Happy Dyn Attack Anniversary!

Oh… there goes Route 53 while Fancy Bear awakes from their hibernation.

Exactly three years after the attack on Dyn–one of the largest attacks in DDoS history–AWS was severely impacted by a DDoS attack on its S3 and Route 53 DNS infrastructure causing outages across the globe.

Meanwhile, a group posing as Fancy Bear is spreading Ransom Denial of Service (RDoS) letters in the finance vertical and following through on their threats. The DDoS attacks already affected South African ISPs, leaving subscribers in Cape Town and Johannesburg with intermittent connectivity issues.

Unrelated to the DDoS campaigns (we assume), the City of Johannesburg fell victim to a cyber attack, which led to its information systems being compromised. The city’s employees received a ransom note from a group called ‘Shadow Kill Hackers’ demanding 4 bitcoin (about $40,000 USD at today’s rate) and claiming control of all of the city’s servers and data, having compromised all passwords and sensitive data. As a precautionary measure, customer-facing systems, including the city’s website, e-services and billing systems, were shut down during the investigation.

Global RDoS Campaign Targeting Financial Sector

Last week, our threat research and Emergency Response Team started receiving notices from customers about RDoS letters from a group posing as ‘Fancy Bear’ demanding 2 bitcoin ($20,000 USD). If demands were not met, the group followed through with actual multi-vector flood attacks leveraging different amplification and reflection protocols including SSDP, NTP, DNS, CLDAP, and the more recently uncovered ARMS and WSD attacks.

[You may also like: More Destructive Botnets and Attack Vectors Are on Their Way]

Coincidence or not, around the same time in 2017, a group identifying itself as Fancy Bear sent very similar extortion letters in a RDoS campaign, demanding between 1-2 bitcoins with the ransom increasing by one bitcoin every day it was not met. Yesterday, we got evidence of new letters emerging from Taiwan, this time from a group posing as Cozy Bear.

Cozy Bear (APT29) is not believed to be the same group as Fancy Bear (APT28), but our best guess would be that any Bear or APT is fit to instill fear into its victims. The letter from Cozy Bear is identical, word for word, to the Fancy Bear RDoS letter except for ‘Fancy’ being replaced by ‘Cozy’. The ransom amount was also set at 2 bitcoin.

The RDoS campaign is still ongoing and is targeting financial institutions around the globe. As of this writing, we have letters from Singapore, South Africa, Scandinavia, Brazil and Taiwan. The ransom letters are sent as email message to several contacts within the targeted company and originate from different email aliases using distinct email providers and domain names. The messages do not seem to be random and the attackers have done their homework on the targets to identify those servers that could impact day-to-day business.

These are not hoaxes and most have already been followed by actual DDoS attacks. Needless to say, hoaxes are very likely this time of year; bottom feeders are happy to take the next wave following real campaigns, be warned!

[You may also like: What to Do When You Are Under DDoS Attack]

Whatever the origin or group behind RDoS letters, we advise organizations not to pay and to immediately seek professional assistance in mitigating potential follow through attacks. Paying the extortionists makes them stronger and provides them with more funds and, not in the least, you are painting a target for yourself as someone that pays on first ransom request…guess who will be in the distribution list for next year’s campaign?

The Effect of Take Downs

Recently, my colleague Daniel Smith wrote about the effect of take downs on the overall DDoS threat landscape. The most notable DDoS-for-Hire platforms (Webstresser.org, Defcon.pro, Str3ssed.me, Bullstresser.net and downthem.org) were taken down and a large-scale raid on bulletproof service provider Cyberbunker 2.0 earlier this year put them out of business.

Take downs do have an immediate effect and will spook smaller criminals, making them more hesitant to actually take action. But there are still enough bold opportunists and criminals on the horizon that are happy to fill a void left by those that were taken down. There is fresh market share that comes available again to gain.

This and last week’s surge of attacks is a powerful reminder that there is a vast underground that thrives and grows on the digitization of our economy, and demonstrate no signs of slowing down any time soon.

Download “Hackers Almanac” to learn more.

Download Now

Pascal Geenens

As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal got skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and lead security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center