Qrator Labs 2017 Report on Cybersecurity

We would like to present you, the reader, a shorter version of the annual Qrator Labs report on cyber- and infosecurity, as well as DDoS, that covers the year 2017. Special thanks to our longstanding partner — Wallarm, for supporting us with content on notable vulnerabilities and hacks.

In 2017 Qrator Labs and Wallarm noticed increasing diversification of threats from a widening variety of attack methods. The range of critical vulnerabilities on today’s web is so broad that attackers can choose from many different methods to create problems for almost any organization. A growing number of tools can operate automatically making centralized command & control unnecessary.

If 2016 could be named the year of botnets and terabit attacks, then 2017 was the year of ransomware and routing. The incidents, like Google in Japan and Level3 in the United States, Rostelecom in Russia, and many others demonstrate the persistently strong risks from human factors rooted in mismanagement and insufficient automation. A brave engineer who confidently cancels an important automated script could create the possibility of severe issues in internet service availability and accessibility.

Number of attacks dynamics

Deeper into the rabbit’s hole

We have seen how fast, in just the past year, the whole world transitioned from one state to another. Extortion emails simply threatening DDoS-attacks mass emailed to thousands of companies can provoke panic. Such a state neither helps in protecting the resource, nor allows for long-term planning. Threats should be addressed in advance with preparation.

Many IoT devices are still being hacked by exploiting trivial vulnerabilities, like those involving web UI. Almost all such vulnerabilities are critical, but vendors have limited options, since there is no possibility to deliver a fast patch and upgrade.

IoT hacks have increased since the Mirai toolkit became a standard botnet creation method in 2017. However, an earlier series of botnets had been developed separately and Mirai used some ideas from their code.

More botnets, looking at the BlueBorne, could be easily predicted — more in number and scale, more dangerous, more rigid. Looking ahead in the near term, with the possibility of spreading worms via Wi-Fi we anticipate a rise of botnets made for “small” devices, like smartwatches.

We expect to see the disbursal of massive botnets, capable of flooding without exploiting amplification protocols.

L7 (application layer) attacks are as dangerous as they were before.

If you are an enterprise with a dedicated L2 (data link layer) channel to your connection service provider, it is only a matter of time before any single piece of unsecured equipment or third-party service provider connection is exploited. Commercially offered DDoS-attacks were quite complicated in 2017 — something could be bypassed, something hacked, eventually, the damage is done. 2017 again showed that Windows-based botnets never disappeared. The effects of WannaCry, Petya and NotPetya could be re-created as a DDoS attack, when a subtle software manages the traffic generated from a single computer within a strong network. In our view botnets are becoming bigger — We may be nearing a break-out point where new versions of malware networks assault the internet.

High-bandwidth attacks with Windows-based botnets made last-year’s joke about 1 Tbps L7 attack a sad reality we are seeing more often. So hundreds of application layer Gbps could become a reality in 2018. Right now everything that could be broken with such of attacks (application layer) dies before the offending bandwidth reaches such levels.

Number of attacks on chosen customer segments​

Legacy Infrastructure

In 2017 routing incidents became as infamous as botnets were in 2016. A successful DDoS-attack could render just one, single and separate, web resource or application unavailable, or it could be massive (consider the popular social networks) and dangerous for entire ecosystems using interconnected tools or pieces of infrastructure (hosting, ISP). As we have seen, routing outages could be overwhelming and severe, taking offline almost a whole country.

The networking incident between Google and Japan was perhaps the most severe example of what could happen due to BGP misconfiguration by a big, though single, content provider.

Inthe case of the BGP, we need to be extremely careful, because the possible damage could be immense. Since BGP manages all traffic from one AS to another, we are talking not only about increased latencies for users but more importantly — the possibility of Man in The Middle attacks on encrypted traffic. Such incidents could affect millions of users, entire nations even.

We still live in a world of the open network, but this is increasingly to be appreciated as a luxury and not taken for granted. In 2017, the fact that anyone could get an LIR status and own an AS, thereby becoming an operator is excellent and deserves to be highlighted.

Human factors always have been, are and will continue to be the most vulnerable points of entry for any company or internet service. On the contrary, the human element is also the strongest point of defense, since people do all the work and everything is in their hands. Known technology issues are closely related since the code was also written by a person. It was frighteningly easy to exploit the whole networking world in 2017. All attention was drawn to routing incidents and the ability to successfully intercept any traffic for future or even current needs makes BGP misuse highly probable.

Amount of attacks vs. Attacks bandwidth

Vulnerabilities and Intranet

2017 was also a year of many hacks. From encrypting malware pestilence to exploiting the archives of Vault7 and ShadowBrokers, in addition to notable “human factor” data leakages, with Uber and Equifax being two examples.

Everything is vulnerable. So the real talk should be not about “what’s most vulnerable” but “where the vulnerability can be found earlier.” Where there are vulnerabilities — there are attacks. Moreover, we have common technologies that can replicate weaknesses, patching one and opening another — and attackers watch this activity closely. They know that the more significant a vendor is, the more time it will take for them to develop and deliver a patch.

The Cloud is already a legacy system with issues that are being inherited by new generations of technology. The Uber and OneLogin leaks started with the Amazon keys being publicly exposed on Github or elsewhere.

Another serious issue is the situation with MongoDB, Cassandra, Memcached and other databases in use. When administrators forget to set an appropriate level of security attackers will find those holes. This was the case with the Ai.Type smartphone keyboard when it lost the data of 31M user accounts with almost key logged activity.

2017 showed that many different kinds of hardware could be vulnerable to numerous types of cyberattacks. We will see many more incidents involving outdated hardware and software.

Smartphone-enabled attacks could be made by either malware applications in stores or based on vulnerabilities. Browser extensions, network devices (already suffered enough during the last three years) and middleboxes, all could be tested for resistance to attack again and again and would probably fail.

The main purpose of building a DDoS-attack mitigation solution is to establish a defense that is cheaper than the offense, taking the financial advantage from the attackers. And this is a very difficult task because of two strong factors:

A. Reckless approach to main infosecurity issues and threats

B. Threatened infosecurity market, news affecting companies lives

Attacks duration, minutes


A whole new market for ICO hacks has grown throughout 2017. The tendency of attacking during an organization’s most stressful moment persists, and with various cryptocurrency startups, these come in the form of hacks or DDoS’s, often in combination. If the ICO market grows we expect this trend to increase as well.

ICOs are of primary interest to both sides of the market. Because of cryptocurrencies and ICO’s, a whole new industry of hacking them has emerged before our eyes. There are large amounts of money, and the technical side is rather weak, which we described in 2017. They are being hacked continuously.

BTC mining pools are experiencing DDoS attacks in the last seconds of each block to spawn additional branches of correct calculation. Cloud wallets are also under fire and we saw several hacks throughout the year. Cryptocurrency mining on foreign machines could be profitable, even for zombie machines like old PCs and servers that were infected.

Networking attacks on the hyperledger infrastructure (like DDoSing bitcoin mining pools at the end of each block) and cryptocurrencies will grow in numbers. Each complex technology has a foundation, and if there are fractures in it, the building would not last for long.

Few more words

APIs (Application Programming Interface) become more and more critical for the more significant customers — they are more professional, and want to have more control over traffic scrubbing and filtration. This shouldn’t be underestimated.

Probably most notable are not the attacks themselves but the progress we as vendors of the security solutions have made in learning as we begin to cooperate and communicate, not just compete, in order to mitigate dangerous threats, like botnets. When they start to appear, threatening the existence of entire industries not just “naturally selected” companies, cooperation begins on multiple levels: formal, informal, B2G and B2C. We have already seen success in suppressing the botnets deployed in 2017, we hope to see it again in the future.

Here is the full version PDF.

Thanks for reading!