Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

2/16/2021
01:00 PM
Marc Wilczek
Commentary

Under Attack: Hosting & Internet Service Providers

The digital universe depends on always-on IT networks and services, so ISPs and hosting providers have become favorite targets for cyberattacks.

In less than a decade, cybersecurity has become a critical systemic issue for the world economy. More than ever, modern life and international commerce depend upon a functioning and accessible Internet. According to Cisco, 66% of the global population will have access to it within two years, by which time there will be 5.3 billion total Internet users. Further, more than 70% of the global population will have mobile connectivity, and the number of devices connected to IP networks will be three times greater than the total number of people on Earth.

In this context, cyber incidents and attacks are flourishing, but they're nothing compared to what will happen as the majority of the world joins the digital mainstream. And since ISPs and hosting providers are at the leading edge of the digital tidal wave, it's no surprise that they've become prime targets for cybercriminals.


Attacks Are More Costly to Combat
For organizations, building cyber resilience is growing more complex and costly. Accenture's "9th Annual Costs of Cybercrime Study" reports that malware, Web-based attacks, and distributed denial-of-service (DDoS) attacks are the most expensive attack types and are "the main contributing factors to revenue loss." But some sectors are victimized more often than others. For ISPs or hosting providers — and e-commerce, online gaming, and gambling — uptime is paramount, and every minute of downtime equals money lost. In 2020, a quarter of enterprise respondents reported the average hourly cost of server downtime ran between $301,000 and $400,000, as highlighted on Statista.

Botnets on the Warpath
The root cause of these financial setbacks is cybercriminals who use every means at their disposal, including "carpet bombing," to exploit network vulnerabilities and cause havoc, extort money, or both. Carpet bombing is an example of an attack type that is becoming ubiquitous due to the easy availability of cheap DDoS services on the Dark Web. Almost anyone can pay for a botnet to seriously disrupt the company or government agency of their choice. The rapidly expanding Internet of Things (IoT) might also explain the rise in carpet bombing, since most devices are poorly protected against hostile takeovers and easily converted into bots.

ISPs and hosting providers are like red flags to carpet bombers. Some lack basic DDoS mitigation tools, while others use outdated ones. The results are predictable. In November 2018, customers of the Cambodian ISPs EZECOM, SINET, Telcotech, and Digi suffered a week of intermittent connections caused by a 150 Gbit/s DDoS attack. A few months later, a series of carpet-bombing DDoS attacks crippled a South African ISP for an entire day.
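The detection side of the carpet-bombing problem, as an added illustration that is not code from the article or from any vendor it mentions. It relies on a general property of carpet bombing that the article does not spell out: the attack traffic is spread across many addresses in a target range rather than aimed at one host, so a classic per-destination threshold stays quiet while the aggregate saturates the link. The flow records, the RFC 5737 documentation addresses, and the thresholds (50 MB/s per host, 500 MB/s and 50 distinct hosts per /24) are all constructed for the example.

```python
"""Prefix-level flow aggregation to expose carpet-bombing DDoS.

Added example, not code from the article. Carpet bombing spreads attack
traffic across many addresses of a target range (general fact, not stated
in the article), so per-destination thresholds miss it; aggregating the same
flow records by /24 shows the pattern.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One flow record is (destination address, bytes seen in the window).
# Constructed sample data using RFC 5737 documentation prefixes;
# the window is one second, so bytes per window == bytes per second.
WINDOW_SECONDS = 1


def sample_flows():
    """Constructed flows: low-rate traffic to 200 hosts in 203.0.113.0/24
    (carpet-bombing pattern) plus one busy but legitimate server elsewhere."""
    flows = [(f"203.0.113.{h}", 4_000_000) for h in range(1, 201)]  # 4 MB each
    flows.append(("198.51.100.10", 30_000_000))  # 30 MB: a single busy host
    flows.append(("198.51.100.11", 1_000_000))
    return flows


def per_host_alerts(flows, threshold_bytes):
    """Classic per-destination detection: hosts whose total exceeds the threshold."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return sorted(host for host, b in totals.items() if b > threshold_bytes)


def aggregate_by_prefix(flows, prefix_len=24):
    """Sum bytes and count distinct destinations per prefix of the given length."""
    stats = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    for dst, nbytes in flows:
        net = ip_network(f"{ip_address(dst)}/{prefix_len}", strict=False)
        stats[net]["bytes"] += nbytes
        stats[net]["hosts"].add(dst)
    return {str(net): (s["bytes"], len(s["hosts"])) for net, s in stats.items()}


def carpet_bombing_alerts(flows, prefix_len=24,
                          prefix_threshold_bytes=500_000_000, min_hosts=50):
    """Flag prefixes whose aggregate is high AND spread over many destinations.

    The distinct-host condition separates carpet bombing from a single popular
    server that legitimately dominates its /24 (hypothetical thresholds)."""
    alerts = []
    for net, (nbytes, nhosts) in aggregate_by_prefix(flows, prefix_len).items():
        if nbytes > prefix_threshold_bytes and nhosts >= min_hosts:
            alerts.append((net, nbytes, nhosts))
    return alerts


def to_gbit_per_s(nbytes, window_s=WINDOW_SECONDS):
    """Convert bytes per window into Gbit/s for comparison with link capacity."""
    return nbytes * 8 / window_s / 1e9


if __name__ == "__main__":
    flows = sample_flows()
    # Per-host view: nothing crosses 50 MB/s, so the attack is invisible here.
    print("per-host alerts (50 MB/s):", per_host_alerts(flows, 50_000_000))
    # Prefix view: 200 hosts x 4 MB/s = 800 MB/s, about 6.4 Gbit/s into one /24.
    for net, nbytes, nhosts in carpet_bombing_alerts(flows):
        print(f"carpet bombing suspected on {net}: "
              f"{to_gbit_per_s(nbytes):.1f} Gbit/s across {nhosts} hosts")
```

In practice the same aggregation runs over exported flow data (NetFlow, sFlow, IPFIX) and the prefix total is what gets compared against the capacity of the upstream pipe, which is the comparison that decides whether on-site mitigation can cope or traffic must be scrubbed upstream.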

Extortion on the Rise
Since mid-2020, a new type of extortion campaign has moved into the spotlight. Cybercriminals claiming to be part of the nation-state-backed groups Fancy Bear, Lazarus Group, and the Armada Collective delivered ransom demands in emails that threatened the recipients with DDoS attacks of up to 2 Tbit/s unless they made a 20-Bitcoin payment within a week. Many organizations ignored the emailed threats without consequence. Others — including some well-known ones — suffered substantial operational setbacks as a result of subsequent attacks, as reported by the FBI.

The FBI attributed previous extortion campaigns in 2017 and 2019 to the same cybercrime groups, which at that time targeted financial institutions, retailers, and e-commerce firms.

Attacks Growing Exponentially
But carpet bombing isn't the only cyber threat out there. There are scores of others, and they're increasing in number and frequency so quickly that it's becoming increasingly difficult to beat them off using traditional tools or on-site appliances. One reason for this is that current attacks can be more than 100 times larger than a company's available pipe or backbone. As a result, the entire system collapses and all traffic (including legitimate IP traffic) is blackholed for hours or days. According to the US Department of Homeland Security, the scale of attacks has increased tenfold in recent years, and "it is not clear if current network infrastructure could withstand future attacks if they continue to increase in scale."

In October 2019, Amazon Web Services (AWS) was hit by a major DDoS attack roughly eight hours long that prevented users from connecting. The attack caused AWS to miscategorize legitimate customer queries as malicious. Google Cloud Platform experienced problems at roughly the same time, but the company says the incident was unrelated to DDoS. In February 2020, AWS reported a 2.3 Tbit/s attack — in other words, a little under half of all the traffic that telecom BT sees on its entire UK network during a normal working day.

Conclusion
Hosting providers and ISPs are increasingly being exposed to cyber threats, but during the pandemic, as use of these services has skyrocketed, cyberattackers have broadened their reach to include targets in vertical markets such as e-commerce, online gaming and gambling, healthcare, and educational services (think homeschooling).

No DDoS mitigation solution is foolproof, so it makes sense for organizations to beef up their existing tools with as much timely and reliable threat intelligence as possible. By blocking bad actors from their networks, ISPs can avoid falling victim to carpet-bombing attacks that can cripple their operations. If they're attacked, they should never pay a ransom. Doing so only emboldens the bad guys and supports further criminal activity.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...
 
