Research: Imposing closures increases the amount of cyber attacks

The Corona plague has led to a significant increase in DDoS and Account Takeover attacks (denial of service and account takeover), according to a new analysis by F5 Labs. The study, based on new global data from the F5 Security Incident Response Team, reveals an intense and vulnerable threat landscape following the closure.

“F5 Labs has reviewed all reported incidents from early 2020 to August. Attackers are clearly doing everything in their power to take advantage of online epidemic-related behavior,” said Raymond Pompon, director of F5 Labs. “Expect more storms later. The holiday shopping season, for example, will take place more than ever online and will be under heavy fire from cybercriminals. One thing is clear: the increasing use and dependence on technology has also led to a further increase in attacks that were on the rise.”

The closure opens up new threats

In January, the number of all reported incidents in SIRT was half the average reported in previous years. With the closure from March onwards, the number of incidents has risen sharply. The numbers have tripled compared to previous years in April, and began to drop to normal values ​​only in May and June. In July they rose back up to twice the level seen at that time in 2019.

Dvir Peretz, a solutions engineer at F5, said: “In Israel, too, we are seeing a significant increase in DDoS and account takeover attacks. Many organizations do implement protection against DDoS attacks in the network layer but not always in the applicative layer, which becomes a significant weakness for them during. Recently, we have helped many organizations get out of applicative denial-of-service attacks through the Behavioral DDoS mechanism that enables the detection of applicative denial-of-service attacks based on identifying behavior patterns. “

Attacks can be divided into two types: Denial of Service (DDoS) Attacks and Account Takeover Attacks. The attacks on the accounts included brute force and credential stuffing attacks. In both cases the attackers try to make their way to the user account. From January to August 45% of the incidents reported in SIRT were attributed to DDoS and 43% were password attacks. The remaining 12% were reports of malicious damage, network attacks or unclassified attacks.

DDoS attacks reach new and changing heights

In January, DDoS attacks were responsible for only about one-tenth of reported incidents. In March they increased up to three times the total number of events. In 2019, 4.2% of DDoS attacks reported to F5 SIRT were identified as targeted in Web applications. This rate increased sixfold in 2020 and reached 26%. Meanwhile, the types of attacks are becoming more diverse. In 2019, 17% of all DDoS attacks reported to SIRT were identified as increased DNS attacks, falsifying DNS requests in order to encrypt back to the victim. This rate has almost doubled and reached 31% this year.

DNS Query Flood attacks are also on the rise. During these attacks the attacker sends maliciously crafted malicious requests with the intention of causing the DNS server to run out of resources. 12% of DDoS attacks during the period studied by F5 laboratories used this method.

Retailers bear the burden of password attacks

67% of all attacks reported by SIRT about retailers in 2020 were password attacks, an increase of 27% over last year. At that time, half of all incidents experienced by service providers were attributed to password attacks. 43% of these events were recorded for financial services clients. F5 Labs also noticed an increase in the rate of identification attacks on APIs, which doubled from 2.6% in 2019 to 5% so far in 2020 compared to the same period last year.