2017 in Review: Pulse Wave DDoS Attacks, Spam Botnets, Bitcoin and Industry Reports

A lot has happened in the last 12 months so we’ve put together a roundup of topics that made the news in our blog.

An Emerging Pulse Wave DDoS Attack Trend

Imperva tracks DDoS activity closely throughout the year. And our quarterly Threat Landscape Reports in the first half of the year (first quarter and second quarter) give us valuable information about how these attacks continue to evolve.

Early in the year, we reported how distributed denial of service attacks were growing shorter, more complex and persistent. This is a result of botnet-for-hire services that let users with little or no tech background launch short, low-volume attacks. This is significant because it allows non-professional offenders to leverage DDoS to disrupt businesses and individuals.

Overall, 80 percent of all DDoS attacks lasted less than one hour and, for the first time, we saw 90 percent of network layer attacks lasting less than 30 minutes, compared to 78.2 percent in Q4 2016.

Nearly 74 percent of targets suffer repeat assaults, with 19 percent being attacked 10 times or more and 35 percent being hit six or more times. This trend is a substantial increase from the year before.

By the end of the second quarter of 2017, we witnessed a decrease in the number of network layer assaults. We also saw some relief in application layer attacks, which had increased earlier in the year. However, the number of repeat attacks went up.

And finally in August we saw the emergence of a new attack tactic, which we’ve named “Pulse Wave DDoS” because of the pattern it generates – a rapid succession of attack bursts that distribute a botnet’s attack output. This allows a single offensive strike to go after multiple targets.

DDoS Events: Mirai Attack and a Spam Botnet

Major security breaches on Equifax and Uber made headlines this year, but they only represent a portion of the total of security breaches. Here are a few we covered in the past months.

In February, a new Mirai botnet variant attack was directed at one of our clients, a U.S. college (full details here). It ran for 54 straight hours and flooded the school’s website with over 2.8 billion requests.

Mirai (which means “the future” in Japanese) was first discovered in 2016 and quickly became one of the most virulent DDoS malware programs known. Ever since its source code went public last year, we’ve seen Mirai continue to expand and develop.

In March, we got a behind-the-scenes look at a major spam campaign falsely representing the pharmaceutical industry (more details here). Spam represents an estimated $431 billion market. Its scale – especially in the counterfeit drug trade – continues to grow.

The spam botnet we intercepted was built to circumvent security countermeasures and consisted of 80,000 compromised devices. After decoding the script, we discovered the attack was built specifically to bypass spam filters – the type that identified unwanted messages based on sender identity and links to known malicious domains. The exploit worked because it paired two compromised domains working together to generate spam and reroute visitors.

Magento, Ronggolawe and Apache Struts Exploits

In late 2016 and into early 2017, vulnerabilities in Magento, a popular e-commerce platform, were detected during a routine security audit (further details here). These vulnerable entry points could have potentially led to remote code execution and exposed the system and its database of sensitive customer information.

Ransomware isn’t new. It’s been targeting desktop and laptop computers for years and then mobile phones and servers. Recently we encountered Ronggolawe, a new web server ransomware (see details here).

In August, Ronggolawe was uploaded to GitHub. Once an attacker got the malicious code onto a server, it could be used to either encrypt or decrypt the files on that server.

GitHub deployed a web application firewall and successfully blocked malicious file uploads and remote code execution attacks.

In May, while performing a simulated cyberattack on the GitLab system (more details here), we discovered a vulnerability in the network that left users exposed to session hijacking attacks.

Session hijacking involves the interception of session tokens that identify individual users logged into a website. An attacker can use a stolen token to access a user’s account and do irreparable damage.

GitLab immediately implemented two important measures. It replaced private tokens with RSS tokens for fetching RSS feeds, which helped avoid exposed session IDs. It also expanded personal access tokens that offered role-based access controls. These provided the same functionality as private tokens but with better security. In addition, GitLab started gradually phasing out private tokens altogether.
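The effect of swapping an all-purpose token for a feed-only token can be shown with a small model. This is an added example, not GitLab's code or code from the original post: the `TokenStore` class, the scope names, the URL parameter names and the `git.example.test` URLs are all assumptions constructed for illustration.

```ruby
require 'securerandom'
require 'digest'
require 'uri'

# Hypothetical model of scoped tokens; names and scopes are assumptions,
# not GitLab's implementation.
class TokenStore
  Entry = Struct.new(:user, :scopes)

  def initialize
    @entries = {} # SHA-256 of token => Entry; raw tokens are never stored
  end

  # Issue a random token limited to the given scopes.
  def issue(user, scopes)
    raw = SecureRandom.hex(20)
    @entries[Digest::SHA256.hexdigest(raw)] = Entry.new(user, scopes.dup.freeze)
    raw
  end

  def revoke(raw)
    !@entries.delete(Digest::SHA256.hexdigest(raw.to_s)).nil?
  end

  # True only if the token exists and its scopes cover the action.
  def allowed?(raw, action)
    entry = @entries[Digest::SHA256.hexdigest(raw.to_s)]
    return false if entry.nil?
    entry.scopes.include?(:full_access) || entry.scopes.include?(action)
  end
end

# Read the token from a feed URL, as anyone who sees the URL can.
def token_from_url(url, param)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h[param]
end

# Actions the holder of a leaked feed URL would be authorized to perform.
def blast_radius(store, url, param, actions)
  token = token_from_url(url, param)
  actions.select { |action| store.allowed?(token, action) }
end

STORE = TokenStore.new
ACTIONS = %i[read_feed read_api write_repo change_password].freeze
# Constructed URLs: old design (all-purpose token) vs. new design (feed-only token).
OLD_FEED_URL = "https://git.example.test/feed.atom?private_token=#{STORE.issue('alice', [:full_access])}"
NEW_FEED_URL = "https://git.example.test/feed.atom?rss_token=#{STORE.issue('alice', [:read_feed])}"
```

With the old URL, `blast_radius` returns every action in `ACTIONS`; with the new URL it returns only `:read_feed`, and revoking the feed token leaves the account's other credentials untouched.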

In July, Apache Struts became vulnerable to a remote code execution attack (details here). Based on notes given to us by the client, it was possible to perform an RCE attack with a malicious field value when using a Struts 1 plugin. This plugin included a Showcase app that enabled the vulnerability.

And finally, in October we noticed several of our customers being bombarded with “send-to-a-friend” spam attacks (more information here). These form-filler bots attach themselves to the social sharing module found on commercial websites.

Our security team noticed the high rate of traffic and the considerable number of targets and investigated. We eventually confirmed that the assault was carried out via a botnet that let attackers spread their unwanted messaging via the popular social sharing app.

The spam included snippets of text from various Star Wars novels. Were the spammers fans of the long-running sci-fi franchise? We’ll never know. Most likely, they were riding the wave of the franchise’s popularity to add uniqueness to their emails to trick filtering mechanisms. We successfully shut down the spam scam and did our part in defeating the dark side of the Force.

Bitcoin and Attacks Frontline Our Latest Global DDoS Threat Landscape Report

Our latest report showed that these trends are on the rise with some likely to continue into 2018:

Bitcoin and related cryptocurrencies, one of the most targeted industries, have dominated the news recently. In the third quarter, we saw that 3.6 percent of total network layer DDoS attacks targeted bitcoin exchanges and related sites on our service. As the bitcoin price spikes, threat actors have this relatively small and young industry in their sights, putting it on the top-10 list of attacked industries.

High packet rate network layer attacks grow more common. These assaults, where the packet-forwarding rate is 50+ Mpps, continue to grow, accounting for five percent of the total number of network layer attacks.

Network layer attacks are extremely persistent. In Q3 2017, half of network layer targets were attacked at least twice, while nearly a third were hit more than 10 times.

A Leader Among DDoS Mitigation Providers

And to wrap up an eventful year, Gartner published its 2017 Magic Quadrant for Web Application Firewalls (WAF) and named Imperva a WAF leader again for the fourth consecutive year. Most recently, the Forrester Wave ranked Imperva as a leader for the DDoS mitigation current offering and strategy categories. We couldn’t be more thrilled!