The Dutch Police sent notification letters to 29 Dutch residents warning that they had been identified as users of a DDoS-for-Hire service. And the United States Department of Justice charged a Turkish national for conducting DDoS attacks via an Android smartphone-based botnet, WireX.
In general, one would think that police enforcement and offensive-based operations would be enough of a deterrent to slow the rising tide of DDoS operators, but they would be wrong. In Q3 2021, Radware reported that we had mitigated 75% more DDoS attacks in the first nine months of 2021 than in 2020. This was expected though, as our researchers in 2020 noted a rise in DDoS-for-Hire services during the beginning of the pandemic, despite the numerous attempts by law enforcement to prevent the growth of the DDoS threat landscape the year prior.
At the core, the issue is profit. There is too much money on the table for threat actors to walk away from the DDoS landscape at this point. Today, when a DDoS operator is removed from the threat landscape, other operators simply take their place.
Staying Below the Radar
For those not motivated by profit, mainly hacktivists, there have been a few lessons learned from the past as new groups began to change their procedures in 2021. For example, the threat group DragonForce, which carried out several cyber-attacks against Israel in the spring and summer of 2021, moved away from conventional media platforms and created its own forum to conduct its operations.
This was an interesting shift this year, but one that was expected. At the beginning of 2021, even the criminal underground began experiencing difficulties dealing with brazen ransomware operators and affiliates who openly conducted business on public forums, similar to when hacktivists organized and conducted DDoS campaigns on social media platforms. As a result, threat actors were censored or banned from those malicious forums.
It seems that hacktivist groups in 2021 are learning how to withdraw from the public eye, self-govern and run their platforms below the radar without fear of being de-hosted. As a result, these lessons learned will make it more difficult for an analyst to track threat actors as conversations move away from one centralized platform to end up on multiple, unknown, specialized forum locations across the internet.
RDoS on the Rise
At the beginning of 2021, Radware published an alert about a Ransom Denial of Service (RDoS) group circling back to previous victims who were targeted during the summer of 2020. In the new RDoS letters, the group stated that the targeted organizations did not respond to or pay the ransom demand from the original campaign in August of 2020 and subsequently would be targeted by a DDoS attack if they were not paid.
While this event was notable, it was just the beginning of what would become an impressive year when it came to RDoS attacks. In June 2021, during a Radware Threat Research Live episode, while discussing the Fake DarkSide campaign targeting the Energy and Food sector, I predicted that we would soon see RDoS groups leveraging the names of ransomware groups. Three months later, a wave of RDoS attacks began targeting VoIP providers. Specifically, during the attack on VoIP.ms, the threat actors called themselves REvil, a notorious ransomware group that had just returned to the threat landscape after completely disappearing following the Kaseya VSA ransomware attack.
The broader RDoS campaign targeting multiple VoIP providers such as VoIP.ms, Voipfone, VoIP Unlimited, and Bandwidth.com sparked concern as critical infrastructure was impacted, resulting in an industry-wide warning from Comms Council UK, which stated that there was currently a “coordinated extortion-focused international campaign by professional cyber criminals” targeting IP-based communication services providers during the month of October. And while in the past RDoS attacks have generally been considered a low-tier threat that is easy to mitigate, one of the victims, Bandwidth.com, is expected to lose up to $12 million following the DDoS extortion attempt it faced, as a result of service downtime, signaling that RDoS threats are evolving.
A third significant wave of RDoS attacks was also observed at the end of the year, at the same time as the VoIP industry was under attack. This event was an RDoS campaign targeting multiple email providers such as Runbox, Posteo, and Fastmail. One of the more notable observations from this campaign was that the group calling themselves the ‘Cursed Patriarch’ was demanding around $4,000, similar to the amount requested during the RDoS campaigns that originally targeted email providers back in 2015.
Going into 2022, I expect the RDoS landscape to continue evolving and eventually merge with the greater ransomware threat landscape.
Combining Forces: Ransomware + DDoS
If you are currently sitting there asking yourself what the difference is between Ransomware and an RDoS attack, don’t worry. It can get confusing. Luckily, Radware’s Director of Threat Intelligence, Pascal Geenens, recently wrote a blog about the difference between the two. To recap, Ransomware attacks leverage crypto-locking malware that destroys systems and makes data inaccessible until a ransom has been paid. An RDoS attack is a bit different: it leverages a Denial of Service attack to cause service degradation or network outages in order to extort the victim.
The problem? Ransomware operators are now starting to employ DDoS operators as part of what is now known as triple extortion. A single extortion ransomware attack is just the encryption of data on the targeted device. A double extortion ransomware attack involves the exfiltration of the encrypted data with the threat of publication if a ransom demand is not paid. Triple extortion is when a Ransomware operator uses Denial of Service attacks against the targeted network to bring negotiators back to the table. In 2020 Ransomware operators such as SunCrypt and RagnarLocker used Denial of Service attacks during negotiations. In 2021 we have seen the addition of Avaddon, Darkside, Yanluowang, and HelloKitty using Denial of Service attacks during their ransomware campaigns.
In the world of DDoS botnets, there have been a few significant takedowns and developments across the threat landscape this year. For example, at the beginning of 2021, many IoT researchers intently followed the developments related to a P2P botnet known as Mozi. 360 Netlab was the first to disclose the botnet back in 2019; it had since grown from a small botnet into an advanced, multi-module threat. But in the summer of 2021, 360 Netlab announced that Mozi was dead due to the operator’s arrest in China. While this is great news, most realize how long it will take for this botnet to truly die. While it will no longer receive updates, it will continue spreading for some time because of its architecture and design. Similar to the long tail of the XTC/Hoaxcall botnet, it will likely take years to disappear. Unfortunately, you cannot take something like a P2P botnet down in a single action: there is no central command-and-control to seize. The only way this botnet will officially die and disappear is when all of the targeted network devices are rebooted, updated, or replaced.
Another botnet that gained significant attention throughout 2021 was the Manga/Dark.IoT botnet. This botnet was also observed by Juniper and Palo Alto Networks throughout the year. The Manga/Dark.IoT botnet revealed nothing extraordinary when analyzed. It’s a typical Mirai-based IoT botnet that sticks to its primary threat vector, DDoS attacks, and does not diversify its operations into mining crypto or data theft. The one thing that stood out to the security industry about this threat was the operator’s ability to quickly evolve and expand the botnet’s capabilities by incorporating recently disclosed exploits into their arsenal. For example, in March 2021, Unit42 researchers at Palo Alto Networks reported that the operators behind this botnet leveraged CVE-2021-27561 and CVE-2021-27562 within hours of the vulnerabilities being disclosed.
The Manga/Dark.IoT campaign this year also provided researchers with several opportunities to explore the trials and errors threat actors face while building and developing a DDoS botnet. One of the most challenging aspects of building a large-scale botnet is competing with other threat actors for vulnerable resources. Those who cannot develop or discover exploits rely on public disclosure. Once a PoC is posted, it is a race to be the first to leverage the exploit and gather as many vulnerable devices as possible. This process is trial and error: some threat actors never work out how to properly leverage the vulnerabilities, while those who do might discover the attempt was not worth their time and effort. In 2021 the operators behind the Manga/Dark.IoT botnets leveraged nearly two dozen exploits. More recently, in December 2021, the botnet was seen targeting TP-Link routers.
Notable DDoS Attacks
To be honest, I’m shocked that no one has claimed any of the record-breaking DDoS attacks that I’m about to cover. It wasn’t long ago that hacktivists and DDoSers quickly claimed their attacks, or the attacks of others…, on social media. But today, mum seems to be the word with threat actors. We have seen one record-breaking DDoS attack after another this year without a peep from the underground. In some cases, Ransomware operators such as Lockbit have taken to underground forums to ask who launched an attack and whether their botnet or services were available. With this new silent treatment, it has become increasingly challenging to track criminal activity, but one thing is clear: the bad guys do have larger DDoS cannons nowadays.
For example, in August 2021, Cloudflare reported detecting a world-record 17.2 Mrps (million requests per second) attack that originated from 20,000 bots based in 125 countries. Less than a month later, Qrator reported detecting a similar record-breaking attack that produced 21.8 Mrps from nearly 56,000 MikroTik devices. These massive DDoS attacks only lasted for roughly 60 seconds, leaving many researchers wondering who and what was behind them.
As early reports have indicated, Meris is believed to be responsible for these two attacks. Meris is reported to be a large-scale IoT botnet that leverages compromised MikroTik routers and HTTP pipelining to launch short but large-scale volumetric DDoS attacks through a network of SOCKS proxies.
A month after the original Meris attacks, Microsoft reported that it had detected and mitigated a 2.4 Tbps (terabits per second) DDoS attack targeting an Azure customer in Europe. The attack was said to originate from nearly 70,000 bots in multiple countries in the Asia-Pacific region, similar to the Meris reports. As with the other attacks, this one was also short-lived, with its main burst lasting only 60 seconds.
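The attacks above share a signature a defender can look for in plain HTTP access logs: a request rate far above baseline, spread across many distinct sources, sustained for only about a minute. The following is an added example, not Radware’s code or a tool from the post, that groups consecutive high-rate seconds into bursts and reports each burst’s duration, peak requests per second, and distinct source count. The log format, the thresholds, and the traffic sample are all assumptions constructed for the example.

```python
"""Burst detector over constructed HTTP access-log lines.

Added example (not Radware's code). It looks for the traits the post attributes
to the Meris-style floods: a very high requests-per-second rate from many
distinct sources, sustained for a short window. The log format, thresholds and
sample traffic are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed minimal log format: "<ISO-8601 timestamp> <client_ip> <request_path>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<path>\S+)$")


def parse_line(line):
    """Return (epoch_second, source_ip), or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return int(ts.timestamp()), m["src"]


def bucket_by_second(lines):
    """Map each epoch second to the list of source IPs that sent a request in it."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:  # unparseable lines are skipped, not fatal
            sec, src = parsed
            buckets[sec].append(src)
    return buckets


def _finish(b):
    return {
        "start": b["start"],
        "duration_s": b["end"] - b["start"] + 1,
        "peak_rps": b["peak_rps"],
        "distinct_sources": len(b["sources"]),
    }


def detect_bursts(lines, rps_threshold):
    """Group consecutive seconds with >= rps_threshold requests into bursts.

    The distinct-source count across the whole burst is what separates a
    distributed flood from a single noisy client hitting the same threshold.
    """
    buckets = bucket_by_second(lines)
    bursts, current = [], None
    for sec in sorted(buckets):
        rps = len(buckets[sec])
        if rps < rps_threshold:
            continue
        if current is None or sec != current["end"] + 1:
            if current is not None:
                bursts.append(_finish(current))
            current = {"start": sec, "end": sec, "peak_rps": 0, "sources": set()}
        current["end"] = sec
        current["peak_rps"] = max(current["peak_rps"], rps)
        current["sources"].update(buckets[sec])
    if current is not None:
        bursts.append(_finish(current))
    return bursts


def constructed_log():
    """Constructed sample: 20 s of light traffic, a 5 s burst of 60 requests
    per second from 30 sources, then 10 s of light traffic and one junk line."""
    t0 = datetime(2021, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(offset, src, path="/"):
        ts = (t0 + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} {src} {path}")

    for s in range(0, 20):
        emit(s, "198.51.100.7")
        emit(s, "198.51.100.8", "/login")
    for s in range(20, 25):
        for i in range(60):
            emit(s, f"203.0.113.{i % 30 + 1}")
    for s in range(25, 35):
        emit(s, "198.51.100.7")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for burst in detect_bursts(constructed_log(), rps_threshold=30):
        print(burst)
```

On real traffic the threshold should come from the service’s own baseline rather than a fixed number, and the same pass can be extended to count requests per connection, since the HTTP pipelining the post mentions shows up as many requests arriving on far fewer connections than sources.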
While there are still questions remaining about Meris and its origin, these attacks do highlight the growing and ever-evolving threat landscape around DDoS attacks. Going into 2022, I predict we will see the progression and evolution of the threat landscape resulting in more significant DDoS attacks as threat actors learn to maximize their bots’ resources while staying silent about their work.
Looking beyond Meris and all the other advancements this year, we can see going into 2022 that DDoS attacks will never disappear from the threat landscape. While many will discount the threat as trivial or the actors as low-level skids, they will quickly discover in the new year that attacks do not have to be complex to be effective.
Going forward in 2022, I hope that things begin to normalize for society, but in reality, we need to begin preparing for a totally remote and digitally dependent future. To support this future, governments around the world, in partnership with the greater security complex, need to find a better way to successfully counter threat actors and learn how to control the threat landscape. Only then will we be able to keep up with a well-resourced enemy.