Results about cyberattack activity from Q3 are in, and right off the bat we noticed that more DDoS attacks were blocked during the first nine months of 2021 than in all of 2020. During the third quarter, DDoS records for large volumetric attacks were broken across three continents. At the same time, phantom floods, or micro attacks that typically fly below the radar, increased.
The reality is that organizations need more granular detection and multi-layer defenses to protect against today’s stealthier and more complex DDoS attacks. Something important to note is that a single quarter is not an indicator of a trend. The full report analyzes DDoS, network and application attack activity sourced from Radware’s cloud and managed services and Radware’s Global Deception Network; this post only lightly touches on its findings.
The most attacked industry in the third quarter was technology, with an average of 2,638 attacks per company, followed by healthcare (1,785 attacks per company), communications (1,525 attacks per company) and finance (1,337 attacks per company). Although the total number of events for the third quarter was slightly below previous quarters in 2021, the number stayed above the highest quarterly level recorded in 2020. To take it a step further, the total volume blocked in the first three quarters of 2021 was 44% higher than in the same period of 2020.
So why did we see a dip in Q3? The attackers changed their tactics from saturation-based floods to server resource–consuming, application-level attacks.
Q3 was not without its share of record DDoS attacks: in September, a threat actor known as REvil wreaked havoc on service providers in the UK and Canada with colossal ransom demands.
Web Application Attacks Doubled
Banking and finance were hit the hardest and accounted for almost 23% of all blocked web application security events. To break it down further, government (16%), technology (15%) and retail (12%) were among the most attacked industries.
Web application attacks doubled every quarter this year; predictable resource location was witnessed twice as often as SQL injection, followed by code injection attacks and cross-site scripting attacks.
Unsolicited Network Scanning and Attack Activity Surges
Network scanning and attack activity was marked by opportunistic and random scanning that constitutes a large part of the vulnerability and exploit threat landscape. Malicious actors continuously leverage old and freshly disclosed vulnerabilities such as remote command execution and command injection exploits that are easy to integrate into existing malware and exploit tools. Along with the evolution in cloud resources and services, there is no more hiding on the internet. Every deep corner of the internet gets inventoried in convenient IoT search engines.
In Q3, unsolicited scanning activity peaked at 27 million events per day, representing the second highest level during 2021. The most scanned and attacked TCP services are SSH followed by VNC and RDP.
To Sum it All Up
Attacks did not regress, yet overall volumes were not large. This can be partly explained by the shift to more insidious, application-level attacks. For their ransom campaigns, actors favored targets that were not immune to their assaults. Does this mean they’re becoming more selective? Radware raised this point earlier in the year, when it reported ransom DoS attacks on targets that were not protected by always-on cloud solutions. The record large-scale DDoS attacks were hit-and-run assaults. These might have been tests of capability, probing of the protections of certain providers, or even a demonstration of capabilities and a precursor of what is yet to come. Chatter on underground forums and theories being discussed by the media do not provide a clear understanding of the objectives and tools leveraged by the actors behind those colossal assaults.
Regarding web application attacks, the number of blocked web application security events has doubled almost every quarter this year. Q3 accounts for 2.1 million blocked application security events per customer, or an average of 700,000 blocked security events per month per customer. Almost half of the web application attacks were predictable resource location attacks. The second top security violation blocked by our web application security services was SQL injection attacks, followed by code injection attacks and cross-site scripting attacks. The top violations reported in Q3 are aligned with the top web application security risks published by the OWASP Foundation in their 2017 and 2021 OWASP Top 10 lists.
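To make the top category concrete, the following Python script is an added illustration (not code from the Radware report) of how a defender can spot predictable resource location probing in web server access logs: a source that repeatedly requests well-known sensitive paths and mostly receives 403/404 responses. The log lines, addresses, path patterns and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2021:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [12/Sep/2021:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [12/Sep/2021:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [12/Sep/2021:10:00:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [12/Sep/2021:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 153 "-" "curl/7.68.0"
198.51.100.23 - - [12/Sep/2021:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Sep/2021:10:00:07 +0000] "GET /static/app.js HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Sep/2021:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Minimal parser for the Combined Log Format fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative patterns for paths that are typically guessed rather than linked to:
# dotfiles, backup/archive extensions, admin panels and config files.
SENSITIVE_PATHS = re.compile(
    r'(^/\.(env|git|svn|htaccess|htpasswd)|\.(bak|old|orig|sql|zip|tar|gz)$|'
    r'^/(admin|phpmyadmin|backup|config)/?$|wp-config\.php)', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_resource_probing(log_text, min_probes=3, min_error_ratio=0.5):
    """Flag sources with >= min_probes denied/missing sensitive-path requests and a high error ratio."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "probes": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] in (401, 403, 404):
            s["errors"] += 1
            if SENSITIVE_PATHS.search(rec["path"]):
                s["probes"].append(rec["path"])
    return {ip: s for ip, s in stats.items()
            if len(s["probes"]) >= min_probes and s["errors"] / s["total"] >= min_error_ratio}
```

The error-ratio condition keeps a legitimate browser that hits one missing favicon from being flagged, while a source that walks a list of guessable paths stands out.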
Finally, network scanning and attack activity was marked by opportunistic and random scanning that constitutes a large part of the vulnerability and exploit threat landscape. Malicious actors continuously leverage old and freshly disclosed vulnerabilities such as remote command execution and command injection exploits that are easy to integrate into existing malware and exploit tools. The objectives behind the attack activity are driven by cryptojacking, discovery of amplification and reflection services for volumetric DDoS attacks, and acquiring a foothold to perform lateral movement and privilege escalation and ultimately drop backdoors or ransomware. They are also able to abuse services and devices as jump hosts or anonymous proxies and port forwarders for targeted attacks.
For a full dissection of last quarter’s threat landscape, download the full report for free here.