DDoS Attack Specialist Archive

Warning of acute ransom DDoS attacks against companies across Europe and North America on behalf of Fancy Lazarus

The Link11 Security Operations Center (LSOC) has recently observed a sharp increase in ransom distributed denial of service (RDDoS or RDoS) attacks. Enterprises from a wide range of business sectors are receiving extortion e-mails from the sender Fancy Lazarus demanding 2 Bitcoins (approx. 66,000 euros): “It’s a small price for what will happen when your whole network goes down. Is it worth it? You decide!”, the extortionists argue in their e-mail. So far, LSOC has received reports of RDoS attacks from several European countries, such as Germany and Austria, and the USA and Canada.

How the DDoS extortionists operate

The perpetrators gather information about the company’s IT infrastructure in advance and state clearly in the extortion e-mail which servers and IT elements they will target for the warning attacks. To exert pressure, the attackers rely on demo attacks, some of which last several hours and are characterized by high volumes of up to 200 Gbps. To achieve these attack bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the contacted company is threatened with massive high-volume attacks of up to 2 Tbps. The organization has 7 days to transfer the Bitcoins to a specific Bitcoin wallet. The e-mail also states that the ransom would increase to 4 Bitcoins once the payment deadline passes and by another Bitcoin with each additional day. Sometimes, the announced attacks fail to materialize after the expiration of the ultimatum. In other cases, DDoS attacks cause considerable disruption to the targeted companies.

Suspected perpetrators already made headlines worldwide

The perpetrators are no unknowns. In the fall of 2020, payment providers, financial service providers, and banking institutions worldwide were blackmailed with an identical extortion target and hit with RDoS attacks. Hosting providers, e-commerce providers, and logistics companies were also the focus of the blackmailers, showing they target businesses indiscriminately. They also operated under the names Lazarus Group and Fancy Bear or posed as Armada Collective. The perpetrators are even credited with the New Zealand stock exchange outages at the end of August 2020, which lasted several days.

The new wave of extortion hits many companies when a large part of the staff is still organized via remote working and depends on undisrupted access to the corporate network.

Marc Wilczek, Managing Director of Link11: “The rapid digitization that many companies have gone through in the past pandemic months is often not yet 100% secured against attacks. The surfaces for cyber attacks have risen sharply, and IT has not been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision.”

What to do in the event of DDoS extortion

As soon as they receive an extortion e-mail, companies should proactively activate their DDoS protection systems and not respond to the extortion under any circumstances. If the protection solution is not designed to scale to volume attacks of several hundred Gbps and beyond, it is important to find out how company-specific protection bandwidth can be increased in the short term and guaranteed with an SLA. If necessary, this should also be implemented via emergency integration.

LSOC’s observation of the perpetrators over several months has shown that companies using professional and comprehensive DDoS protection can significantly reduce their downtime risk. As soon as the attackers realize their attacks are going nowhere, they stop them and are not heard from again.

LSOC advises attacked companies to file a report with law enforcement authorities. The National Cyber Security Centers are the best place to turn.

Source: https://www.link11.com/en/blog/threat-landscape/new-wave-ddos-extortion-campaigns-fancy-lazarus/

DDoS – or distributed denial-of-service attacks – first came to prominence in the late 1990s. Even now, they are one of the biggest threats to any organization doing business on the internet.

What is DDoS?

Distributed denial-of-service (DDoS) attacks are a way of attacking online infrastructure, including websites and online applications, by overwhelming the host servers.

This prevents legitimate users from accessing the services.

The term ‘distributed’ refers to the way these attacks invariably come from a large number of compromised computers or devices.

“They can be a relatively simple type of attack to trigger and for sites without enough protection very effective”, says Gemma Allen, senior cloud security architect at Barracuda Networks.

The aim is to interrupt normal operation of the application or site, so it appears offline to any visitors.

“A DDoS puts so much traffic in the queue that your browser thinks the site is offline, and gives up,” says Brian Honan, Dublin-based security expert at BH Consulting. “The legitimate traffic can’t get through.”

What are the aims of a DDoS attack?

The purpose might be blackmail, to disrupt a rival business, a protest (DDoS attacks are frequently associated with hacktivist groups) or as part of a nation-state backed campaign for political, or even quasi-military aims.

The 2007 attack on Estonia was a DDoS attack.

Security researchers also point to DDoS attacks being used as a diversion, allowing hackers to launch other exploits against their targets, for example to steal data. This is what is believed to have happened during the attack on TalkTalk in 2015.

And, as Tim Bandos, vice president of cybersecurity at Digital Guardian, warns, DDoS attacks are not limited to online applications or websites. Any internet-connected device is at risk.

That broadens the attack surface to critical national infrastructure, including power and transportation, and the internet of things (IoT) devices.

How does a DDoS attack work?

“In their simplest form, DDoS attacks work by flooding a service with more of something than it can handle,” says Barracuda’s Allen.

“Of course, in reality, it’s not this simple, and DDoS attacks have been created in many forms to take advantage of the weaknesses.”

Allen explains that an attacker will start out with a discovery phase, setting out to identify weaknesses in the target site or application. They might even use a different form of DDoS to cover up that activity.

Then the attacker chooses the best tool to exploit the site. They might buy an exploit on the dark web, or create their own.

On their own, though, most denial-of-service malware will have a limited impact on a well-resourced server. A DDoS attack works by operating at scale.

As Joseph Stalin supposedly said of the Red Army during WW2, “quantity has a quality all [of] its own”. So with DDoS. The exploits themselves are simple, but launch enough of them and they will overwhelm even the best systems.

To do this attackers build, or buy, a large enough “Zombie network” or botnet to take out the target. Botnets traditionally consisted of consumer or business PCs, conscripted into the network through malware. More recently, internet of things devices have been co-opted into botnets.

It’s claimed, for example, that the Mirai botnet can be rented for $7,500 per attack.

“If we look at the DynDNS attack of 2016, one of the largest DDoS attacks to date, the attack occurred in phases,” says Allen.

“It first appeared in a single region and then expanded to a concerted global effort from millions of computers that had been breached and turned into a botnet.”

Types of DDoS attacks

A DDoS attack ranges from the accidental – genuine users overwhelming the resources of popular sites, such as in a ‘Reddit hug of death’ – to sophisticated exploits of vulnerabilities.

Simple attacks include the ‘Ping of Death’ – sending more data to the host than the Ping protocol allows – or the SYN flood, which manipulates TCP connection handshakes.

More recent and sophisticated attacks might combine a network-layer attack, such as a TCP SYN flood, with a second exploit that goes after the applications, attempting to disable them, or at least degrade their performance.

James Smith, head of penetration testing at Bridewell Consulting, points to three common forms of DDoS attacks:

  • Volumetric attacks
  • Protocol attacks
  • Application (layer) attacks

“All of these render the targets inaccessible by depleting resources in one way or another,” he says.

One of the largest, and most damaging, forms of DDoS is now the UDP amplification attack. UDP is spoof-able. And, as Corey Nachreiner, chief technology officer at WatchGuard Technologies points out, very small UDP requests can generate large bandwidth attacks.

“UDP amplification gives threat actors asymmetric DDoS power. The most recently discovered UDP amplification attacks can magnify the traffic of one host by a factor of 10,000 or more. When combined with traditional botnets, this gives attackers enough DDoS power to affect ISPs.”

Currently, a memcached UDP amplification attack – which doesn’t need a botnet – holds the DDoS record, with 1.7 Tbps of bandwidth.
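As an added illustration of the asymmetry described above (example code written for this page, not from the article or any vendor quoted in it): a small detector that reads constructed flow-log lines and flags hosts that are receiving large UDP responses from many distinct reflectors on the same service port, which is what a reflected amplification flood looks like from the victim’s side. The flow-line format, the reflector port list and the thresholds are assumptions for the example.

```python
"""Flag reflected UDP amplification traffic in simple flow-log lines.

Added example for this page; not code from any article or vendor above.
The log format, reflector port list and thresholds are assumptions.
"""
import re
from collections import defaultdict

# UDP services commonly abused as reflectors. The list is an assumption
# for this example; the text itself names DNS and memcached as vectors.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

# Constructed line format (not a real exporter format):
#   "<proto> <src_ip>:<src_port> > <dst_ip>:<dst_port> <packets> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: four memcached servers and two DNS servers all answering
# 1400-byte packets to one host (203.0.113.10), plus ordinary traffic.
SAMPLE_LOG = """\
udp 198.51.100.5:11211 > 203.0.113.10:4432 120 168000
udp 198.51.100.6:11211 > 203.0.113.10:4432 98 137200
udp 198.51.100.7:11211 > 203.0.113.10:4432 150 210000
udp 198.51.100.8:11211 > 203.0.113.10:4432 110 154000
udp 198.51.100.20:53 > 203.0.113.10:4432 40 56000
udp 198.51.100.21:53 > 203.0.113.10:4432 35 49000
udp 198.51.100.30:53 > 203.0.113.11:51000 2 180
tcp 198.51.100.40:443 > 203.0.113.10:52311 30 21000
udp 203.0.113.10:53122 > 198.51.100.30:53 1 60
"""


def parse_flow(line):
    """Parse one flow line into a dict, or return None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"].lower(),
        "src_ip": m["sip"], "src_port": int(m["sport"]),
        "dst_ip": m["dip"], "dst_port": int(m["dport"]),
        "packets": int(m["pkts"]), "bytes": int(m["bytes"]),
    }


def find_amplification(lines, min_reflectors=3, min_bytes_per_pkt=900):
    """Group inbound UDP flows by (destination, reflector service) and flag
    groups where many distinct sources answer from the same service port
    with large packets. The victim never sent the requests (they were
    spoofed), so only the response side is visible here.
    Returns {(dst_ip, service): stats} for the flagged groups."""
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        g = groups[(f["dst_ip"], REFLECTOR_PORTS[f["src_port"]])]
        g["reflectors"].add(f["src_ip"])
        g["packets"] += f["packets"]
        g["bytes"] += f["bytes"]

    alerts = {}
    for key, g in groups.items():
        bytes_per_pkt = g["bytes"] / g["packets"]
        if len(g["reflectors"]) >= min_reflectors and bytes_per_pkt >= min_bytes_per_pkt:
            alerts[key] = {
                "reflectors": len(g["reflectors"]),
                "reflector_ips": sorted(g["reflectors"]),  # for upstream filtering
                "packets": g["packets"],
                "bytes": g["bytes"],
                "bytes_per_packet": round(bytes_per_pkt, 1),
            }
    return alerts


if __name__ == "__main__":
    for (victim, service), stats in find_amplification(SAMPLE_LOG.splitlines()).items():
        print(f"{victim}: {service} reflection from {stats['reflectors']} hosts, "
              f"{stats['bytes']} bytes, {stats['bytes_per_packet']} B/pkt")
```

With the default thresholds only the memcached group is flagged; lowering `min_reflectors` to 2 also surfaces the two DNS reflectors, which shows why the threshold must be tuned per network.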

What is the impact of a DDoS attack?

A DDoS attack affects victims in a number of ways:

  • Damage to reputation
  • Damage to customer trust
  • Direct financial losses
  • Impact on critical services
  • Impact on third parties and ‘collateral damage’
  • Data loss
  • The direct and indirect cost of restoring systems

What is the cost of a DDoS attack?

According to Kaspersky Labs, the average cost of an enterprise DDoS attack can approach $2 million.

Another report, by Netscout, calculates that the combined annual costs of DDoS attacks to the UK economy are close to £1 billion ($1.3 billion).

Akamai, another vendor in the space, publishes an online DDoS cost calculator.

The exact cost of a DDoS attack will, though, depend on the organization, the product or service it supplies, and the effectiveness of its incident response and post-incident strategy. This could range from a few tens of thousands of dollars to millions.

In the case of a nation-state attack or an attack on critical national infrastructure, the cost could be far higher – leading to social unrest or even the loss of life.

So far, no deaths have been attributed directly to DDoS attacks, but the economic impact is all too real.

How long does a DDoS attack last?

Again, this depends on the attacker, the target and their defenses. An attack might succeed in just a few moments, if the victim’s servers have few defenses. But the consensus in the industry is that an attack will last up to 24 hours.

According to Cloudflare, the largest DDoS attack – so far – against GitHub lasted about 20 minutes, due to the effectiveness of the site’s defenses.

If an attack does not take down the target in 24 hours, it does not mean the victim’s sites or applications are safe. Attackers can simply move on to another botnet, and try again with more data, or by using a different range of exploits.

Are DDoS attacks illegal?

“In the UK the Computer Misuse Act 1990 ‘makes it illegal to intentionally impair the operation of a computer or prevent or hinder access to a program/data on a computer unless you are authorized to do so’. As a result, these types of attacks are criminal under UK law,” says Bridewell Consulting’s Smith.

But law enforcement can only act if they can find the attacker. “The biggest challenge can be finding the people to prosecute,” says Barracuda’s Allen.

“The attacks are distributed and the attacking devices are often unwitting parties. The true attackers are hard to trace and while they may claim an attack, it’s not like they give out their real names.”

Recent DDoS attacks

Not all DDoS attacks are in the public domain, but here are some that made the headlines:

  • UK Labour Party, November 2019: Hacker group Lizard Squad claimed responsibility for an attack which attempted – but failed – to take down the political party’s website.
  • Wikipedia, September 2019: The site was subject to a three-day long attack, which took it offline in EMEA and slowed it down in the US and Africa.
  • Telegram, June 2019: This attack is attributed mostly to China-based IP addresses.
  • UPnProxy, November 2018: The EternalBlue and EternalRed attacks involved 45,113 infected routers.
  • GitHub, February 2018: Still cited as the largest-ever DDoS attack, at a massive 1.7 Tbps.
  • Dyn, 2016: Attack against the US DNS provider, best known because the attack used IoT devices running Mirai malware.

How to prevent a DDoS attack from happening

Dozens of vendors offer web application firewalls (WAFs), often directly through hosting providers, with the cost starting at just a few dollars a month. Businesses can also deploy hardware-based DDoS mitigation appliances at their network edge.

At the enterprise scale, the large distributed network companies, such as Akamai and Cloudflare, offer high-end, distributed DDoS protection. So do vendors, such as Verisign, HPE, and Cisco.

The most basic defense against DDoS is a DIY approach, monitoring and then shutting down requests from suspect IP addresses.

Although this approach is largely free, Brian Honan warns it is unlikely to be effective, especially against sophisticated, large-scale attacks. He also recommends that organizations place their defenses as far away as they can from their servers.

“You might be able to deal with a DDoS in your datacenter, but all of your internet pipe will be used up. So it is questionable how effective that will be,” he said.

Planning is another key element of any DDoS mitigation strategy.

“Having a plan and procedure in place in case of a DDoS attack is paramount, and having monitoring capabilities in place to detect attacks is highly advised,” says Bridewell’s James Smith.

“Organizations also need to have a well implemented patching policy and ensure anything externally facing is up-to-date to help guarantee that any service software that may contain DDoS vulnerabilities is patched in a timely manner.”

Source: https://portswigger.net/daily-swig/what-is-ddos-a-complete-guide

The issue impacts users of the vendor’s Cloud WAF product.

Imperva, the security vendor, has made a security breach public that affects customers using the Cloud Web Application Firewall (WAF) product.

Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity.

Users’ emails and hashed and salted passwords were exposed, and some customers’ API keys and SSL certificates were also impacted. The latter are particularly concerning, given that they would allow an attacker to break companies’ encryption and access corporate applications directly.

Imperva has implemented password resets and 90-day password expiration for the product in the wake of the incident.

Imperva said in a website notice that they learned about the exposure via a third party on August 20. However, the affected customer database contained old Incapsula records that go up to Sept. 15, 2017 only.

“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva also said that it “informed the appropriate global regulatory agencies” and is in the process of notifying affected customers directly.

When asked for more details (such as if this is a misconfiguration issue or a hack, where the database resided and how many customers are affected), Imperva told Threatpost that it is not able to provide more information for now.

Source: https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/

Despite increasing threats, many organizations continue to run with only token cybersecurity and resilience.

According to Ernst & Young’s Global Information Security Survey 2018-19, over half of organizations fail to make organizational protection a key part of their strategic plans. After soliciting the opinions of approximately 1,400 C-suite leaders, EY concludes that larger firms are somewhat more prone to fall short in this area than smaller ones (58% versus 54%).

Overall, EY reports, a solid 77% of organizations still operate with only lackluster cybersecurity and resilience. They may even lack a clear idea of what their most critical information assets are and where they’re located, never mind having adequate safeguards in place to protect them.

Fortunately, cybersecurity budgets are increasing, though bigger firms are more likely to increase their investments in 2019 (63%) and 2020 (67%) than smaller companies (50% and 66%).

System Outages
Whether it’s because of the convergence of operational technology (OT) and IP-based IT networks or the growing use of cloud computing, corporate reliance on the availability of global IT infrastructure is ballooning. And the consequences are rising as well.

Cyberattacks to disrupt the business are now ranked as the third-biggest threat, after phishing (No. 1) and malware (No. 2). This comes as no surprise because distributed denial-of-service (DDoS) attacks, for instance, can trigger a major service interruption that will bring the business to a standstill. Outages have always been painful, but given the trend toward moving workloads and applications off-premises, and operating revenue-critical platforms, business operations virtually come to a stop if the IP network collapses.

“Importantly, more organizations are now beginning to recognize the broad nature of the threat,” says Richard Watson, EY’s Asia-Pacific cybersecurity head. “One thing that has changed for the better over the past 12 months, partly because of some of those big cyberattacks we’ve seen at a global level, is a growing realization that security is also about maintaining the continuity of business operations — and not only about the security of data and privacy.”

No Room for Russian Roulette
Given this reality, it’s jaw-dropping that many organizations seem to think they shouldn’t beef up their cybersecurity practices or dedicate more money to IT unless they’re hit by a major security incident.

For 63% of organizations, a security breach that results in no harm wouldn’t lead to higher spending (although, typically, seemingly innocuous breaches can cause harm that doesn’t manifest until later). Still, many organizations are unclear about whether they’re successfully identifying breaches and incidents.

These firms are playing with fire. As noted in the EY report, the Ponemon Institute estimates the average cost of a security breach to be $3.62 million per incident.

Tackling Corporate Governance
A mere 18% of organizations say that information security has a regular bearing on business strategic plans, a finding that reveals a basic disconnect between cybersecurity and the C-suite. Over half of the EY survey respondents say that information security only somewhat or does not influence their business strategy.

Today, when the digital age and cybercrime are in full bloom, this is somewhere between unwise and unacceptable. In fact, cybersecurity and business strategy must go hand-in-hand and be a continuing agenda item for all executive and non-executive boards, as many board decisions will influence how well the organization is positioned to deal with a prospective cyberattack.

That said, increasingly, the ultimate responsibility for information security lies with the people at the top levels of the company. For 40% of organizations, the CIO assumes this responsibility. However, in 60% of organizations, the person directly responsible for information security does not sit on the board.

Some 70% of organizations report that their senior leaders have a thorough grasp of security or are taking positive steps to better their knowledge of it. Without question, this trend will increase as security becomes a key driver of growth. Right now, smaller organizations are better at keeping their board informed about information security matters than larger organizations. That said, larger organizations have made more progress: 73% have at least a limited understanding of information security, compared with 68% of their smaller counterparts.

Swinging in the Dark
Less than one in 10 organizations says its information security function fully meets its needs, and many are concerned that much-needed improvements are not yet underway. Seventy-eight percent of larger organizations say their information security function is at least partially meeting their needs, but that number drops to just 65% among their smaller counterparts.

Overall, 92% of organizations are concerned about their information security capabilities in certain important areas. For instance, resources: 30% of organizations are grappling with skills shortages, while 25% report that their budgets are constrained. Smaller firms are particularly worried; 28% of them say their information security function does not currently meet their needs or must be improved. Just over half (56%) report skills shortages or budget constraints.

A paltry 15% of firms say their information security reporting fully meets their expectations. Among those that suffered an incident in the past year, less than a third say their security team discovered the breach. Smaller companies will need to move particularly quickly to address the security reporting issue: almost a quarter (23%) don’t produce information security reports, in contrast with 16% of larger organizations. Only 5% describe the financial implications of each breach.

Addressing the Skills Challenge
Although the right personnel are critical to solving information security challenges, recruiting said personnel is easier said than done. The ongoing and global IT security skills shortage won’t go away anytime soon. Estimates project a worldwide shortfall of about 1.8 million security professionals by 2024 — some studies even predict as much as 3.5 million cyber vacancies. At least the shortfall is democratic: Everyone across the board is running into trouble finding the expertise they need, even in the most well-resourced sectors. Take financial services. “The best graduates no longer want to work in the industry, which is hampering efforts to recruit across the sector,” says Jeremy Pizzala, EY Global Financial Services cybersecurity leader.

The upshot is that depending on an in-house team to deal with IT security is probably an exercise in futility. Today, firms must think laterally and place much more emphasis on machine learning, automation, and AI to either replace or complement external service providers.

Source: https://www.darkreading.com/risk/most-organizations-lack-cyber-resilience/a/d-id/1335149

Cloudflare, the backbone of many of the web’s biggest sites, experienced a global outage that left many wondering what could have happened.

The fragility of the internet was exposed yesterday (2 July) when users across the world came across many websites displaying the error message ‘502 Bad Gateway’. Shortly after, social media was flooded with questions as to what caused such an outage across seemingly unconnected sites.

Soon after, Cloudflare, a content delivery and DDoS protection provider, said an error on its part was behind the massive outage. A quick look at the company’s systems status page showed that almost every major city in the world was affected in some way, including Dublin.

23 minutes after Cloudflare confirmed that it was experiencing issues, it announced that it had “implemented a fix”. 35 minutes later, it revealed the cause of the outage.

“We saw a massive spike in CPU that caused primary and secondary systems to fall over,” a statement said. “We shut down the process that was causing the CPU spike. Service restored to normal within ~30 minutes.”

Soon after, it announced that normal operations had resumed. So what could have caused such a major outage so soon after another one that occurred on 24 June?

Testing processes were ‘insufficient in this case’

In a blogpost, Cloudflare CTO John Graham-Cumming was able to reveal that the CPU spike was the result of a “bad software deploy that was rolled back”. He stressed that this was not the result of a well-crafted DDoS attack.

“The cause of this outage was deployment of a single misconfigured rule within the Cloudflare Web Application Firewall (WAF) during a routine deployment of new Cloudflare WAF managed rules,” Graham-Cumming said.

“We make software deployments constantly across the network and have automated systems to run test suites, and a procedure for deploying progressively to prevent incidents. Unfortunately, these WAF rules were deployed globally in one go and caused today’s outage.”

He went on to admit that such an outage was “very painful” for customers and that the company’s testing processes were “insufficient in this case”.

This outage was different to the one that occurred on 24 June, which Cloudflare described as the internet having “a small heart attack”. It was revealed that network provider Verizon directed a significant portion of the internet’s traffic to a small company in the US state of Pennsylvania, resulting in a major information pile-up.

Source: https://www.siliconrepublic.com/enterprise/cloudflare-outage-502-bad-gateway-explained