It wasn’t the Russians (this time)

Fancy Bear is a Russian APT group best known for their hack of the Democratic National Committee during the 2016 election. A new group has recently been impersonating them and appears to control a large botnet, which it is using to perform distributed denial of service (DDoS) attacks against financial institutions and ISPs located mainly in South Africa, Singapore and Scandinavian countries (https://www.zdnet.com/article/a-ddos-gang-is-extorting-businesses-posing-as-russian-government-hackers/). Botnets are commonly used for DDoS attacks, in which each bot sends hundreds of thousands of packets at a single machine, flooding its bandwidth or exhausting its resources. This group is demanding a payment of 2 bitcoins to stop its attacks, but Fancy Bear is not known to carry out DDoS extortion of this kind.

The attacks appear to have been planned carefully, as they target backend servers that are not usually protected by DDoS mitigation systems. Also unusual is that second- and third-stage attacks are launched using methods that bypass the targeted institutions' initial countermeasures. The protocols used to send the DDoS traffic are DNS, NTP, CLDAP, ARMS and WS-Discovery.

Such an attack, termed an amplification attack, works by using, for example, a Network Time Protocol (NTP) server as a reflector and amplifier for network packets. The attacker sends specially crafted NTP requests to the server but spoofs the source IP address to be the victim's address. The NTP server then sends its responses, which are much larger than the requests, to the victim's machine, flooding its bandwidth and rendering it and its surrounding infrastructure inaccessible to legitimate traffic. Each protocol offers a different amplification factor; one of the largest magnitudes seen came via a memcached DDoS attack (https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/) of around 1.3 terabytes per second (TBps) or higher, though memcached was not used in the recent attacks.

DNS and NTP have been popular methods of DDoS amplification attacks for many years now although new protocols are constantly being abused to conduct these types of attacks. At the end of September, a 35 gigabit per second DDoS was observed using the Web Services Dynamic Discovery (WS-Discovery) protocol to amplify traffic (https://www.wired.com/story/ddos-attack-ws-discovery/), which is a relatively new technique. Earlier in October (https://www.zdnet.com/article/macos-systems-abused-in-ddos-attacks/), macOS systems that exposed a specific port online, when Apple Remote Desktop is enabled, were used as amplifiers and reflectors for ARMS DDoS amplification attacks.
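The traffic pattern described in the paragraphs above (a victim receiving large UDP responses from many reflectors it never queried) is something a defender can look for in flow telemetry. The following detector is an added example, not code from the original post or from any of the reporting it links; it runs over constructed NetFlow-style records and reports destinations that are receiving reflector-port traffic from many distinct sources with a high average response size. The port-to-service mapping, the thresholds and the sample records are assumptions chosen for illustration.

```python
"""Flag probable UDP reflection/amplification traffic in flow records.

Added example, not code from the original post. It reads NetFlow-style
records (constructed inline below) and reports destinations that receive
large UDP responses from many distinct reflectors on service ports
associated with DNS, NTP, CLDAP, ARMS and WS-Discovery. The port mapping
and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports of the reflector types named in the post (assumed mapping).
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    3283: "ARMS",
    3702: "WS-Discovery",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one CSV record: src_ip,src_port,dst_ip,dst_port,proto,packets,bytes."""
    src_ip, src_port, dst_ip, dst_port, proto, packets, nbytes = line.strip().split(",")
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto.upper(),
                int(packets), int(nbytes))


def detect_reflection(flows, min_reflectors=3, min_avg_bytes=400):
    """Return {victim_ip: summary} for destinations that look like amplification
    targets: at least `min_reflectors` distinct sources answering from known
    reflector ports, with an average response size of `min_avg_bytes` or more.
    A single server answering with small packets (normal NTP or DNS replies)
    does not trip the detector."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                   "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue  # only consider UDP replies coming from reflector service ports
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["services"].add(REFLECTOR_PORTS[f.src_port])
        agg["packets"] += f.packets
        agg["bytes"] += f.bytes

    findings = {}
    for dst, agg in per_dst.items():
        if agg["packets"] == 0:
            continue  # malformed or empty record; avoid division by zero
        avg = agg["bytes"] / agg["packets"]
        if len(agg["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            findings[dst] = {
                "reflectors": len(agg["reflectors"]),
                "services": sorted(agg["services"]),
                "packets": agg["packets"],
                "bytes": agg["bytes"],
                "avg_bytes_per_packet": round(avg, 1),
            }
    return findings


# Constructed sample records using documentation IP ranges, not real traffic.
# Five reflectors of four service types hit 203.0.113.10 with large replies;
# 198.51.100.5 only sees a normal-sized NTP reply and an unrelated TCP flow.
SAMPLE_RECORDS = """\
192.0.2.1,123,203.0.113.10,41000,UDP,5000,2400000
192.0.2.2,123,203.0.113.10,41000,UDP,4000,1920000
192.0.2.3,53,203.0.113.10,41000,UDP,3000,3600000
192.0.2.4,389,203.0.113.10,41000,UDP,2000,6000000
192.0.2.5,3702,203.0.113.10,41000,UDP,1000,2500000
192.0.2.9,123,198.51.100.5,52000,UDP,10,480
192.0.2.20,443,198.51.100.5,52001,TCP,100,90000
"""

SAMPLE_FLOWS = [parse_flow(rec) for rec in SAMPLE_RECORDS.splitlines() if rec]

if __name__ == "__main__":
    for victim, summary in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, summary)
```

Keying on the source port rather than the destination port is what separates reflected responses from a host's own outbound queries; in production the thresholds would be tuned per site, and the same aggregation can be fed from any exporter that yields per-flow packet and byte counts.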

At the time of writing, we have identified three bitcoin addresses potentially linked to the attacks and they all have zero transactions so far.
