Hyland 160x1200

Hyland 160x1200

Hyland 705x108

Thursday, 16 June 2022 12:48

Q1 DDoS and application attack activity reveals surprise result

By Pascal Geenens, director, threat intelligence for Radware
Radware director of threat intelligence Pascal Geenens Radware director of threat intelligence Pascal Geenens

GUEST RESEARCH: The cybersecurity threat landscape in the first quarter of 2022 represented a mix bag of old enemies and new foes. New actors dominated the DDoS threat landscape while application security faced tried-and-true attack vectors.

These attacks were largely driven by a threat landscape turbocharged by geopolitical instability, hacktivists, nation-state threat actors, and a focus on exploiting newly discovered vulnerabilities.

A detailed analysis of real-world network and application attack activity from the first quarter of 2022 can be found here. The highlights below reveal some surprising results.

DDoS attack trends

In DDoS, the number of micro floods increased by 125% in the first quarter of 2022 versus the fourth quarter of 2021. Micro floods are low throughput attack vectors with throughputs below 1Gbps but above 10Mbps.

Typically they fly under the radar and cannot be detected using traditional algorithms or techniques that spot larger throughput attack vectors based solely on thresholds.

By combining a large number of micro floods or adding micro floods to a mix of mid-sized and large attack vectors, attackers can significantly increase the complexity of their attack campaigns. Attackers can make mitigation harder by forcing mitigators to constantly adapt their policies.

Additionally, the number of blocked malicious events (per customer) rose nearly 75% compared to the first quarter of 2021. However, overall blocked volumes (in TBs) decreased dramatically.

The education and telecommunication sectors took the brunt of DDoS attacks, representing 67% of DDoS attack volume in the first three months of 2022, while the Americas represented over half of DDoS attack volumes during the same time period.

Application attack trends

In terms of application attack activity, malicious bot activity increased dramatically. Bad bot transactions increased by 126% in the first quarter of 2022 versus the first quarter of 2021.

Cross referencing application attack data against the OWASP Top 10 application security violations shows that Broken Access Control (A01 in OWASP 2021) represented over half of all blocked security violations during the first quarter of 2022.

High tech (31%) and the retail sector (27%) faced the majority of application attacks during the first quarter of 2022. Telecommunications/carriers finished in third place at 21%.

Lastly, predictable resource location, code injections and SQL injections were fan favorites of threat actors, and represented the top three application violations, respectively, in the first quarter of 2022.

DDoS and application threat landscape analysis

The first quarter of 2022 was marked by geopolitical, hacktivist denial-of-service, and nation-state vulnerability-focused cyberactivity.

Following the invasion of Ukraine and the escalation of hybrid warfare, my company monitored an increase in denial-of-service attacks targeting both the Russian and Ukrainian governments and associated financial institutions. The increase in denial-of-service activity was driven mostly by patriotic hacktivism from pro-Ukrainian and pro-Russian activists.

The IT Army of Ukraine brought hacking to the masses, including teens, via gamification of denial-of-service attacks. This included the playforukraine[.]info website, where in-game achievements are Russian websites you helped disrupt while playing.

WordPress websites were breached and injected with malicious code to perform denial-of-service attacks against Ukrainian targets upon loading the webpage. Any visitor of the breached WordPress sites became a bot, performing application-level, denial-of-service attacks that were targeted at a list of websites curated by the authors of the malicious code.

In an act of protest against the invasion of Ukraine, the maintainer of a popular Node.js module called 'node-ipc', deliberately sabotaged his module. The module, providing local and remote inter process communication (IPC), is leveraged by many neural network and machine-learning tools.

The developer altered his code to deliberately corrupt files on systems running applications that depend on the node-ipc module, but only if the systems were geolocated in either Russia or Belarus.

The decentralised finance (DeFi) sector became a prime target for attacks. Crypto exchanges faced denial-of-service attacks following their ban of Russian citizens. Crypto exchanges were also the target of financially motivated attacks by North Korean state-sponsored threat actors.

A new vulnerability was discovered in the Java Spring framework, a popular framework for building online applications. Following its public disclosure at the end of March after a Chinese researcher published a proof-of-concept on Github, Spring4shell was quickly exploited and required businesses to quickly patch applications leveraging the Java Spring framework.

OpIsrael, a yearly operation targeting Israelian businesses and citizens, was nearly non-existent this year due to Anonymous' focus on the Russian/Ukrainian conflict.

OpsBedil, a hacktivist operation targeting Middle Eastern organizations in 2021, returned this year. OpsBedil is considered the replacement for the now-defunct OpIsrael operations. The new OpsBedil operations were conducted by DragonForce Malaysia and its affiliates throughout Southeast Asia, specifically Malaysia and Indonesia.

The current operation, OpsBedilReloaded, is considered a political response to events that occurred in Israel on April 11, 2022. During OpsBedilReloaded, hacktivists executed website defacements, sensitive data leaks and denial-of-service attacks. Based on previous OpsBedil TTPs, attack campaigns can be expected to run through April, May and potentially into the June/July timeframe.

Hacktivist campaigns like OpsBedil, while nowhere close to as notorious as OpIsrael once was, present a renewed level of risk for the region. Unlike Anonymous, DragonForce Malaysia and its affiliates have the time, the resources and the motivation to execute these attacks and present a moderate-level threat to Israel.

For more data on first quarter network and application attack activity, visit our digital hub.

Read 1701 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here

SONICWALL 2022 CYBER THREAT REPORT

The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Ransomware
Cryptojacking
Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.

GET REPORT!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

BACK TO HOME PAGE
Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments