Threat group KillNet has begun selling a new distributed denial of service (DDoS) tool which analysts fear will encourage more cybercriminals to launch DDoS attacks.
The launch of the new tool — which can be rented for a day, a week, or a month — comes as the volume of HTTP DDoS attacks jumped 65% in the three months ending in September.
In an Oct. 26 post, analysts at SOCRadar said they observed KillNet marketing its new “DDoS-for-hire” service on Telegram. The Russian-speaking gang launched the “potent” DDoS tool with another Russophone threat actor, CombatOsint.
“This tool has been designed with precision-targeting in mind. It can allegedly focus its efforts on ‘unfriendly countries,’ suggesting a geopolitical dimension to its use,” the analysts said.
“KillNet seems to have streamlined the user experience, making it easy for individuals to launch attacks without requiring extensive technical know-how.”
SOCRadar described the introduction of the powerful DDoS tool as concerning.
“If it lives up to the hype, businesses, especially those in the mentioned ‘unfriendly countries,’ might have to brace themselves for a surge in potential cyber-attacks.”
The threat group was offering the service via a flexible pricing model under which users could choose between 24-hour, seven-day, or monthly access.
“This flexible pricing model indicates KillNet’s intention to make the tool accessible to a broad audience,” SOCRadar said.
DDoS attacks getting cheaper
Netscout senior threat intelligence analyst Chris Conrad said while news of the new DDoS-for-hire service was concerning, KillNet’s latest venture was far from unprecedented.
“The digital underworld has long been teeming with such services and botnets, which have been persistent menaces for years,” he said.
Earlier this year, the Passion Group, which is linked to KillNet, was observed offering DDoS services to pro-Russian hacktivists.
In its post, SOCRadar shared a Telegram post from another threat group, Krypton Networks, asking its followers if they wanted it to release version 3 of its botnet service, which targets large organizations such as Spotify.
Conrad said tools for launching cyberattacks had become significantly cheaper and easy to access.
“DDoS attacks, once the domain of skilled antagonists, are now accessible to virtually anyone. Astonishingly, with as little as $20, individuals ranging from mischievous teenagers to malevolent adults can unleash cyber havoc.”
Hyper-volumetric attacks spike
In its latest quarterly DDoS threat report published Oct. 27, Clouflare said the volume of HTTP DDoS attacks jumped 65% between the second and third quarters of 2023.
A major contributor to the rise was a surge in hyper-volumetric attacks resulting from a “sophisticated and persistent” DDoS attack campaign that exploited the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487).
The campaign involved thousands of DDoS attacks that peaked in the range of millions of requests per second (rps), with the largest attack hitting a record 201 million rps — almost three times the previous record.
“The challenges that defenders against DDoS face today is the fact that these types of attacks are increasingly volumetric and effective with record-breaking attacks being presented at least once a year,” said Centripetal security engineer Colin Little.
He recommended security teams review the guide to responding to DDoS attacks published last year by the Cybersecurity and Infrastructure Security Agency (CISA).
Netscout’s Conrad said KillNet demonstrated “a distinct absence of innovation in their approach” by launching a DDoS-for-hire service that had become “standard fare” within the cybercriminal community.
“The success of KillNet’s offensives can largely be attributed to the unpreparedness of their targets rather than the sophistication of their strategies. These triumphs spotlight the critical need for robust defensive protocols and strategies,” he said.
Preparation is the best form of defense
Comcast Business executive director and cybersecurity specialist Ivan Shefrin said as well as having comprehensive monitoring and control measures in place, organizations should work with their internet service providers (ISPs) to strengthen their defenses against DDoS attacks.
“[Organizations should] partner with a security provider using distributed scrubbing centers to divert and handle malicious traffic” he said.
“They should also ensure that their ISP optimizes DDoS mitigation to differentiate between legitimate and attack traffic, minimizing false positives and enabling quick attack identification.”
Shefrin recommended making use of BGP Flowspec, a traffic filtering mechanism that extends the Border Gateway Protocol (BGP) to enable routers to exchange traffic flow specifications, allowing for more precise control of network traffic. This enabled DDoS attacks to be mitigated without disrupting legitimate data flow.
