Sustained DDoS Attack on South African Banks Accompanied by Ransom Notes

By Scott Ikeda

South African banks have been experiencing a sustained campaign of distributed denial of service (DDoS) attacks since last week, as part of a wave of ransom-driven incidents taking place throughout October.

The South African Banking Risk Information Centre (Sabric) issued a warning that banks in the country had been experiencing repeated attacks of this nature, and that ransom notes had been delivered to a number of staff email addresses. These attacks appear to have begun sometime early in the month.

The DDoS campaign does not appear to be related to the recent attack on the IT infrastructure of Johannesburg, in which a ransom was also demanded. It is unclear if there is any relationship with recent hacking activity directed at South African ISPs, which have been hit by a wave of similar attacks in recent weeks.

The statement indicated that this is believed to be a part of a multi-jurisdictional attack that has been taking place in locations outside of South Africa, but did not name the other countries being targeted.

Impact of the 2019 South African bank DDoS attacks

Impact to South African bank customers has been minimal thus far. The Sabric statement indicated that the organization expects this to continue to be the case, anticipating only “minor disruptions” to online services.

The statement also indicated that no customer information had been exposed in the wave of ransom driven attacks.

The DDoS attacks appear to be focusing on the public-facing elements of South African banks. This attack type does not by itself put sensitive customer data or financial information at risk of a breach: it seeks only to knock bank servers offline by flooding them with constant requests from thousands of devices.
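As an added example (not part of the article or of Sabric's material), the following Python script shows the defender's side of the pattern just described: it reads web-server access logs, groups requests into fixed time windows and flags a window in which a high request rate arrives from many distinct source addresses. The log lines are constructed, and the window size and thresholds are assumed values that a real deployment would tune to its own baseline traffic.

```python
"""Volumetric request-flood detector over access-log lines.

Added example, not code from the article. The sample log is constructed;
the window length and thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format prefix: client, ident, user, [timestamp], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, epoch_seconds, request) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def build_sample_log():
    """Constructed traffic: 10 s of normal use by three clients, followed by
    10 s in which 200 distinct (made-up, documentation-range) sources each
    send one request per second on top of the normal traffic."""
    lines = []
    stamp = "[28/Oct/2019:10:00:%02d +0200]"
    normal_clients = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    for sec in range(20):
        for ip in normal_clients:
            lines.append(f'{ip} - - {stamp % sec} "GET /login HTTP/1.1" 200 512')
        if sec >= 10:
            for n in range(200):
                lines.append(f'198.51.100.{n} - - {stamp % sec} "GET / HTTP/1.1" 503 0')
    return lines


def summarize_windows(lines, window=10):
    """Group parsed requests into fixed windows of `window` seconds.
    Returns {window_start_epoch: (request_count, distinct_source_count)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ip, epoch, _ = parsed
        start = epoch - epoch % window
        counts[start] += 1
        sources[start].add(ip)
    return {w: (counts[w], len(sources[w])) for w in counts}


def flag_floods(windows, window=10, rps_threshold=10.0, min_sources=50):
    """Flag windows whose request rate exceeds rps_threshold AND whose traffic
    comes from at least min_sources distinct addresses. The source-count test
    separates a distributed flood from a single misbehaving client, which is
    a per-client rate-limiting case rather than a DDoS."""
    flagged = []
    for start in sorted(windows):
        count, distinct = windows[start]
        if count / window > rps_threshold and distinct >= min_sources:
            flagged.append((start, count, distinct))
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    for start, count, distinct in flag_floods(summarize_windows(log)):
        when = datetime.fromtimestamp(start).isoformat()
        print(f"flood window starting {when}: {count} requests from {distinct} sources")
```

The second condition is the point of the example: a host that only looks at request volume will also fire on one buggy client, whereas the combination of rate and source spread is what distinguishes the botnet traffic the article describes and what an upstream provider would use to decide when to start scrubbing.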

South Africa’s ongoing cyber security woes

The wave of attacks comes only months after a report in the national Times newspaper indicating that South African cybersecurity was in a precarious state, due primarily to a lack of available skilled staff in the country.

With a significantly higher rate of internet connectivity than most other countries in Africa, South Africa is a major regional target. Ironically, the banking sector of the country has generally been regarded as being the best-prepared for potential cyber attacks. However, even in the banking sector, both public and private industry have been very reluctant to share information about any sort of cyber attacks.

A regional security study conducted over the summer by World Wide Worx reinforces the idea that organizations in the country are anticipating a realistic level of cyber attacks and are trying to be prepared, but are struggling to keep their IT security staff at adequate levels. 35% of South African businesses are expecting regular attacks, and 57% are equipped to detect an attack within a few minutes, but only 55% feel that they have adequate skill in their IT security teams to successfully protect the business. 77% of IT decision makers also reported running outdated software that made the company highly vulnerable.

All of this is part of a general “brain drain” experienced across all of South Africa’s professional sectors in the past few years. The country has lost about 900,000 skilled professionals, and cannot keep up with importing replacements due to restrictive visa policies. These professionals are mostly fleeing due to significant economic advantages in other English-speaking countries that have a similar shortage of qualified professionals.

Financially motivated DDoS attacks trending upward?

DDoS attacks for ransom are not a new phenomenon, but they have not generally been a preferred method of cyber criminals seeking remuneration.

DDoS attacks have typically been more the province of disgruntled former employees, or even students looking to postpone a test they do not want to take. This attack type has to date been associated more with mischief, petty revenge and projection of power than as a means of reliably making money.

That may be changing. While phenomena such as the resurgence of ransomware and the abundance of unprotected cloud storage servers have been dominating the news, DDoS attacks have been quietly growing as well. In the first quarter of 2019, the overall attack count was up 200% from 2018 and attacks of over 100 GB in size were up a whopping 967%.

DDoS attacks are the primary driver behind the creation of botnets, which are in turn mostly composed of Internet of Things (IoT) devices. What use is a compromised smart coffee maker or smart thermostat? The main use is as one of thousands, even millions of devices yoked together in a botnet to drain the cyber resources of a DDoS target with repeated online requests.

Unfortunately, the IoT industry has a broad and unresolved security problem. Many products ship with no password at all, or with a default password that is common to that device type and cannot be changed. Even if the end user is able to change the password and practices good security hygiene with all of their IoT devices, the manufacturer may undercut them by never pushing firmware patches for vulnerabilities discovered after the product ships.

Protection from DDoS attacks

DDoS protection is usually handled capably by a good web host. Network capacity is the key concern. Most hosts have much greater capacity than the typical DDoS attack size, which is why you don’t hear about these attacks grinding web activity to a halt every other day.


The massive spike in large-scale DDoS attacks in 2019 is a somewhat troubling trend in this regard, but these attacks are typically not a big concern for businesses unless they are using a smaller web host (or for some reason are hosting on their own local servers without resources and redundancy measures distributed in the cloud).