DDoS-as-a-Service

Chris Swagler | February 13th, 2023

 

Pro-Russian threat operators have employed a new DDoS-as-a-Service (DDoSaaS) platform called “Passion” in recent attacks against medical institutions in the United States and Europe. DDoS (distributed denial of service) attacks occur when threat actors flood targeted servers with large volumes of requests and junk traffic, overwhelming them until they stop responding to valid requests. DDoS-as-a-Service platforms rent out their available firepower to individuals wishing to launch disruptive attacks on their targets, removing the need for them to construct their own massive botnets or organize volunteer action.

New DDoS-as-a-Service Platform

The botnets are often constructed by compromising vulnerable IoT devices, including routers and IP cameras, and merging them into a huge swarm that sends malicious requests to specific targets. Even though the origins of the Passion platform are unknown, the operation has distinct ties with Russian threat operator groups, including Killnet, MIRAI, Venom, and Anonymous Russia. Last month, the Passion Botnet was used in cyberattacks targeting medical institutions in the United States, Portugal, Spain, Germany, Poland, Finland, Norway, the Netherlands, and the United Kingdom in retaliation for the sending of tanks in support of Ukraine.

The Passion DDoS-as-a-Service platform’s operators first advertised their service in early January 2023, performing various defacements of websites belonging to Japanese and South African organizations. The service works on a subscription basis, with clients able to purchase desired attack vectors, duration, and intensity. Passion provides ten attack vectors that allow subscribers to customize their attacks as needed and combine vectors to evade targets’ mitigations. The following DDoS-as-a-Service attack methods are supported:

  • HTTP Raw
  • Crypto
  • UAM Browser
  • HTTPS Mix
  • Browser
  • Bypass
  • DNS l4
  • Mixamp l4
  • OVH-TCP l4
  • TCP-Kill l4

A seven-day subscription to the service costs $30, a month costs $120, and a full year costs threat actors $1,440. Bitcoin, Tether, and the Russian payment provider QIWI are all accepted. Passion demonstrates its L4 and L7 attack capabilities and its effectiveness against DDoS mitigation providers, including Cloudflare and Google Shield, using the Dstat.cc measurement service. The pro-Russian DDoS crowdsourcing operation “DDOSIA” was created in October 2022, compensating volunteers who participated in attacks and awarding considerable amounts to those who offered the most firepower. Passion adds to an already thriving DDoS ecosystem, which worsens the situation for global companies that are victims of the attacks.

As threat actor groups are looking to utilize new attack methods and techniques, including DDoS-as-a-Service (DDoSaaS) platforms, it’s critical for global companies to always remain informed of the current threat landscape and regularly update their network infrastructure to prevent future attacks. At SpearTip, our team recognizes security challenges in the cloud aren’t the same as with on-premises solutions. Our vast experience and proven methodology provide our clients with a comprehensive picture of the risks present within their cloud infrastructure and the remediation steps. Our team focuses on security misconfigurations and deviations, including reviewing account privileges and analyzing current logging details from recommended cloud security architecture. SpearTip discovers vulnerabilities in firewall systems and allows companies to dedicate their valuable resources to evaluate and prioritize fixes by providing visibility of actual network gaps, including existing false negatives. We provide clear remediation steps for all uncovered weaknesses to ensure a strengthened security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
