On Monday, January 30, “KillNet” – a pro-Russia group known for distributed denial of service (DDoS) attacks in nations opposed to Russia’s invasion of Ukraine – attacked at least 14 websites of prominent hospital systems in the United States, knocking their public-facing websites offline temporarily. Impacted organizations have noted only short-term disruptions to their websites and no impacts to the targets’ operations. DDoS attacks can be caused when an organization’s websites are flooded with incoming network traffic, thereby overwhelming the system.
In the last year, KillNet has launched coordinated DDoS campaigns against prominent Pro-Ukraine targets, including the websites of the German government, banks and financial systems, airports, and U.S. defense contractors. KillNet triggers the attacks by directing high volumes of internet traffic toward targeted servers with the goal of taking them offline. By targeting U.S. Hospitals and hospital systems across the United States, KillNet has demonstrated its intention to sow fear to a broader audience with this widespread attack.
The KillNet group is known for causing disruption to the victim organizations but not necessarily known for extortion or ransom activities; this however could change given the ever-shifting threat actor landscape.
Most DDOS attacks try to overload system resources to impact availability. Many attackers assume organizations do not have adequate resiliency. Here are some immediate ways to help mitigate a DDOS attack:
1. Know your traffic patterns: Once you have a solid understanding of your baseline, you will be able to detect abnormal activity. Specifically, look for unusual geolocations and bad or unusual IPs. By monitoring your traffic patterns, you will be able to identify the symptoms of an attack.
2. Implement rate limiting: Only accept as much traffic as your host can handle.
3. Scale up your bandwidth: Scaling up the bandwidth does not PREVENT a DDoS attack. That said, it can help your organization weather one while limiting the impacts and disruption to your business.
4. Use your load balancer: By monitoring and shifting loads between resources, you can mitigate overloading.
5. Implement block by location: By blocking traffic based on geolocations, you can eliminate requests from countries with which you don’t do business.
Longer term, implementing the following can mitigate DDOS attacks:
• Multi-Level prevention and protecting of your network: These systems can use anti-spam, content filtering, VPN, firewalls, load balancing, and security layers to spot and block attacks before they overwhelm your networks
• Web Application Firewall (WAF): WAF can add another layer of security – commonly referred to as defense in depth – making it more challenging to gain unauthorized access to an application or exploit a vulnerability in an application.
If you are having trouble identifying your network’s normal traffic patterns, Fortalice can study your traffic patterns with you and help you identify areas to block.
Review your incident response plans (IRPs) and ensure everyone on your IRP team has a paper copy of the playbook. Need help refreshing your IRP? Fortalice’s risk and compliance experts are ready to review your existing policies and procedures. We’ll advise you on necessary improvements to meet industry best practices, as well as steer you toward additional protections.
Identify weaknesses in your security environment. Through the perspective of an attacker, our Offensive Cyber Operations team will mimic sophisticated cyber threats to test systems and produce action steps so your organization can stay ahead of the bad guys.
Monitor the open, deep and dark web for imminent threats to your organization and executives. When faced with increasingly sophisticated attackers, monitoring solutions that provide alerting on this topic are necessary but not sufficient. The Fortalice approach involves automated alerting and monitoring that is human curated by our team of experts who bring years of law enforcement and intelligence experience to the table as your digital bodyguards. Fortalice can assess your organization and executive’s digital footprints, recommend strategies for addressing vulnerabilities in that footprint, and provide ongoing monitoring to keep your digital footprint strong.
If you need additional assistance, the Fortalice team stands ready to assist you in assessing your current risk and road mapping your organization’s future cybersecurity posture. You can reach the Fortalice team at email@example.com.
Increasingly, cyber actors are employing LOTL attack, which blend (and obscure) their nefarious activities with legitimate tools and infrastructure already found (and regularly used) in your environment to mask their presence while greatly minimizing their chances of detection and attribution. Typically, the introduction of a third-part application generates an alert to the host from an endpoint detection and response (EXR) product. Unfortunately, LOTL enables the actor to skirt detection more easily and effectively.
On June 1, Progress Software (Progress) announced it had identified a vulnerability in its MOVEit File Transfer Tool. The vulnerability allowed cybercriminals to exploit a critical SQL injection that could lead to escalated privileges and potential unauthorized access to the environment.