CISA warns of targeted DoS, DDoS attacks across organizations in various sectors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced Friday that it is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against several organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.

“If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance,” CISA said in an alert. The agency also called upon organizations to contact their network administrator to confirm whether the service outage was due to maintenance or an in-house network issue. “Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.”

The agency also suggested that organizations contact their internet service provider (ISP) to ask if there is an outage on their end or if their network is the target of an attack and they are an indirect victim. “They may be able to advise you on an appropriate course of action,” it added.

In January, the U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3) said in an analyst note that the KillNet hacktivist group is actively targeting the healthcare and public health sector. It also revealed that the group has previously targeted the U.S. healthcare industry and is known to launch DDoS attacks while also operating multiple public channels aimed at recruitment and garnering attention from these attacks.

Before that, in October, about 14 public-facing U.S. airport websites, including those for some of the nation’s largest airports, were inaccessible as a pro-Russian hacker group claimed responsibility for the attack. The KillNet group has been using DDoS (distributed denial of service) cyberattacks. While no immediate impact on actual air travel was reported, there have been suggestions that the cyberattacks may have inconvenienced people seeking travel information.

“Although a DDoS attack is unlikely to impact the confidentiality or integrity of a system and associated data, it does affect availability by interfering with the legitimate use of that system,” CISA said in guidance released last October. “Because a cyber threat actor may use a DDoS attack to divert attention away from more malicious acts they are carrying out—e.g., malware insertion or data exfiltration—victims should stay on guard to other possible compromises throughout a DDoS response. Victims should not become so focused on defending against a DDoS attack that they ignore other security monitoring.”

“A DoS attack is categorized as a distributed denial-of-service (DDoS) attack when the overloading traffic originates from more than one attacking machine operating in concert,” the document said. “DDoS attackers often leverage a botnet—a group of hijacked internet-connected devices—to carry out large-scale attacks that appear, from the targeted entity’s perspective, to come from many different attackers.”

The document further outlined that in a progressively interconnected world with additional post-pandemic remote connectivity requirements, maintaining the availability of business-essential external-facing resources can be challenging for even the most mature IT and incident response teams. “It is impossible to completely avoid becoming a target of a DDoS attack. However, there are proactive steps organizations can take to reduce the effects of an attack on the availability of their resources,” it added.

It further noted that many ISPs have DDoS protections, but a dedicated DDoS protection service would likely provide more robust protections against larger or more advanced DDoS attacks. Agencies should evaluate current defenses against DDoS, verify DDoS protections are in place, and consider implementing more robust protections if the agency determines its current protections may be lacking.

At the same time, CISA released a Capacity Enhancement Guide that provides federal civilian executive branch (FCEB) agencies additional DDoS guidance that includes recommendations of contract vehicles and services designed for, and only available to, FCEB agencies.  

The guide said that FCEB agencies must include all identified high-value assets (HVAs) when assessing critical assets and services for vulnerabilities and exposure to the internet. They must also enroll all publicly exposed assets in CISA’s Cyber Hygiene Services, verify appropriate configurations of the existing monitoring tools, and conduct at least one agency-level DDoS tabletop exercise. These resources aid stakeholders in conducting exercises and promoting discussions on threat scenarios within organizations.

Last week, CISA and the National Security Agency (NSA) released joint guidance on defending Continuous Integration/Continuous Delivery (CI/CD) environments. The Cybersecurity Information Sheet (CSI) provides recommendations and best practices for organizations to strengthen the security of their CI/CD pipelines against the threat of malicious cyber actors.
