Insult added to injury as DDOS extortion attacker impersonates well-known threat actors
Extortion and robbery while wearing a disguise are not new crimes in human history, but a threat actor has recently brought the combination online and onto the global stage, using distributed denial of service (DDOS) as the weapon while pretending to be someone else.
This was reported in a recent threat advisory released by NETSCOUT’s ASERT division (ATLAS Security Engineering & Response Team), which provides threat intelligence trends and research.
Risna Steenkamp, General Manager: ESM at value-added distributor Networks Unlimited Africa, says: “We have seen DDOS ransom attacks before – for example, in October last year, South African banks were hit by a wave of ransom-driven DDOS attacks, as were other targets in other countries around the same time. However, with these current attacks, it is interesting to note that the attackers are actually taking on the guise of well-known threat actors to try and increase the fear factor of the attack.”
Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDOS extortion attacks directed mainly at regional financial and travel industry targets, such as banks, stock exchanges, travel agencies and currency exchanges. In some cases, their Internet transit providers were also targeted. In addition, the attacker borrowed the identities of well-known threat actors, posing as groups such as Fancy Bear, Cozy Bear, the Lazarus Group or the Armada Collective.
The ASERT advisory noted that the modus operandi of the attacks was as follows: the attacker first initiated a demonstration DDOS attack against selected elements of the targeted organisation’s online services/application delivery infrastructure, followed by an e-mailed extortion demand for payment via Bitcoin crypto-currency. The extortion demands typically stated that the attacker had up to 2 Tb/sec of DDOS attack capacity at the ready, and threatened follow-up attacks if the extortion payments weren’t transmitted within a set period of time.
In some instances, when the extortion demands were not met, the threatened follow-up attacks did not occur and the attacker moved on to another target, while in other cases, the assailant persisted in striking the targeted organisation, including its upstream transit provider/s.
Steenkamp explains: “These attacks followed in rapid succession on the heels of an almost week-long attack on New Zealand’s NZX Stock Exchange at the end of August, during which time it was plagued by DDOS attacks which forced it to stop trading for four out of five days. The Federal Bureau of Investigation (FBI) in the US has issued an alert around ‘ransom distributed denial of service (RDDOS) attacks’, warning that cyber criminals are targeting organisations from the retail, financial, travel and e-commerce industry verticals.”
As regards the current RDDOS attacks, ASERT observes the following points: "Both the selection of targeted assets as well as the recipients chosen to receive the attacker’s extortion demands are indicative of pre-attack reconnaissance on the part of the threat actor. In multiple instances, critical, yet non-obvious public-facing applications and services, were targeted by the attacker… it appears that the threat actor in question has exercised significant due diligence in identifying e-mail mailboxes which are likely to be actively monitored by targeted organisations."
The advisory also adds: "During extended attacks which include targeting of an organisation’s upstream transit ISP(s), the attacker has apparently made use of basic network diagnostic techniques such as running multiple trace routes in an attempt to identify routers and/or layer-3 switches within the transit ISP network; these network infrastructure devices are subsequently targeted by the attacker."
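The traceroute-based reconnaissance the advisory describes has a defender-side counterpart: a traceroute sweep leaves a distinctive pattern at the network edge, namely packets from one source to one destination whose IP TTL starts near 1 and climbs one hop at a time, usually with a few repeated probes per hop. The following Python is an added example and is not code from NETSCOUT, ASERT or the advisory. It runs over constructed packet-header records (timestamp, source, destination, protocol, TTL; the record layout and the sample addresses are assumptions) and flags source/destination pairs that show such a sweep, so that a transit operator can correlate the activity with the extortion e-mail and prepare mitigations before the infrastructure devices are hit.

```python
"""Flag traceroute-style TTL sweeps in packet-header records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketRecord:
    ts: float    # seconds since epoch, as stamped by the sensor
    src: str
    dst: str
    proto: str   # "udp", "icmp" or "tcp"
    ttl: int     # IP TTL as seen at the sensor (assumed to be recorded)


def parse_record(line: str) -> PacketRecord:
    """Parse one whitespace-separated record: ts src dst proto ttl (assumed layout)."""
    ts, src, dst, proto, ttl = line.split()
    return PacketRecord(float(ts), src, dst, proto, int(ttl))


def constructed_sample() -> list:
    """Constructed data: a three-probe-per-hop UDP traceroute from 198.51.100.7
    towards 203.0.113.10, mixed with ordinary traffic carrying OS default TTLs."""
    lines, t = [], 1600000000.0
    for ttl in range(1, 9):
        for _ in range(3):
            lines.append(f"{t:.2f} 198.51.100.7 203.0.113.10 udp {ttl}")
            t += 0.05
    lines += [
        f"{t + 1:.2f} 192.0.2.5 203.0.113.10 tcp 64",
        f"{t + 2:.2f} 192.0.2.5 203.0.113.10 tcp 64",
        f"{t + 3:.2f} 192.0.2.9 203.0.113.10 tcp 128",
    ]
    return lines


def _finding(src, dst, run, first_ts, last_ts) -> dict:
    return {"src": src, "dst": dst, "hops_probed": len(run),
            "ttl_range": (run[0], run[-1]),
            "duration_s": round(last_ts - first_ts, 2)}


def detect_ttl_sweeps(records, min_hops=5, max_gap_s=30.0, max_start_ttl=3) -> list:
    """Return one finding per (src, dst) pair whose packets show a TTL run that
    starts at <= max_start_ttl and increments by one for at least min_hops hops.
    Repeated probes at the same TTL are tolerated; a TTL jump or a silence longer
    than max_gap_s ends the run. Hosts sending normally start at 64/128/255, so
    they never open a run."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.src, r.dst)].append(r)

    findings = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r.ts)
        run, first_ts, last_ts = [], None, None
        for r in recs:
            stale = last_ts is not None and r.ts - last_ts > max_gap_s
            if stale or (run and r.ttl not in (run[-1], run[-1] + 1)):
                # Run ended (time gap or TTL jumped): evaluate it and reset.
                if len(run) >= min_hops:
                    findings.append(_finding(src, dst, run, first_ts, last_ts))
                run = []
            if not run:
                if r.ttl <= max_start_ttl:
                    run, first_ts = [r.ttl], r.ts
            elif r.ttl == run[-1] + 1:
                run.append(r.ttl)
            last_ts = r.ts
        if len(run) >= min_hops:
            findings.append(_finding(src, dst, run, first_ts, last_ts))
    return findings


if __name__ == "__main__":
    for f in detect_ttl_sweeps([parse_record(l) for l in constructed_sample()]):
        print(f"TTL sweep: {f['src']} -> {f['dst']}, {f['hops_probed']} hops "
              f"(TTL {f['ttl_range'][0]}..{f['ttl_range'][1]}) in {f['duration_s']}s")
```

Two caveats apply. Most flow exports (NetFlow/IPFIX with default templates) do not carry the IP TTL, so this check assumes a packet capture or IDS sensor that records it. Traceroute is also a routine troubleshooting tool, so a sweep on its own is a low-severity signal; its value here is in correlation, for example a sweep from an unfamiliar source against the same prefix that later receives an extortion demand, or sweeps that terminate at router interfaces rather than at customer hosts.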
“This all points to the fact that this new cyber security threat is not to be taken lightly – brains are being applied here, in a cause that is not for the greater good,” says Steenkamp.
“On the upside, and as the advisory outlines, those targeted organisations which had prepared adequately in advance to defend their public-facing Internet properties and related infrastructure were in the happy position of experiencing little or no significant negative effect related to this DDOS extortion campaign. As ever, NETSCOUT provides the industry’s most comprehensive suite of intelligently automated DDOS attack protection products for any enterprise environment.”
You can read the ASERT Threat Advisory “Q3 CY2020 High-Profile DDoS Extortion Attacks” in full here, and for more information on NETSCOUT, please contact Janco Taljaard at firstname.lastname@example.org.