Kaspersky Lab Sees Rise In Botnet Activity


Kaspersky Lab saw an increase in activity by both old and new botnets, as well as an increase in the popularity of amplification distributed-denial-of-service (DDoS) attacks, in the first quarter of 2018. The company also noted the return of long-lasting (multiday) DDoS attacks, according to its DDoS Intelligence Report for the quarter.

The cybersecurity company recorded a particularly long DDoS attack that lasted 297 hours, more than 12 days. That was the longest attack the company had recorded since the end of 2015. Overall, DDoS botnets attacked online resources in 79 countries. Kaspersky Lab also reported that China, the U.S. and South Korea continued to see the largest number of attacks, while Hong Kong and Japan replaced the Netherlands and Vietnam among the top 10 most-targeted countries during the first quarter.

The report also noted changes in the top 10 countries hosting the most C&C (command and control) servers: Italy, Hong Kong, Germany and the United Kingdom replaced Canada, Turkey, Lithuania and Denmark in that ranking. The changes were likely the result of more active C&C servers belonging to the Darkai botnet, more AESDDoS bots and the return of the Xor and Yoyo botnets. While most of these botnets run on Linux, the share of Linux-based botnets fell from 71 percent in the fourth quarter of 2017 to 66 percent in the first quarter of 2018.

Kaspersky also noted that amplification attacks gained momentum in the first quarter of 2018. In particular, the company observed a rare type of attack in which the LDAP service was used as an amplifier: the attacker sends small requests to exposed LDAP servers with the victim's address spoofed as the source, and the servers return much larger responses to the victim. Along with Memcached, NTP and DNS, LDAP has one of the highest amplification rates, the company said.
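From the victim's side, the reflection pattern described above shows up in flow data as large UDP responses arriving from many distinct hosts on a reflector service port. The following Python script is an added example written for this page, not code from Kaspersky or its report; the CSV flow-record layout, the thresholds and the sample records are all constructed for illustration. It groups UDP flows whose source port is one of the services the report names (LDAP/CLDAP, memcached, NTP, DNS) by destination and flags destinations that receive large packets from several reflectors at once.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example, not code from the report. The flow-record format below is an
assumption: one CSV line per flow, src_ip,src_port,dst_ip,dst_port,proto,packets,bytes.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the IANA service port,
# which is the *source* port of the amplified responses as seen at the victim.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",      # connectionless LDAP over UDP, the LDAP amplifier in the report
    11211: "memcached",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "udp" or "tcp"
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one assumed CSV flow record."""
    f = [x.strip() for x in line.split(",")]
    return Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(), int(f[5]), int(f[6]))


def find_reflection_targets(flows, min_reflectors=3, min_avg_pkt=400):
    """Return destinations that look like reflection victims.

    A host receiving UDP traffic from >= min_reflectors distinct sources on the
    same reflector port, with an average packet size of >= min_avg_pkt bytes,
    is flagged. Legitimate clients talk to one or two resolvers/NTP servers and
    get small answers, so both thresholds must be exceeded before a report.
    """
    agg = defaultdict(lambda: {"reflectors": set(), "nbytes": 0, "packets": 0})
    for fl in flows:
        if fl.proto != "udp" or fl.src_port not in REFLECTOR_PORTS:
            continue                      # TCP LDAP etc. cannot be spoofed this way
        a = agg[(fl.dst_ip, REFLECTOR_PORTS[fl.src_port])]
        a["reflectors"].add(fl.src_ip)
        a["nbytes"] += fl.nbytes
        a["packets"] += fl.packets

    findings = []
    for (dst_ip, service), a in agg.items():
        avg = a["nbytes"] / a["packets"] if a["packets"] else 0.0
        if len(a["reflectors"]) >= min_reflectors and avg >= min_avg_pkt:
            findings.append({
                "dst_ip": dst_ip,
                "service": service,
                "reflectors": len(a["reflectors"]),
                "nbytes": a["nbytes"],
                "avg_pkt_bytes": avg,
            })
    findings.sort(key=lambda f: f["nbytes"], reverse=True)
    return findings


# Constructed sample: five CLDAP reflectors hammer 203.0.113.10 with ~3000-byte
# packets; the rest is ordinary-looking traffic that must not be flagged.
SAMPLE_FLOWS = """\
198.51.100.11,389,203.0.113.10,40123,udp,1000,3000000
198.51.100.12,389,203.0.113.10,40123,udp,1000,3000000
198.51.100.13,389,203.0.113.10,40123,udp,1000,3000000
198.51.100.14,389,203.0.113.10,40123,udp,1000,3000000
198.51.100.15,389,203.0.113.10,40123,udp,1000,3000000
198.51.100.200,123,203.0.113.10,40123,udp,50,24000
192.0.2.53,53,203.0.113.20,51514,udp,2,300
192.0.2.54,53,203.0.113.20,51515,udp,1,1400
198.51.100.11,389,203.0.113.30,54321,tcp,20,6000
"""


def analyze(text: str = SAMPLE_FLOWS):
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return find_reflection_targets(flows)


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['dst_ip']}: {f['service']} responses from {f['reflectors']} "
              f"reflectors, {f['nbytes']} bytes, avg {f['avg_pkt_bytes']:.0f} B/pkt")
```

In the sample, the single NTP source and the two DNS resolvers stay below the reflector-count threshold, and the TCP flow on port 389 is skipped because reflection requires a spoofable, connectionless transport. Only the CLDAP traffic to 203.0.113.10 is reported. The thresholds are starting points; tune them to the baseline of the network being monitored.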

“Exploiting vulnerabilities is a favorite tool for cybercriminals whose business is the creation of DDoS botnets,” Alexey Kiselev, project manager on the Kaspersky DDoS Protection team, said in a statement. “The events of the first quarter reaffirm a simple truth: The platform companies use to implement multilayered online security must include regular patching of vulnerabilities and permanent protection against DDoS attacks.”