TTI | Network Security Insights

The Relentless Rise of Advanced Cyberattacks

Written by Craig Badrick | Aug 12, 2022 8:24:18 PM

Two recently discovered cyberattacks serve as a jarring reminder that these attacks are becoming increasingly frequent and advanced, making proper cybersecurity more essential than ever.

Nowadays it seems almost impossible to turn on the news without seeing a headline about the latest cyberattack. There’s no doubt that the past few years have seen more than their fair share of major stories surrounding cybersecurity. From the SolarWinds hack that put thousands of customers — including U.S. government agencies — at risk, to the attack on a water treatment plant in Florida that nearly caused thousands of people to be poisoned through their drinking water, to the attack on Schreiber Foods that caused a national cream cheese shortage, bad actors have been getting ever more aggressive.

With these attacks becoming so ubiquitous, many no longer make headlines beyond the tech world, simply slipping under the radar and making it easier for both corporations and individuals to let down their guard when it comes to cybersecurity. This is particularly concerning given that cyberattacks are becoming increasingly advanced. In the past couple of months alone there were two record-breaking, advanced attacks that have largely gone unnoticed. Read on to find out more about these incidents and to find out how you can secure yourself against future attacks.

 

A Record-Breaking DDoS Attack

DDoS attacks occur when bad actors use devices from several remote locations to flood an organization’s devices and resources with traffic. This can slow devices, services, and networks, potentially preventing users from accessing them altogether. To achieve a DDoS attack, hackers often use a botnet to send requests to the target organization’s IP address. These groups of malware-infected, remotely controlled, Internet-connected devices can quickly overwhelm a server or network, essentially causing a traffic jam.

Unfortunately, DDoS attacks are on the rise — and they’re becoming increasingly advanced. In Q1 of 2021 alone, there were 2.9 million DDoS attacks, marking a 31% increase compared to Q1 of 2020. More recently, Cloudflare mitigated a record-breaking 26 million request-per-second (RPS) DDoS attack. For comparison, the largest DDoS attack on a Cloudflare customer before this attack peaked at 17.2 million RPS.

While DDoS attacks traditionally come through low-bandwidth Internet of Things (IoT) devices, this attack was more advanced and went through a cloud service provider, meaning the hacker used compromised virtual machines and servers to orchestrate the attack. Though the botnet only had 5,067 devices, it was 4,000 times stronger than the average DDoS attack due to the high bandwidth of virtual machines and servers compared to other devices. At its peak, each node generated around 5,200 RPS, enabling the botnet to send over 212 million HTTPS requests in less than 30 seconds to quickly disrupt and deny service.

The ease with which the bad actors were able to orchestrate such an extensive attack without detection should be serious cause for concern for any organization.

 

Sophisticated Malware Attacks Routers While Avoiding Detection

DDoS attacks are far from the only danger you need to worry about when it comes to cybersecurity. Another major area of concern is malware.

Consisting of malicious software that can damage an organization’s computers, servers, network, or infrastructure without detection, malware attacks tend to have greater name recognition within the general population than do DDoS attacks, but that doesn’t make them any easier to prevent if you aren’t adequately prepared. This is particularly concerning given that hackers often rely on malware attacks to access credentials and accounts, stealing everything from personal information to business data from their targets.

While malware attacks aren’t anything new, they have evolved over time, becoming increasingly sophisticated and difficult to detect. The pandemic and the resulting sudden shift to remote work only made hackers’ jobs easier since many organizations switched to work from home setups without taking steps to secure remote devices and networks. To make matters worse, most companies don’t bother to patch, monitor, or update their in-office devices — much less their employees’ home routers — leaving the door open for attackers to easily infect routers and gain access to corporate devices and information.

We saw this exact scenario play out with the recently discovered ZuoRAT malware, a custom-built, multi-stage, remote access Trojan virus that targeted small office and home office (SOHO) routers in North America and Europe for almost two years beginning in October 2020. Written for the MIPS architecture, this malware enabled a most-likely state-sponsored hacking group to exploit SOHO routers’ vulnerabilities.

After installing ZuoRAT on SOHO routers, the malware would enumerate any devices or local area networks (LANs) connected to the router. The hacker could then install other malware on those connected devices using DNS hijacking (which involves replacing valid IP addresses with attacker-operated IP addresses) and HTTP hijacking (a method where malware generates a 302 error and redirects users to an unsafe IP address). The hackers often infected connected devices with CBeacon and GoBeacon, but they could also install Cobalt Strike, a popular tool used by hackers to compromise networks and create persistent communication channels.

When looking at this attack, one key question remains: How did this dangerous malware — and the infrastructures that controlled the infected routers and connected devices — avoid detection for nearly two years?

The answer is complexity. The hackers had an intentionally complex operation that involved exploiting routers from a dedicated private virtual server with benign content and leveraging compromised routers as proxy command and control infrastructures, enabling them to hide in plain sight. They also regularly rotated these proxy routers to further avoid detection. For example, Lumen Technologies’ Black Lotus Labs researchers observed 23 routers and discovered that some interacted with a Taiwan-based proxy server before rotating to a Canada-based proxy server. All of this complexity made it easier for the attack to continue unnoticed for nearly two years.

 

Take Your Cybersecurity to The Next Level with a Trustworthy Partner

As technology becomes more sophisticated and secure, so do the cybercriminals looking to exploit it. Whether they’re using aggressive DDoS and malware or leveraging one of the many other attack vectors that remain popular, bad actors are constantly leveling up their attack strategies. The best way to avoid falling victim is to avoid being an easy target for exploitation. The problem is that many businesses either don’t have cybersecurity plans in place at all or they haven’t bothered to update them in recent years, making them a perfect target for a cyberattack.

If you want to prevent attacks, it’s critical that you secure all your networks and devices, whether they are on-premises or remote. At Turn-key Technologies, Inc. (TTI), we can help you do just that. When you partner with us, we’ll use our decades of experience to ensure you aren’t a sitting duck. We’ll work with you to buff up your cybersecurity — whether that means investing in firewalls and threat intelligence solutions, encrypting data, or even implementing educational solutions to prevent social engineering attacks — so you can stay safe.

Contact us today to learn more about how TTI can help you protect your organization from cybercriminals and advanced cyberattacks!