The cybersecurity threat landscape in the first quarter of 2022 represented a mixed bag of old and new enemies. New actors dominated the DDoS threat landscape, while application security faced proven attack vectors.
These attacks were largely driven by a threat landscape fueled by geopolitical instability, hacktivists, national threat actors, and a focus on exploiting newly discovered vulnerabilities.
A detailed analysis of real-world network and application attacks as of the first quarter of 2022 revealed some surprising results.
Trends in DDoS attacks
In DDoS, micro-floods increased by 125% in Q1 2022 compared to Q4 2021. Micro-floods are low-throughput attack vectors, with throughputs below 1 Gbps but above 10 Mbps.
They often fly under the radar and cannot be detected using traditional algorithms or techniques that detect higher-throughput attack vectors based on thresholds alone.
By combining many micro-floods, or adding micro-floods to a mix of medium and large attack vectors, attackers can significantly increase the complexity of their attack campaigns. Attackers can make mitigation more difficult by forcing mitigators to adjust their policies constantly.
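As an added illustration (not code from the report or any vendor product), the toy detector below bands each source's throughput by the report's micro-flood definition (above 10 Mbps, below 1 Gbps) and then aggregates per target, so that a swarm of individually sub-threshold micro-floods, or a mix of medium vectors, is still surfaced even though a per-source threshold never trips. The flow samples, IP addresses and detector thresholds are constructed assumptions.

```python
from collections import defaultdict

MICRO_MIN_BPS, MICRO_MAX_BPS = 10_000_000, 1_000_000_000  # report's band: >10 Mbps and <1 Gbps
# Assumed detector tuning for this illustration (not values from the report)
PER_SOURCE_THRESHOLD_BPS = 1_000_000_000  # threshold-only detector alerts above this
AGGREGATE_THRESHOLD_BPS = 1_000_000_000   # per-target sum of all non-background sources
MIN_MICRO_SOURCES = 5                     # concurrent micro-flood sources on one target

# Constructed per-interval samples: (source_ip, destination_ip, bits_per_second)
SAMPLES = (
    [(f"203.0.113.{i}", "198.51.100.5", 120_000_000) for i in range(10, 16)]  # 6 micro-floods
    + [("203.0.113.50", "198.51.100.9", 1_500_000_000)]                        # 1 large vector
    + [("203.0.113.60", "198.51.100.12", 400_000_000),                         # medium mix whose
       ("203.0.113.61", "198.51.100.12", 400_000_000),                         # sum crosses 1 Gbps
       ("203.0.113.62", "198.51.100.12", 300_000_000)]
    + [("192.0.2.7", "198.51.100.5", 1_000_000), ("192.0.2.8", "198.51.100.9", 2_000_000)]  # background
)

def classify(bps):
    """Place one source's throughput in the report's bands."""
    if bps >= MICRO_MAX_BPS:
        return "large"
    if bps > MICRO_MIN_BPS:
        return "micro"
    return "background"

def threshold_alerts(samples):
    """Threshold-only detection: flags sources above the per-source limit, nothing else."""
    return sorted({src for src, _, bps in samples if bps >= PER_SOURCE_THRESHOLD_BPS})

def aggregate_alerts(samples):
    """Per-target detection: sum non-background traffic and count distinct micro-flood sources."""
    total, micro_sources = defaultdict(int), defaultdict(set)
    for src, dst, bps in samples:
        band = classify(bps)
        if band == "background":
            continue
        total[dst] += bps
        if band == "micro":
            micro_sources[dst].add(src)
    alerts = {}
    for dst, bps in total.items():
        reasons = ["aggregate"] if bps >= AGGREGATE_THRESHOLD_BPS else []
        if len(micro_sources[dst]) >= MIN_MICRO_SOURCES:
            reasons.append("micro_swarm")
        if reasons:
            alerts[dst] = {"total_bps": bps, "micro_sources": len(micro_sources[dst]), "reasons": reasons}
    return alerts
```

On the constructed samples the threshold-only detector reports just the single 1.5 Gbps source, while the per-target view also flags the six-source micro-flood swarm (720 Mbps in total) and the three medium vectors that together pass 1 Gbps.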
In addition, the number of malicious events blocked (per customer) increased by almost 75% compared to the first quarter of 2021. However, the total secured volume (in TB) dropped dramatically.
The education and telecommunications sectors were hardest hit by DDoS attacks, accounting for 67% of the DDoS attack volume in the first three months of 2022, while America accounted for more than half of the DDoS attack volume during the same period.
Trends in Application Attacks
On the application side, malicious bot activity increased dramatically. Bad bot transactions increased by 126% in the first quarter of 2022 compared to the first quarter of 2021.
Cross-referencing application attack data against the OWASP Top 10 shows that Broken Access Control (A01 in OWASP 2021) accounted for more than half of all blocked security violations in the first quarter of 2022.
High-tech (31%) and retail (27%) experienced the most application attacks in Q1 2022. Telecommunications/carriers finished in third place with 21%.
Finally, predictable resource location, code injection, and SQL injection were the favorites of threat actors and represented the top three application violations in the first quarter of 2022.
DDoS and Application Threat Landscape Analysis
The first quarter of 2022 was marked by geopolitical, hacktivist denial-of-service, and vulnerability-focused nation-state cyber activities.
After the invasion of Ukraine and the escalation of hybrid warfare, my company tracked an increase in denial-of-service attacks targeting the Russian and Ukrainian governments and related financial institutions. The rise in denial-of-service activity was primarily driven by patriotic hacktivism from pro-Ukrainian and pro-Russian activists.
Ukraine's IT Army brought hacking to the masses, including teenagers, through the gamification of denial-of-service attacks. This included the playforukraine[.]info website, where the in-game achievements are the Russian websites you helped disrupt while playing.
WordPress websites were breached and injected with malicious code that performed denial-of-service attacks against Ukrainian targets whenever a page was loaded. Every visitor to a hacked WordPress site became an application-level bot performing denial-of-service attacks against a list of websites compiled by the authors of the malicious code.
In protest against the invasion of Ukraine, the maintainer of a popular Node.js module called 'node-ipc' deliberately sabotaged his module. Many neural network and machine learning tools use the module, which provides local and remote inter-process communication (IPC).
The developer modified its code to intentionally corrupt files on systems running applications that depend on the node-ipc module, but only if the system was located in Russia or Belarus.
The decentralized financial sector (DeFi) became a prime target for attacks. Crypto exchanges faced denial-of-service attacks following their ban on Russian citizens. Crypto exchanges have also been the target of financially motivated attacks by North Korean state-sponsored threat actors.
A new vulnerability was discovered in the Java Spring framework, a popular framework for building web applications. After its public disclosure in late March and the publication of a proof-of-concept on GitHub by a Chinese researcher, Spring4Shell was quickly exploited, and companies had to rush to patch applications built on the Java Spring framework.
OpIsrael, an annual operation targeting Israeli businesses and civilians, almost didn’t exist this year due to Anonymous’ focus on the Russian/Ukrainian conflict.
OpsBedil, a 2021 hacktivist operation targeting Middle Eastern organizations, returned this year. OpsBedil is considered to be the replacement for the now-defunct OpIsrael operations. OpsBedil's new operations were conducted by DragonForce Malaysia and its subsidiaries throughout Southeast Asia, especially Malaysia and Indonesia.
The current operation, OpsBedilReloaded, is considered a political response to the events in Israel on April 11, 2022. During OpsBedilReloaded, hacktivists defaced websites, leaked sensitive data, and launched denial-of-service attacks. Based on previous OpsBedil TTPs, attack campaigns are expected to last through April, May, and possibly June/July.
Hacktivist campaigns like OpsBedil, while not nearly as infamous as OpIsrael once was, pose a renewed level of risk to the region. Unlike Anonymous, DragonForce Malaysia and its subsidiaries have the time, resources, and motivation to carry out these attacks and pose a moderate threat to Israel.