Microsoft details DDoS attacks against healthcare, recent campaigns from KillNet

Microsoft on Friday shared details about the distributed denial-of-service (DDoS) attack landscape against healthcare applications hosted in Azure whilst highlighting the recent attack campaigns launched by KillNet or its affiliated hacktivist groups.

Killnet is a pro-Russia hacktivist group known for its DDoS campaigns against western countries, targeting governments and companies with a focus on the healthcare sector. According to Microsoft's security researchers, the group attempted to evade DDoS mitigation strategies by changing their attack vectors, such as utilizing different layer 4 and layer 7 attack techniques and increasing the number of sources participating in the campaign.

Microsoft measured the number of daily DDoS attacks on healthcare organizations in Azure between November 18, 2022, and February 17, 2023, and observed a significant increase in the frequency of attacks, with the number of daily attacks rising from 10-20 in November to 40-60 in February.

Among the various types of healthcare organizations, pharmaceutical and life sciences organizations were attacked the most, accounting for 31% of all attacks. Hospitals were the second most targeted with 26%, followed by healthcare insurance with 16% and health services and care organizations with 16% of all attacks.

The Microsoft Azure Network Security Team also observed a combination of multi-vector layer 3, layer 4, and layer 7 DDoS attacks. These attacks primarily focused on web applications and utilized a combination of TCP and UDP vectors. The researchers observed layer 7 DDoS attacks consuming many TCP connections and keeping them alive long enough trying to deplete memory state resources to render the application unavailable - a repeated pattern noticed in several cases for attacks attributed to KillNet.

Here's the distribution of DDoS attack types targeting healthcare:

• UDP floods - 53.16%
• TCP - 44.42%
• IP flood - 1.78%
• Packet anomaly - 0.36%
• UDP amplification - 0.28%

As for the campaigns launched by KillNet and affiliate hacktivist groups, the attack targeted a healthcare provider. The attack lasted less than 12 hours and included TCP SYN, TCP ACK, and packet anomalies. The attack throughput wasn't very high, hitting 1.3M pps, and was successfully mitigated.

Similarly, a multinational industrial company was hit by a DDoS attack which lasted several days and included layer 4 TCP SYN and ACK, as well as layer 7 HTTP request attacks on the company's website. The attack volume was similarly not very high, hitting 250K pps, and the majority of the traffic pattern appeared as if it was legitimate client traffic.

According to Microsoft, Russia, Ukraine and the United States were the top three countries from which KillNet and its affiliated adversaries launched the botnet attack. These attacks were successfully mitigated with Azure DDoS Network Protection and Web Application Firewall services.

The blog post also outlines steps to protect against and respond to DDoS attacks, which include enabling DDoS Network Protection, designing applications with DDoS best practices, creating a response plan to quickly recover from such attacks, continuous monitoring of resources and conducting a retrospective after experiencing an attack.

You can find more details about the DDoS attack landscape, mitigation strategies and measures to defend against attacks on the Microsoft Security blog.