DDoS Archive

Warning of acute ransom DDoS attacks against companies across Europe and North America in the name of Fancy Lazarus

The Link11 Security Operations Center (LSOC) has recently observed a sharp increase in ransom distributed denial of service (RDDoS or RDoS) attacks. Enterprises from a wide range of business sectors are receiving extortion e-mails from the sender Fancy Lazarus demanding 2 Bitcoins (approx. 66,000 euros): “It’s a small price for what will happen when your whole network goes down. Is it worth it? You decide!”, the extortionists argue in their e-mail. So far, LSOC has received reports of RDoS attacks from several European countries, such as Germany and Austria, and the USA and Canada.

How the DDoS extortionists operate

The perpetrators gather information about the company’s IT infrastructure in advance and state clearly in the extortion e-mail which servers and IT elements they will target in the warning attacks. To exert pressure, the attackers rely on demonstration attacks, some of which last several hours and reach volumes of up to 200 Gbps. To achieve these attack bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the contacted company is threatened with massive high-volume attacks of up to 2 Tbps. The organization has 7 days to transfer the Bitcoins to a specific Bitcoin wallet. The e-mail also states that the ransom rises to 4 Bitcoin once the payment deadline passes and by another Bitcoin for each additional day. Sometimes the announced attacks fail to materialize after the ultimatum expires; in other cases, the DDoS attacks cause considerable disruption to the targeted companies.
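As an added example that is not part of the Link11 post: the reflection pattern described above leaves a recognizable signature in flow data, and an operator can look for it while the demonstration attack is running rather than wait for the ultimatum. The POSIX sh plus awk script below takes a constructed flow export, keeps only inbound UDP flows whose source port belongs to a known amplifier service (DNS, NTP, LDAP, SSDP, memcached), and reports per destination address the number of distinct reflectors, total bytes, average packet size and rate. The record format, the thresholds, the addresses and the byte counts are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the Link11 post: triage of flow records for the
# reflection/amplification pattern. Every address and count below is constructed.
set -e

FLOWS=$(mktemp)
trap 'rm -f "$FLOWS"' EXIT

# Constructed flow export. 203.0.113.0/24 plays the victim prefix,
# 198.51.100.0/24 the open resolvers / NTP servers abused as reflectors.
cat > "$FLOWS" <<'EOF'
# ts         src_ip        sport dst_ip        dport proto bytes   pkts
1623052800 198.51.100.11 53    203.0.113.10  33254 17    1400000 1000
1623052800 198.51.100.12 53    203.0.113.10  33254 17    1400000 1000
1623052801 198.51.100.13 53    203.0.113.10  33254 17    1400000 1000
1623052801 198.51.100.14 53    203.0.113.10  33254 17    1400000 1000
1623052802 198.51.100.15 53    203.0.113.10  33254 17    1400000 1000
1623052802 198.51.100.16 123   203.0.113.10  33254 17    440000  1000
1623052800 198.51.100.9  53    203.0.113.20  51234 17    120     1
1623052801 198.51.100.30 443   203.0.113.20  49152 6     900000  700
EOF

# reflection_summary FILE [MIN_REFLECTORS]
# Prints one line per destination that received UDP traffic from an
# amplifier port: distinct reflectors, bytes, mean packet size, Mbit/s,
# and ALERT when both the reflector count and the packet size look amplified.
reflection_summary() {
    awk -v min_refl="${2:-3}" -v min_avg=900 '
    BEGIN { amp[53]=1; amp[123]=1; amp[389]=1; amp[1900]=1; amp[11211]=1 }
    /^#/ || NF < 8 { next }
    $6 == 17 && ($3 in amp) {
        dst = $4
        key = dst SUBSEP $2
        if (!(key in seen)) { seen[key] = 1; refl[dst]++ }
        bytes[dst] += $7; pkts[dst] += $8
        if (!(dst in first) || $1 < first[dst]) first[dst] = $1
        if (!(dst in last)  || $1 > last[dst])  last[dst]  = $1
    }
    END {
        for (dst in refl) {
            span = last[dst] - first[dst] + 1          # seconds covered
            avg  = int(bytes[dst] / pkts[dst])         # mean packet size
            mbps = bytes[dst] * 8 / span / 1e6
            verdict = (refl[dst] >= min_refl && avg >= min_avg) ? "ALERT" : "ok"
            printf "%s reflectors=%d bytes=%d avg_pkt=%d mbps=%.2f %s\n",
                   dst, refl[dst], bytes[dst], avg, mbps, verdict
        }
    }' "$1" | sort
}

reflection_summary "$FLOWS"
```

Many distinct sources answering from port 53, an average packet close to the MTU and a single destination port is what a DNS reflection flood looks like in flow data; the single legitimate DNS answer to 203.0.113.20 (one source, a 120-byte packet) stays below both thresholds. The toy rate here is under 20 Mbit/s; in a real export fed in through nfdump or a similar collector in place of the heredoc, the same aggregation on a 200 Gbps demonstration attack would show thousands of reflectors.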

Suspected perpetrators already made headlines worldwide

The perpetrators are no unknowns. In the fall of 2020, payment providers, financial service providers, and banking institutions worldwide were blackmailed using an identical extortion scheme and hit with RDoS attacks. Hosting providers, e-commerce providers, and logistics companies were also targeted, showing that the blackmailers pick businesses indiscriminately. They also operated under the names Lazarus Group and Fancy Bear or posed as Armada Collective. The perpetrators are even credited with the New Zealand stock exchange outages at the end of August 2020, which lasted several days.

The new wave of extortion hits many companies when a large part of the staff is still organized via remote working and depends on undisrupted access to the corporate network.

Marc Wilczek, Managing Director of Link11: “The rapid digitization that many companies have gone through in the past pandemic months is often not yet 100% secured against attacks. The surfaces for cyber attacks have risen sharply, and IT has not been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision.”

What to do in the event of DDoS extortion

As soon as they receive an extortion e-mail, companies should proactively activate their DDoS protection systems and not respond to the extortion under any circumstances. If the protection solution is not designed to scale to volume attacks of several hundred Gbps and beyond, it is important to find out how company-specific protection bandwidth can be increased in the short term and guaranteed with an SLA. If necessary, this should also be implemented via emergency integration.


LSOC’s observation of the perpetrators over several months has shown: Companies that use professional and comprehensive DDoS protection can significantly reduce their downtime risks. As soon as the attackers realize their attacks are going nowhere, they stop them and let nothing more be heard of them.

LSOC advises attacked companies to file a report with law enforcement authorities. The National Cyber Security Centers are the best place to turn.

Source: https://www.link11.com/en/blog/threat-landscape/new-wave-ddos-extortion-campaigns-fancy-lazarus/

Several recent cyber incidents targeting critical infrastructure prove that no open society is immune to attacks by cybercriminals. The recent shutdown of a key US energy pipeline marks just the tip of the iceberg.

Critical infrastructure is becoming more dependent on networks of interconnected devices. For example, only a few decades ago, power grids were essentially operational silos. Today, most grids are closely interlinked — regionally, nationally, and internationally as well as with other industrial sectors. And in contrast to discrete cyberattacks on individual companies, a targeted disruption of critical infrastructure can result in extended supply shortages, power blackouts, public disorder, and other serious consequences.

According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks “the new normal across sectors such as energy, healthcare, and transportation.” Another report noted that such attacks can have major spillover effects. Lloyd’s and the University of Cambridge’s Centre for Risk Studies calculated the prospective economic and insurance costs of a severe cyberattack against America’s electricity system could amount to more than $240 billion and possibly more than $1 trillion.

Given these potential far-reaching consequences, cyberattacks on critical infrastructure have become a big concern for industry and governments everywhere — and recent events haven’t done much to allay these fears.

A Worldwide Phenomenon
In May 2021, a huge distributed denial-of-service (DDoS) attack crippled large sections of Belgium’s Internet services, affecting more than 200 organizations, including government, universities, and research institutes. Even parliamentary debates and committee meetings were stalled since no one could access the online services they needed to participate.

A few days later, a ransomware attack shut down the main pipeline carrying gasoline and diesel fuel to the US East Coast. The Colonial Pipeline is America’s largest refined-products pipeline. The company says it transports more than 100 million gallons a day of fossil fuels, including gasoline, diesel, jet fuel, and heating oil — or almost half the supply on the East Coast, including supplies for US military facilities.

In August 2020, the New Zealand Stock Exchange (NZX) was taken offline for four trading days after an unprecedented volumetric DDoS attack launched through its network service provider. New Zealand’s government summoned its national cybersecurity services to investigate, and cyber experts suggested the attacks might have been a dry run of a major attack on other global stock exchanges.

In October 2020, Australia’s Minister for Home Affairs, Peter Dutton, said his country must be ready to fight back against disastrous and extended cyberattacks on critical infrastructure that could upend whole industries.

Obvious Uptick in DDoS Attacks
During the pandemic, there’s been a huge increase in DDoS attacks, brute-forcing of access credentials, and malware targeting Internet-connected devices. The average cost of DDoS bots has dropped and will probably continue to fall. According to Link11’s Q1/2021 DDoS report, the number of attacks witnessed more than doubled, growing 2.3-fold year-over-year. (Disclosure: I’m the COO of Link11.)

Unlike ransomware, which must first penetrate IT systems before it can wreak havoc, DDoS attacks appeal to cybercriminals as a more convenient weapon: the attacker does not have to get past multiple security layers to produce the desired effect.

The FBI has warned that more DDoS attacks are employing amplification techniques to target US organizations after noting a surge in attack attempts after February 2020. The warnings came after other reports of high-profile DDoS attacks. In February, for example, the largest known DDoS attack was aimed at Amazon Web Services. The company’s infrastructure was slammed with a jaw-dropping 2.3 Tb/s — or 20.6 million requests per second — assault, Amazon reported. The US Cybersecurity and Infrastructure Security Agency (CISA) also acknowledged the global threat of DDoS attacks.

Similarly, in November, New Zealand cybersecurity organization CertNZ issued an alert about emails sent to financial firms that threatened a DDoS attack unless a ransom was paid.

Predominantly, cybercriminals are just after money. The threat actors behind the most recent and ongoing ransom DDoS (RDDoS or RDoS) campaign identify themselves as the state-backed groups Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective, although it remains unclear whether that is merely a masquerade to reinforce the extortionists’ demands. The demanded ransoms ranged between 10 and 20 Bitcoin (roughly $100,000 to $225,000 at the time of the attacks), to be paid to different Bitcoin addresses.

Mitigating the Risk
Critical infrastructure is often more vulnerable to cyberattacks than other sectors. Paying a ransom has ethical implications, will directly aid the hackers’ future operations (as noted by the FBI), and will encourage them to hunt other potential victims. Targeted companies are also urged to report any RDoS attacks affecting them to law enforcement.

Organizations can’t avoid being targeted by denial-of-service attacks, but it’s possible to prepare for and potentially reduce the impact should an attack occur. The Australian Cyber Security Centre notes that “preparing for denial-of-service attacks before they occur is by far the best strategy; it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.”

However, as the architecture of IT infrastructure evolves, it is getting harder to implement effective local mitigation strategies. Case in point: network perimeters continue to be weak points because of the increasing use of cloud computing services and devices used for remote work. Also, it is increasingly infeasible to blackhole (null-route) the traffic to an attacked address, as legitimate users are cut off too, potentially for hours or days. To minimize the risk of disruption and aim for faster recovery time objectives (RTOs) after an attack, organizations should become more resilient by eliminating human error through stringent automation. These days, solutions based on artificial intelligence and machine learning offer the only viable means of protection against cyberattacks.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Source: https://www.darkreading.com/attacks-breaches/critical-infrastructure-under-attack-/a/d-id/1340960

Today (25 March 2021), the OpenSSL project has issued an advisory for two high-severity vulnerabilities, CVE-2021-3449 and CVE-2021-3450, in the OpenSSL library.

OpenSSL is a commonly used software library for building networking applications and servers that need to establish secure communications.

These flaws include:

  • CVE-2021-3449: A Denial of Service (DoS) flaw caused by a NULL pointer dereference, which only affects OpenSSL server instances, not clients.
  • CVE-2021-3450: An improper Certificate Authority (CA) certificate validation vulnerability which impacts both the server and client instances.

DoS vulnerability fixed by a one-liner

The DoS vulnerability (CVE-2021-3449) in OpenSSL TLS server can cause the server to crash if during the course of renegotiation the client sends a malicious ClientHello message.

“If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” states the advisory.

The vulnerability only affects OpenSSL servers running versions 1.1.1 through 1.1.1j (both inclusive) that have both TLSv1.2 and renegotiation enabled.

Because that is the default configuration for these server versions, many active servers are potentially vulnerable. OpenSSL clients are not affected. Servers that cannot upgrade immediately can close the attack path by disabling renegotiation (the SSL_OP_NO_RENEGOTIATION option) or TLSv1.2, since the crash requires a TLSv1.2 renegotiation ClientHello.

Fortunately, the DoS bug took only a one-line fix: resetting peer_sigalgslen to zero when the stored signature_algorithms data is cleared, so that a renegotiation ClientHello without that extension no longer leaves a stale count alongside the now-NULL peer_sigalgs pointer.

[Figure: the one-line fix for CVE-2021-3449, which sets peer_sigalgslen to zero. Source: GitHub]

The vulnerability was discovered by engineers Peter Kästle and Samuel Sapalski of Nokia, who also offered the fix shown above.

Non-CA certificates cannot issue certificates!

The Certificate Authority (CA) certificate validation bypass vulnerability, CVE-2021-3450, has to do with the X509_V_FLAG_X509_STRICT flag.

This flag is used by OpenSSL to disallow use of workarounds for broken certificates and strictly requires that certificates be verified against X509 rules.

The bug is a regression in OpenSSL 1.1.1h through 1.1.1j (fixed in 1.1.1k). Note that the flag is not set by default: an application is only affected if it explicitly enables X509_V_FLAG_X509_STRICT and either sets no verification purpose or, for TLS clients and servers, overrides the default purpose. Most applications are therefore not exposed, but those that opted into strict checking got weaker checking than the default on these versions.

“Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.”

“An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten,” states the advisory.

In effect, a strict-mode verifier failed to enforce that a non-CA certificate must not be the issuer of another certificate. Anyone holding the private key of an ordinary end-entity certificate issued by a trusted CA could therefore sign a further certificate for a name of their choosing and have it accepted by an affected verifier.
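The following is an added example, not code from the article or from the OpenSSL project. It builds the chain shape that CVE-2021-3450 mishandled (root CA, an end-entity certificate with CA:FALSE, and a further certificate signed with that end-entity key) and runs openssl verify over it twice, with default flags and with -x509_strict. Subjects, file names and the temporary directory are arbitrary assumptions; the keys use a named curve so that the strict-mode check for explicitly encoded EC parameters (the check whose result clobbered the CA check) passes and the CA check is the only thing standing between the forged certificate and acceptance.

```shell
#!/bin/sh
# Added example (not part of the article or the OpenSSL project): reproduces
# the chain that a CVE-2021-3450-affected strict-mode verifier mis-handled.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req/x509 config so the run does not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# P-256 with named-curve encoding: no explicit EC parameters in any certificate.
newkey() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null
}

# root (CA:TRUE) -> leaf (CA:FALSE) -> forged, signed with the leaf's key.
# A correct verifier must reject "forged": its issuer is not a CA.
build_demo_chain() {
    newkey root.key
    openssl req -new -x509 -config ext.cnf -extensions ca_ext -key root.key \
        -subj /CN=Demo-Root -days 2 -out root.pem 2>>build.log

    newkey leaf.key
    openssl req -new -config ext.cnf -key leaf.key -subj /CN=demo-leaf -out leaf.csr 2>>build.log
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ext.cnf -extensions ee_ext -out leaf.pem 2>>build.log

    newkey forged.key
    openssl req -new -config ext.cnf -key forged.key -subj /CN=forged-by-leaf -out forged.csr 2>>build.log
    openssl x509 -req -in forged.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
        -days 2 -extfile ext.cnf -extensions ee_ext -out forged.pem 2>>build.log
}

# verify_chain [-x509_strict]: prints "accepted" or "rejected"; the verifier's
# own diagnostics land in verify.out.
verify_chain() {
    if openssl verify "$@" -no-CApath -CAfile root.pem -untrusted leaf.pem forged.pem \
            >verify.out 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

build_demo_chain
echo "openssl $(openssl version | cut -d' ' -f2)"
echo "default flags: $(verify_chain)"
echo "-x509_strict:  $(verify_chain -x509_strict)"
grep 'error' verify.out || true
```

On OpenSSL 1.1.1k or later (and on 3.x) both runs print "rejected" and verify.out carries "error 24 at 1 depth lookup: invalid CA certificate", the error for the leaf acting as an issuer. On an affected 1.1.1h to 1.1.1j build, the -x509_strict run is the one in which that CA check is overwritten by the explicit-parameters check; the default-flags run never reaches the curve check and rejects the chain correctly on every version. Note that 3.x strict mode enforces additional requirements (key usage and key identifiers on CA certificates, for instance), which is why the config above sets them explicitly.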

On March 18th, 2021, Benjamin Kaduk from Akamai reported this flaw to the OpenSSL project.

The vulnerability was discovered by Xiang Ding and others at Akamai, with a fix having been developed by Tomáš Mráz.

Neither vulnerability affects OpenSSL 1.0.2, which has itself been out of public support since the end of 2019.

Both vulnerabilities are fixed in OpenSSL 1.1.1k, and users are advised to upgrade to this version to protect their instances.

As reported by BleepingComputer, DHS-CISA had urged system administrators in December 2020 to patch another OpenSSL DoS vulnerability.

Users should therefore protect themselves from security flaws like these by applying timely updates.


Source: https://www.bleepingcomputer.com/news/security/openssl-fixes-severe-dos-certificate-validation-vulnerabilities/

Reports say a ransomware gang has given Acer until March 28 to pay, or it will double the ransom amount.

The REvil/Sodinokibi ransomware group has reportedly targeted computer manufacturer Acer with a $50 million ransomware attack — and its ransom demand may grow, investigators say.
News of the double-extortion ransomware campaign surfaced late last week, when attackers claimed on their data leak website to have breached Acer, Bleeping Computer reported. At the time, attackers published some reportedly stolen files as evidence of a successful intrusion. The documents included bank balances, financial spreadsheets, and financial communications.

Further investigation by LeMagIT and SearchSecurity revealed a ransom demand of $50 million. The former reports that attackers offered Acer a 20% discount on their initial ransom demand if it was paid by March 17, and the company reportedly offered $10 million. As of March 22, the attackers have given Acer a new payment deadline of March 28 or they’ll double the demand.

When contacted for a comment on the attack, Acer responded with the following statement to ComputerWeekly: “Acer routinely monitors its IT systems, and most cyber attacks are well defenced. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”

REvil is known for its high ransomware demands, notes Ivan Righi, cyber-threat intelligence analyst at Digital Shadows, though it’s unknown if any previous victims have paid up in full.

“The large demand suggests that REvil likely exfiltrated information that is highly confidential, or information that could be used to launch cyberattacks on Acer’s customers,” he says.

Source: https://www.darkreading.com/attacks-breaches/acer-reportedly-hit-with-$50m-ransomware-attack/d/d-id/1340481

REvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors.

They are driven by profit and want to make $2 billion from their ransomware service, adopting the most lucrative trends in their pursuit of wealth.

Affiliates do the heavy lifting

A REvil representative who uses the aliases “UNKN” and “Unknown” on cybercriminal forums talked to the tech blog Russian OSINT, offering some details about the group’s activity and hints of what they have in store for the future.

Like almost all ransomware gangs today, REvil runs a ransomware-as-a-service (RaaS) operation. Per this model, developers supply file-encrypting malware to affiliates, who earn the lion’s share from the money extorted from victims.

With REvil, the developers take 20-30% and the rest of the paid ransom goes to affiliates, who run the attacks, steal data, and detonate the ransomware on corporate networks.

“Most work is done by distributors and ransomware is just a tool, so they think that’s a fair split,” REvil representative, Unknown, told Russian OSINT.

This means that the developers set the ransom amount, run the negotiations, and collect the money that is later split with affiliates.

Long list of victims

The cybercriminal operation has encrypted computers at big-name companies, among them Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group.

Unknown says that REvil affiliates were able to breach the networks of Travelex and GSMLaw in just three minutes by exploiting a vulnerability in Pulse Secure VPN left unpatched for months after the fix became available [1, 2].

[Image: Pulse Secure VPN exposure data; source: Bad Packets]

REvil’s public-facing representative says that the syndicate has hit the network of a “major gaming company” and will soon announce the attack.

They also say that REvil was responsible for the attack in September against Chile’s public bank, BancoEstado. The incident prompted the bank to close all its branches for a day but did not affect online banking, apps, and ATMs.

Along with managed services providers (MSPs) that have access to networks of multiple organizations, the most profitable targets for REvil are companies in the insurance, legal, and agriculture sectors.

As for initial access, Unknown mentioned brute-force attacks, exposed Remote Desktop Protocol (RDP) services, and newly disclosed vulnerabilities.

One example is the pair of Windows Remote Desktop Gateway vulnerabilities tracked as CVE-2020-0609 and CVE-2020-0610 and known as BlueGate, which allow unauthenticated remote code execution on systems running Windows Server 2012, 2012 R2, 2016, and 2019.

New money-making avenues

REvil initially made its profit from victims paying the ransom to unlock encrypted files. Since the attackers also locked backup servers, victims had few options to recover, and paying was the quickest way.

The ransomware business changed last year when operators saw an opportunity in stealing data from breached networks and started to threaten victims with damaging leaks that could have a much worse impact on the company.

Even if it takes longer and causes a significant setback, large businesses can recover encrypted files from offline backups. Having sensitive data in the public space or sold to interested parties, though, can be synonymous with losing the competitive advantage and reputation damage that is difficult to rebuild.

This method proved to be so lucrative that REvil now makes more money from not publishing stolen data than from decryption ransom.

Unknown says that one in three victims are currently willing to pay the ransom to prevent the leaking of company data. This could be the next step in the ransomware business.

REvil is also considering another tactic designed to increase their odds of getting paid: hitting the victim with distributed denial-of-service (DDoS) attacks to force them to at least (re)start negotiating a payment.

SunCrypt ransomware used this tactic recently on a company that had stopped negotiations. The attackers made it clear that they launched the DDoS attack and terminated it when negotiations resumed. REvil plans to implement this idea.

REvil’s model for making money is working and the gang already has plenty in their coffers. In their search for new affiliates, they deposited $1 million in bitcoins on a Russian-speaking forum.

The move was designed to show that their operation generates plenty of profit. According to Unknown, this step is to recruit new blood to distribute the malware, as the ransomware scene is full to the brim with professional cybercriminals.

Although they have truckloads of money, REvil developers are confined to the borders of the Commonwealth of Independent States (CIS, countries in the former Soviet Union) region.

One reason is that their attacks on a large number of high-profile victims have prompted investigations by law enforcement agencies from all over the world. As such, traveling is a risk REvil’s developers are not willing to take.

REvil built on older code

This ransomware syndicate is also referred to as Sodin or Sodinokibi but the name REvil is inspired by the Resident Evil movie and stands for Ransomware Evil.

Their malware was first spotted in April 2019 and the group started looking for skilled hackers (elite penetration testers) shortly after GandCrab ransomware closed shop.

Unknown says that the group did not create the file-encrypting malware from scratch but bought the source code and developed on top of it to make it more effective.

It uses elliptic curve cryptography (ECC), which offers security comparable to RSA at much smaller key sizes. Unknown says that this is one reason affiliates choose REvil over other RaaS operations like Maze or LockBit.

Before shutting their business, GandCrab developers said they made $150 million, while the entire operation collected more than $2 billion in ransom payments.

Clearly, the REvil developers’ ambitions are greater.

BleepingComputer was told that Unknown confirmed that the interview (in Russian) was real.

Source: https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/