How mass remote work has changed DDoS

It’s hard to imagine a time when Internet connectivity was such an important commodity in our everyday lives. In the pre-pandemic world we relied on it, but the act of national lockdowns, global travel restrictions and quarantine orders pushed us to lean ever more heavily on that connectivity. By Ashley Stephenson, CTO, for Corero Network Security.

While we are reaching the tentative end of the pandemic in many parts of the world - the things that were put in place over the year-and-change of tumult look like they might turn into longer term behaviours, practices and working standards.

Mass remote work is one of them. In early 2020 companies were forced to send legions of workers home, placing them outside the safety net of office security controls and into potentially insecure home environments.

Cybercriminals easily exploited these new vulnerabilities in these already strained organisations. Phishing attempts abounded, with hackers trying to exploit the general panic of the global pandemic, as well as the newfound separation between employer and employee. Between January and April 2020, Interpol reported 907,000 spam messages and 48,000 malicious URLs related to Covid-19. Ransomware gangs also saw their opportunity and attacks spiked in the first two weeks of April.

Given the strained state of enterprise networks, it wouldn't take too much to add the straw that would break the camel's back. Cybercriminal groups didn't miss the opportunity and DDoS boomed. Kaspersky reported that DDoS attacks doubled in the first quarter of 2020 and tripled in the second quarter. Moreover, attackers piled on the pressure with each attack. Corero data shows that there was 70 percent growth in attacks over 10 Gbps. The probability of repeat attacks increased by 68 percent with many organisations being attacked one week and then experiencing follow up attacks the next week.

Attackers saw an opportunity to not just exploit this weakened state, but to leverage vulnerabilities in the very thing that was holding remote work together - the VPN.

During 2020, Corero saw a near 400 percent increase in the use of OpenVPN reflections as an attack vector - in which gangs would use the OpenVPN infrastructure of one organisation to launch DDoS attacks on another organisation. The victims of the attack would obviously suffer from the usual effect of a DDoS attack, but those whose OpenVPN infrastructures were being used as a vector also suffered from degradation in service and maybe completely unusable VPNs.

Another VPN provider, Powerhouse Management, could be exploited to send amplified DDoS attacks. One anonymous security researcher discovered the vulnerability and published their

research on GitHub, showing that the UDP ports of 1500 Powerhouse VPN servers were exposed, and could be used to launch DDoS attacks.

Beyond the pandemic

Remote work looks like it’s here to stay. Mass remote work seems to have proved popular with both employees and employers. The giants of Silicon valley announced early on that they would install remote work so sturdily within their workforces that only a portion of workers would have to be at the office at any one time. Facebook CEO Mark Zuckerberg said last year as much as 50 percent of Facebook’s employees could be working remotely in the next five to ten years. Spotify announced earlier this year that it would be moving to a “work from anywhere policy” for its 6000 employees. The most open throated vindication of remote work was made by Twitter CEO Jack Dorsey, when in 2020 he sent a letter to all Twitter employees saying that his employees would be able to work from home “forever.”

But these are merely a few examples of a broader popularisation of remote work. In April 2021, staffing company Robert Half found 49 percent of all workers said they preferred a hybrid work arrangement in which they spent a portion of their time working in the office and a portion working remotely. Over a third - 34 percent - of respondents said they might quit their jobs if they were made to return to the office full time. A 2021 Dice survey showed that among tech workers, only 17 percent viewed a full return to the office as desirable, where as 59 percent favoured a flexible or fully remote arrangement.

This kind of fundamental shift away from the known quantity of in-office security to a “work from anywhere” model, brings new risks, considerations and of course, vulnerabilities.

Ransomware surged during the pandemic, and according to experts that was largely down to the sudden prevalence of remote work. Many pandemic era ransomware attacks were carried out by attacking the VPNs which employees relied on to work remotely. The breach of Japanese gaming giant Capcom was carried out in precisely this manner.

The same is true for DDoS and VPN, devices which can be easily overloaded with relatively modest attacks. This is a cheap strategy for attackers and a costly outcome for victims. When one VPN is taken down, a whole number of remote workers can lose access to important enterprise systems - thus flinging them into a spiral of downtime and lost productivity.

In this new landscape DDoS threats may also find fertile ground. What makes remote work so vulnerable to DDoS is the sensitivity of its dependencies. Mass remote work requires a great deal of connectivity to ensure smooth sailing outside the workplace - and that gives DDoS gangs a new range of targets to exploit.

Remote working is bandwidth heavy and likely contributed massively to the spike in internet use during the pandemic. As such, we have never been quite as reliant on internet service providers and telecommunications. For attackers, this presents a valuable target to exploit, and potentially extract value from. If one were to paralyse remote working, then they would similarly paralyse the business and could potentially hold them to ransom.

The same is true of service providers who hold up the connectivity for hundreds if not thousands of clients. In late 2020, a DDoS gang launched a 400 gbps attack at Norwegian Telecoms provider, Telenor and demanded a 20 Bitcoin ransom to cease the attack. While Telenor did not pay the ransom, it's not hard to see how damaging an outage could have been to their customers, nor how valuable the return of service could be.

The sudden introduction of mass remote work into the stable and secure networks of the pre-pandemic era is changing our expectations around IT and security. Like so many innovations, it’s been created under great pressure and with such speed that few have had the time to think of the larger security implications. Meanwhile, cybercriminals and DDoS gangs are readily adapting to this new landscape and enterprises need to play catch up.

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.