Summary Bullets:
• In new research, telco operator Lumen posits that cybercriminals are taking advantage of the growing number of connected home devices, using them to build out bot networks for DDoS and other application attacks.
• For the first time, banking was the most targeted sector for DDoS attacks, largely because of a single day in September 2023 when Lumen helped one institution stave off 230 separate attacks.
In research Lumen released this week, based on DDoS and application threat data captured on its mitigation platform, the operator observed interesting trends in the way hackers are applying more sophisticated and, in some cases, relentless tactics to flood targeted enterprise servers with malicious traffic and steal data. Threat actors are tapping connected consumer devices to launch denial-of-service incidents.
Lumen’s Black Lotus Labs research arm identified at least 70,000 hijacked SOHO routers and other devices that are part of the AVrecon botnet. AVrecon has been running for over two years without being discovered. AVrecon’s existence, with captured devices in 20 countries, has been validated by researchers outside of Lumen. Leveraging these devices, hackers were able to circumvent many threat detection mechanisms, including geolocation-based and IP address-based rate limiting tools. Attackers used these devices to launch a range of nefarious activities, including data exfiltration through Microsoft Outlook and online advertising fraud. These ‘sneak attacks’ are harder to detect than high-profile DDoS incidents that present in a more obvious way.
The Lumen research notes that the actual number of DDoS attacks against its customers in Q3 2023 dropped 23% from the prior quarter, citing “seasonality” as the cause of the decline. Lumen still blocked 4,217 incidents, an average of 51 per day for the quarter. While Lumen deflected a number of high-bandwidth attacks in H1 2023, the provider saw a 32% decrease in the largest attacks. However, Lumen saw an increase in average bandwidth size of 54%. The biggest of these were launched against telcos, with the majority coming around the July 4th US holiday weekend.
The nature of DDoS attacks is also always evolving. Lumen reported that while the majority of attacks (65%) in Q3 2023 were single-vector attacks and there was a 21% decline in multi-vector attacks, the latter were still very common in the banking industry.
In the September 21, 2023 DDoS onslaught in which Lumen mitigated 260 separate attacks, threat actors employed an unprecedented four-vector campaign. These included DNS amplification, IP fragmentation, invalid packets, and static filtering.

