Cyber Attacks - 3 Current Threats and Countermeasures

The Colonial Pipeline cyberattack in May 2021 thrust ransomware back into the public spotlight. However, ransomware isn't the only digital danger to individuals, businesses, and organizations, with DDoS attacks and data theft a serious and daily problem for many.

To help stave off these threats, a good place to start is by understanding what it is that you're up against. In this article, we'll fill you in about the most common types of cyberattacks and countermeasures.

DDoS attacks seek to paralyze networks or servers by overwhelming them with requests. These take advantage of the client-server model, upon which most Internet applications operate. Whenever you type the URL of a particular website into your browser (for example, www.nytimes.com) your computer, laptop, or device (the client), sends a request to that URL's server.

Web servers can answer several thousand requests per second, however, they aren't without limits, either in terms of bandwidth, or the hardware itself. The more requests that are submitted, the longer the response time, similar to telephone (landline) switchboards or networks of the past. In the worst case, traffic simply collapses and users receive an error message (503 - Service Unavailable) when attempting to visit the site in question.

Cybercriminals launching DDoS attacks use multiple computers or Internet of Things (IoT) devices to send large numbers of requests at the same time. These computers form a so-called botnet. Most of the time, these devices are infected with viruses or malware and spread across the globe, with their owners having no idea that their computers are being used illictly.

Even though the end goal of all DDoS attacks is denial of service, they go about achieving this in different ways and by exploiting various parts of a network connection. So-called multi-vector attacks enter through several of these entry points at the same time.

1. 1.
   Volume-based attacks target available bandwidth and include user datagram protocol (UDP) floods. During these, bots overwhelm UDP ports with data packets, causing the server to crash. Along with transmission control protocol (TCP), UDP is one of the most-used transport level protocols. The transport level is the fourth of the OSI model, detailing network protocol architecture. DNS floods function similarly, bombarding the DNS server with requests. These are servers that translate URLs into IP addresses (such as www.airbnb.com into 3.232.178.39).
2. 2.
   Application attacks, true to their name, are launched on the application level, or the highest in the OSI model, responsible for regulating how integrations interact with users. So-called Slowloris attacks send incomplete requests, rapidly increasing the number of open connections and preventing the server from responding to legitimate queries. Apache web servers are a particularly popular target for such attacks.
3. 3.
   Protocol attacks take advantage of Internet protocol weaknesses. As an example, SYN flood attacks spoof the 3-way-handshake of a TCP protocol. This handshake determines how a connection is established between two devices. With TCP protocols, a SYN message is sent to the server, which answers with ACK, followed by SYN-ACK confirmation from the client. However, should the SYN message contain an incorrect IP address, the server will continue to wait for an answer. After too many such requests, the server will cease to function.

Should a website take longer than usual to load, you shouldn't automatically assume that it is experiencing a DDoS attack, since peaks in usage can also produce a similar effect. With that said, there are some sure symptoms of a DDoS attack:

• Too many requests are received from the same IP address or location;
• Unpredictable traffic spikes;
• A ping request, which tests a host's availability within a network, returns a "Timeout" error message for the server in question;
• When attempting to access the website, a 503 error message appears.

It isn't possible to completely prevent DDoS attacks since the infected devices that launch them are unable to be controlled. As such, countermeasures for DDoS attacks entail ensuring network resilience.

1. 1.
   To counter volume attacks, routers using the anycast methodology will distribute queries to different servers. Most of the time, these are cloud security services that filter out malicious queries, forwarding only legitimate ones. Good providers have powerful networks with traffic of 60 terabytes per second (Tbps), far exceeding the capabilities of botnets.
2. 2.
   For protocol attacks, service providers offer a number of different programs that analyze user behavior, thwarting bots with captchas. These require the input of letter and number combinations unreadable by computers, or the selection of all pictures containing a particular item or object.
3. 3.
   Web application firewalls (WAF) forge something of a shield between clients and servers, helping to stave off application attacks. These operate like a doorman, preventing those who seem suspicious from entering.
4. 4.
   With rate limiting, servers will only allow a specific number of requests per time period. Should a low SYN, UDP, or Drop limit be set, the server will reject all packets which exceed it.

According to Netscout's most recent Global Threat Intelligence Report, in 2020, more than 10 million DDoS attacks were launched, the most in history. Some of the more infamous DDoS attacks of all time include:

• In September 2017 Chinese bots sent millions of data packets to various Google servers. The UDP flood attack clocked traffic of 2.5 Tbps, making it the largest DDoS attack ever measured. Despite its size, it has not had any consequences.
• In February 2020, Amazon Web Services (AWS) reported a three-day 2.3 Tbps DDoS attack. This multi-vector attack exploited a weakness in the connectionless lightweight directory access protocol (CLDAP), the industrial standard for accessing indices. AWS customers were not impacted.
• In October 2016, Mirai, a notorious botnet, attacked servers belonging to the DNS provider, Dyn. Since Dyn connects URLs to the appropriate IP address, platforms such as Twitter, GitHub, Reddit, and Netflix were rendered temporarily unavailable. In the aftermath of the attack, Mirai made public the code that was exploited for the attack.

When using ransomware, cybercriminals hack IT systems, encrypting the data stored on drives. In order to unlock these, the extortionists demand a ransom. Similar to DDoS attacks, ransomware also frequently targets utility networks or healthcare systems.

Ransomware can find its way onto computers or systems through phishing emails, attachments infected with trojans, or IT networks possessing inadequate security. Victims include individuals as well as businesses and even government officials.

As is the case with DDoS attacks, those who engage in ransomware are often hackers from countries like China, Iran, Russia, or North Korea, which makes it difficult or impossible to prosecute them. Since victims often need to pay in cryptocurrencies, like Bitcoin, tracing the recipient is difficult.

In addition to the well-known CryptoLocker variant, screenlockers are also common. For the latter, victims, need to pay a ransom in order to regain access to their screen or monitor. In most cases, cyber extortionists also threaten to release sensitive data if they aren't paid.

Typically, ransomware makes its presence on your system felt rather quickly, displaying a message stating that you have been attacked, and providing information about how to proceed. Other symptoms of a ransomware attack include:

• The inability to access certain files that were accessible in the past;
• Files that suddenly appear without an extension, or have the .crypto extension;
• Text files (ending in .txt) with suspicious names like "_Decrypt your files" or "_Open me".

WARNING! The US Government and all of its cybersecurity branches strongly discourage paying cyber ransoms. This is because there is no guarantee that you will receive the password, and also that by doing so, you provide extortionists with an incentive to continue their illicit activities. The FBI, for example, recommends immediately contacting their local field office if you believe yourself to be the victim of a ransomware attack.

Should you already practice safe behavior with regards to IT security, you're well protected against ransomware attacks. Some aspects to keep in mind include:

• Regularly backing up sensitive data. Since ransomware targets backup folders, encrypting them and using offline storage, such as an external hard drive, that is only connected to perform backups are recommended.
• Keep software up to date, since older versions can have weaknesses or exploits.
• Uninstall unnecessary plugins and deactivate macros.
• Make it necessary for all scripts and active content to be confirmed by double-clicking.
• If possible, do not install your browser locally at work, but use a terminal server with a remote desktop connection.
• Rarely grant write access for network drives, and even then, only with strong passwords.
• Allow remote access only with secure VPN connections and two-factor authentication.
• Use firewalls with IP filtering as well as whitelisting services. The latter are lists that include reliable and allowed IP addresses, protecting the server.
• Offer workshops on cybersecurity. During these, employees can learn how to recognize suspicious and dangerous emails and websites.

According to the FBI, since 2016, more than 4,000 ransomware attacks have been recorded per day. Among the most infamous are:

• In March 2019, a ransomware attack paralyzed Norsk Hydro's IT systems, causing production to be run manually for weeks. The company did not pay the ransom and was able to retrieve the affected information thanks to backups.
• The largest meat producer in the world, JBS, paid a ransom of $11 million in May 2021 to regain access to its IT systems. The Russian hacker group REvil claimed responsibility for the attack.
• Also in May 2021, gas supply to the East Coast of the US was disrupted after Colonial Pipeline Company's IT systems were compromised by ransomware, using an unprotected VPN access point. The company paid the $4.4 million ransom, however, the FBI was able to recover most of the Bitcoins later.

Even though most people speak about data theft, in reality, cybercriminals copy digital information. Most of the time, they intend to use email accounts for illegal activity, gain access to funds or sensitive information, or tarnish someone's reputation. When it comes to identity theft, the purpose is often to engage in illegal activity using the victim's personal information.

Most data thieves identify their victims through phishing emails, inadequately secured networks, or infected websites. For companies, disgruntled or technologically illiterate employees are often responsible when sharing sensitive data without authorization.

Should criminals gain access to bank accounts, it won't take long for you to notice suspicious transactions. In other cases, hackers will release stolen information online, in order to negatively impact the victim. If the information isn't immediately actionable, it can take years for a victim to learn that their data was stolen, for example, when applying for a loan or credit card, or receiving official mail or court summons.

As is the case with the other two kinds of cyber attacks, criminals take advantage of weaknesses in IT systems. Below are some guidelines to help in protecting yourself and your data:

• Employ strong passwords consisting of numbers, upper and lowercase letters, as well as special characters. Change these at least every six months.
• Make sure that your firewalls and antivirus programs are up to date.
• Store data on external drives, such as USB sticks or hard drives, encrypting and protecting it with a strong password.
• Delete accounts for employees no longer with the company or organization. Only grant limited access to the organizational network to non-employees or customers.
• Offer employee training regarding phishing, malicious websites, and social engineering. The last of these is a method by which hackers harness social networks to target and probe their victims, encouraging them to provide sensitive information like passwords.

In contrast to DDoS and ransomware attacks, leaks of sensitive information pre-date the Internet. The main difference is the scale, with data theft in the 21st century impacting millions of people worldwide, per year. The most notorious cases of data theft over the past few years include:

• In March 2020, hackers gained access to the servers of CAM4, a video chat platform, making off with more than 10 billion files. These include real names as well as chat and payment logs, making it possible for victims to be blackmailed for years.
• In March 2018, cybercriminals hacked the IT systems of one of the world's largest biometric databanks. Aadhaar, managed by the Indian government, stores biometric data including fingerprints, photos, and iris scans for more than one billion Indian citizens.
• In November 2018, Marriott International announced that unauthorized individuals had accessed the credit card data for 500 million of its customers. The attack had occurred in 2014 but was only noticed in 2018.

DDoS attacks, ransomware, and data theft can all exert a significant impact on your digital security. Fortunately, with the help of powerful antivirus programs, firewalls, strong passwords (that can be easily and safely managed with a password manager), and regular updates to your software and drivers, it's possible to minimize the likelihood of falling prey to such an attack. IP filters and cloud services help specifically against DDoS attacks, preventing bots from being able to send requests to your site. 

Caution is in order when dealing with suspicious emails or websites since these often serve as the delivery vehicles for malware and trojans. Should you believe yourself to be the victim of a cyberattack, the best thing to do is to contact local or federal authorities.