Q1 DDoS and application attack activity reveals surprise result
Article by Radware director of threat intelligence, Pascal Geenens.
The cybersecurity threat landscape in the first quarter of 2022 represented a mixed bag of old enemies and new foes. New actors dominated the DDoS threat landscape while application security faced tried-and-true attack vectors.
These attacks were largely driven by a threat landscape turbocharged by geopolitical instability, hacktivists, nation-state threat actors, and a focus on exploiting newly discovered vulnerabilities.
A detailed analysis of real-world network and application attack activity from the first quarter of 2022 revealed some surprising results.
DDoS attack trends
In DDoS, micro floods increased by 125% in the first quarter of 2022 versus the fourth quarter of 2021. Micro floods are low throughput attack vectors with throughputs below 1Gbps but above 10Mbps.
Typically they fly under the radar and cannot be detected using traditional algorithms or techniques that spot larger throughput attack vectors based solely on thresholds.
By combining a large number of micro floods or adding micro floods to a mix of mid-sized and large attack vectors, attackers can significantly increase the complexity of their attack campaigns. Attackers can make mitigation harder by forcing mitigators to constantly adapt their policies.
Additionally, the number of blocked malicious events (per customer) rose nearly 75% compared to the first quarter of 2021. However, overall blocked volumes (in TBs) decreased dramatically.
The education and telecommunication sectors took the brunt of DDoS attacks, representing 67% of DDoS attack volume in the first three months of 2022, while the Americas represented over half of DDoS attack volumes during the same period.
Application attack trends
In terms of application attack activity, malicious bot activity increased dramatically. Bad bot transactions increased by 126% in the first quarter of 2022 versus the first quarter of 2021.
Cross-referencing application attack data against the OWASP Top 10 application security violations shows that Broken Access Control (A01 in OWASP 2021) represented over half of all blocked security violations during the first quarter of 2022.
High tech (31%) and the retail sector (27%) faced the majority of application attacks during the first quarter of 2022. Telecommunications/carriers finished in third place at 21%.
Lastly, predictable resource location, code injections and SQL injections were fan favourites of threat actors and represented the top three application violations, respectively, in the first quarter of 2022.
DDoS and application threat landscape analysis
The first quarter of 2022 was marked by geopolitical, hacktivist denial-of-service, and nation-state vulnerability-focused cyber activity.
Following the invasion of Ukraine and the escalation of hybrid warfare, my company monitored an increase in denial-of-service attacks targeting both the Russian and Ukrainian governments and associated financial institutions. The increase in denial-of-service activity was driven mostly by patriotic hacktivism from pro-Ukrainian and pro-Russian activists.
The IT Army of Ukraine brought hacking to the masses, including teens, via gamification of denial-of-service attacks. This included the playforukraine[.]info website, where in-game achievements are Russian websites you helped disrupt while playing.
WordPress websites were breached and injected with malicious code to perform denial-of-service attacks against Ukrainian targets upon loading the webpage. Any visitor of the breached WordPress sites became a bot, performing application-level, denial-of-service attacks targeted at a list of websites curated by the authors of the malicious code.
In an act of protest against the invasion of Ukraine, the maintainer of a popular Node.js module called ‘node-ipc’, deliberately sabotaged his module. The module, providing local and remote inter-process communication (IPC), is leveraged by many neural network and machine-learning tools.
The developer altered his code to deliberately corrupt files on systems running applications that depend on the node-ipc module, but only if the systems were geolocated in either Russia or Belarus.
The decentralised finance (DeFi) sector became a prime target for attacks. Crypto exchanges faced denial-of-service attacks following their ban of Russian citizens. Crypto exchanges were also the target of financially motivated attacks by North Korean state-sponsored threat actors.
A new vulnerability was discovered in the Java Spring framework, a popular framework for building online applications. Following its public disclosure at the end of March, after a Chinese researcher published a proof-of-concept on Github, Spring4shell was quickly exploited and required businesses to quickly patch applications leveraging the Java Spring framework.
OpIsrael, a yearly operation targeting Israelian businesses and citizens, was nearly non-existent this year due to Anonymous’ focus on the Russian/Ukrainian conflict.
OpsBedil, a hacktivist operation targeting Middle Eastern organisations in 2021, returned this year. OpsBedil is considered the replacement for the now-defunct OpIsrael operations. The new OpsBedil operations were conducted by DragonForce Malaysia and its affiliates throughout Southeast Asia, specifically Malaysia and Indonesia.
The current operation, OpsBedilReloaded, is considered a political response to events that occurred in Israel on April 11, 2022. During OpsBedilReloaded, hacktivists executed website defacements, sensitive data leaks and denial-of-service attacks. Based on previous OpsBedil TTPs, attack campaigns can be expected to run through April, May and potentially into the June/July timeframe.
Hacktivist campaigns like OpsBedil, while nowhere close to as notorious as OpIsrael once was, present a renewed level of risk for the region. Unlike Anonymous, DragonForce Malaysia and its affiliates have the time, the resources and the motivation to execute these attacks and present a moderate-level threat to Israel.