App Tiers Affected:
The F5 Security Incident Response Team (F5 SIRT) helps customers tackle security incidents in real time. We reviewed all the reported incidents from January through August 2020 to see how the pandemic changed the cyberthreat landscape. To protect customer confidentiality, we do not mention specific organizations. We also do not divulge numbers, but instead compare increase levels in incident reports.
Rise in Attacks during the Pandemic Lockdown
The first striking thing we saw in our review was the unprecedented rise of reported incidents at the beginning of the pandemic lockdown period in March 2020. The year started out slow, with the number of reported incidents in January of 2020 at half the average reported in previous years. However, as the pandemic shelter-in-place took effect in March of 2020, reported incidents rose sharply. They plateaued with a threefold spike over previous years in April and only began to return to normal in May and June. However, in July, they started to creep back up to twice the 2019 level. Figure 1 shows reported attacks for the January through August time period for the past three years.
What Were These F5 SIRT-Reported Incidents?
The phrase reported security incidents refers to an aggregate measure of several kinds of attacks in which customers sought help from the F5 SIRT. Primarily, these attacks fell into two large buckets: distributed denial-of-service (DDoS) and password login attacks. Password login attacks were comprised of brute force and credential stuffing attacks. Both of these involve attackers trying to guess their way past a password login.
Over the period of January through August, 45% of reported security incidents were DDoS and 43% were password login attacks. The remaining 12% of reported security incidents were for things like malware infections, web attacks, or attacks that were unclassified.
As seen in Figure 2, DDoS attacks dominated the pandemic lockdown incidents. Reports of DDoS attacks started off as just a tenth of reported incidents in January, but then grew to three times that of all incidents in March. DDoS has remained significant on an ongoing basis.
The first D in DDoS means distributed and refers to the fact that DDoS attacks are sourced around the world from large botnets of compromised machines. In previous years, we saw a “spring slump” in DDoS attacks, but this year we witnessed a big rise from April onward, with only a slight dip in June. On average for the entire period annually, the magnitudes are similar, with 51% of reported incidents being DDoS in 2020 compared to 46% in 2019. However, the monthly timing of DDoS attacks waxed and waned differently during the lockdown, as shown in Figure 3.
During this period, a campaign of blackmail attempts claimed to be from the Russian advanced attacker Fancy Bear. Their attack opened with a small DDoS attack as a demonstration, followed by a payment demand for hundreds of thousands of dollars. Pay up or they will “make sure your services will remain offline until you pay.” What is curious is that Fancy Bear is a cyberespionage group that is not known for DDoS attacks or blackmail, but rather espionage and political disruption.1 It's highly unlikely that the real Fancy Bear is carrying out these recent campaigns.
Shift in DDoS Attack Types in 2020
Overall, most of the reported DDoS attacks are volumetric, targeting network bandwidth and saturating it with junk packets to clog up the connections for legitimate users. A common method for doing this is a DNS amplification attack, which spoofs DNS requests to flood back at a victim. In 2019, 17% of all DDoS attacks reported to the F5 SIRT were identified as DNS amplification attacks. However, in 2020, that number nearly doubled, to 31%.
Another DNS DDoS technique is a DNS query flood, where an attacker sends malicious DNS requests that are purposely malformed to cause a DNS server to exhaust its resources. During the 2020 period, 12% of the DDoS attacks were malicious DNS requests against customer DNS servers.
The first half of 2020 also saw a rise in DDoS attacks targeting websites and applications. In 2019, 4.2% of the DDoS attacks reported to the F5 SIRT were identified as targeting web apps. However, this increased sixfold in 2020 to 26%.
The F5 SIRT incident data also revealed geographic differences in attack type. The Asia/Pacific region had the highest percentage (83%) of incidents reported as DDoS attacks across the globe. Europe, the Middle East, and Africa (EMEA) saw the next highest, with 54% of reported incidents categorized as DDoS attacks.
Changes in Access Attacks on Password Logins
Credential stuffing and brute force are major threats on the Internet. With the pandemic causing a huge shift from in-store buying to electronic commerce, it seemed logical to expect increased levels of password attacks on retailers. Indeed, 67% of all F5 SIRT-reported attacks on retailers in 2020 were password attacks; in 2019, it was only 40%. Also in 2020, half of the incident reports from service providers were attributed to password login attacks. Financial services customers also reported 43% of incidents as password logins.
F5 Labs also keeps an eye on the specific kinds of technical services being hit by password login attacks. One growth area is authentication attacks on APIs, which the F5 SIRT reports show doubled from 2.6% in 2019 to 5% so far in 2020.
Expect more turbulence with the changes in the economy, the pandemic, and the holiday shopping season, more will likely be done more online this year. One thing is clear: our increased usage and dependence on technology has also brought increased levels in the already-growing attack trends.