Axios Codebook

Less-sophisticated website takedowns are proving to be hackers' tool of choice this summer — alarming government officials and putting major companies on the defensive.

Driving the news: The Cybersecurity and Infrastructure Security Agency released an advisory right before the holiday weekend warning about reports of several distributed denial-of-service (DDoS) attacks targeting "multiple organizations in multiple sectors."

• Microsoft confirmed last month that a DDoS attack caused outages across its Azure, Outlook and OneDrive services.

The big picture: For decades, hackers have been using DDoS attacks to briefly take websites offline by overwhelming their servers with an absurd amount of malicious bot traffic.

• But in the last few months, the number of DDoS attacks has grown — and more sophisticated hackers have started using them as part of larger hacking campaigns to further antagonize their victims.

What they're saying: "As we have this sort of fragmented approach and this move to APIs and move to the cloud and all of these things, what we're seeing is a lot more instances where attackers are able to hit these websites where it hurts," Erick Galinkin, principal researcher at Rapid7, told Axios.

Zoom out: The cybersecurity establishment has largely shrugged off DDoS attacks, since they've typically been the work of low-level hacking groups looking for media attention or to make a name.

• The attacks also don't last long: 89% of DDoS attacks in 2022 lasted less than an hour, according to Microsoft.
• DDoS has also been the tactic of choice among politically motivated hacktivist groups, like Killnet and Anonymous Sudan, in the last year.

By the numbers: The total number of DDoS attacks grew 47% in the first quarter of 2023 compared to the same period last year, according to a report from cybersecurity company StormWall.

• Attacks on the finance sector and e-commerce companies saw the biggest growth, the report noted.

Between the lines: DDoS attacks have gotten longer and larger, according to Cloudflare, a company that provides DDoS protection.

• Part of the reason for this is that botnets — networks of malware-infected computers controlled by an attacker — are much easier to create and deploy for attacks, Galinkin said.
• "Now you can build a 14-million-strong botnet by infecting lightbulbs and thermostats and fridges and things," he said. "The attack surface for creating the bots that generate the traffic is much larger than it ever has been."

The intrigue: Some hackers have also started combining the ease of launching a DDoS attack with the financial payoff offered by ransomware.

• Galinkin said he's spotted ransomware gangs and data theft extortionist groups launching DDoS attacks on some of his clients while they weighed whether to pay a ransom to decrypt their files or prevent a data leak.
• 16% of those surveyed in Cloudflare's report said that in the first quarter of 2023, they faced a "ransom DDoS attack," where hackers demand a ransom to either stop or avoid a botnet attack on an internet-connected application.

Yes, but: The significance of a DDoS attack still depends on what kind of organization is targeted and for how long, Galinkin said.

• An attack on an e-commerce site that relies heavily on its website to bring in revenue has a bigger impact than an attack on a hospital's payment processing portal, which wouldn't affect core operations, he added.

Be smart: To prepare for an attack, companies should create a contingency plan, such as having a backup server to quickly switch to, in the event they're taken offline, Galinkin said.

• CISA recommended organizations enroll in a DDoS protection service and take inventory of assets that are exposed to the internet.

A court ruling this week is calling into question how the nation's cyber defense agency — as well as several other federal offices — will coordinate their election disinformation efforts leading up to 2024.

What's happening: Earlier this week, a Louisiana federal judge issued a preliminary injunction barring several officials and agencies from communicating with social media companies about content moderation issues.

• Affected entities include several offices focused on election disinformation, including CISA, the Department of Justice and the State Department.
• The Biden administration has appealed the ruling.

Zoom out: The preliminary injunction stemmed from an ongoing lawsuit from Republican attorneys general in Louisiana and Missouri who alleged the administration's efforts to get social media companies to crack down on COVID-19 disinformation, as well as other issues, violate the First Amendment.

Why it matters: The 2024 U.S. election cycle is already in full swing, and the injunction is already reportedly having an impact on the government's election security efforts.

• The State Department canceled a regular meeting with Facebook officials this week to discuss 2024 election preparations and hacking threats, the Washington Post reported.
• Facebook was also scheduled to meet with CISA officials on Thursday, according to the Post, but it's unclear whether that meeting was also canceled. CISA declined to comment Thursday on the impact of the injunction.

The big picture: GOP politicians have been skeptical of CISA's disinformation efforts ever since the 2020 election, when the agency declined to support President Donald Trump's false claims that the vote was rigged.

• Last week, a House Judiciary Committee subcommittee released an interim staff report claiming that CISA is "surveilling and censoring American citizens online, directly and by proxy" under the "pretext of protecting 'election infrastructure.'" CISA called those claims "patently false."

Zoom in: CISA's election security efforts rely heavily on coordination with social media platforms to share information about disinformation and threats they're each seeing — including those from foreign adversaries.

• Each election cycle, the agency also debunks lies, or "rumors," about the election on its website.

Yes, but: The Biden administration filed a motion Thursday to keep the injunction from going into effect while its appeal is considered, arguing that the government "faces irreparable harm with each day the injunction remains in effect."

More than 200 organizations are now said to be facing a data breach tied to security flaws discovered roughly six weeks ago in a popular file-transfer program.

Why it matters: So far, more than 17.5 million victims' data could have been affected by the breaches, according to a tally maintained by Emsisoft researcher Brett Callow. And that number continues to grow nearly every day.

The big picture: The victim list spans several sectors, from energy giant Shell to Wisconsin's Madison College.

• Hackers are believed to have targeted since-patched vulnerabilities in Progress Software Corp.'s MOVEit file-transfer tool to access the sensitive data its customers transferred through the tool.

Catch up quick: Progress Software first notified customers about malicious hackers exploiting a "zero-day" flaw in MOVEit in late May.

• Since then, Progress has patched a couple of other recently discovered vulnerabilities, and federal officials have warned that their own agencies are responding to MOVEit-related incidents.

The intrigue: Russia-linked ransomware gang Cl0p has claimed responsibility for exploiting the MOVEit flaw.

• Cl0p also ran a similar hacking campaign in 2020 targeting the Accellion file-transfer tool.

Yes, but: Detecting and stopping this kind of cyberattack is tricky, since organizations don't always know what tools their employees are running on their devices.

Be smart: Identity fraud experts suggest affected individuals take steps to blunt the impact of hackers stealing their data, including changing their email account passwords and signing up for data broker opt-out services.

@ D.C.

🤫 The Pentagon is planning to tighten its qualifications for who can access classified information after this year's Discord leak. (CBS)

👾 An inside look at how the FBI took down the Hive ransomware gang earlier this year and how the operation marked a shift in the bureau's cybercrime-fighting strategy away from arrests. (Politico)

@ Industry

🧵 Meta's new Twitter competitor, Threads, collects a lot of sensitive information about users, including health and financial information, precise location, and contact information. (TechCrunch)

📉 Cybersecurity firm IronNet received a noncompliance notice from the New York Stock Exchange for failing to file its earnings report on time. (Cybersecurity Dive)

@ Hackers and hacks

⚠️ CISA, the FBI and other organizations have warned that malicious hackers are using a new TrueBot malware to target companies. (The Record)

📦 Toyota is planning to suspend operations at a packaging line after a ransomware attack hit Japan's biggest port last weekend. (Reuters)

📺 Nickelodeon said it's investigating a potential breach following social media rumors that roughly 500 gigabytes of stolen data had been published online. (The Register)

If you're feeling overwhelmed by the sheer number of Twitter replacements that have cropped up online in recent months, you're not alone.

• I am on all of them — Threads, Bluesky, Mastodon and Twitter — although, yes, Threads does collect quite a bit of your personal data.
• I'd love to figure out which one you're all flocking to. If you have a favorite, let's hear it!