Happy Dyn Attack Anniversary!
Oh… there goes Route 53 while Fancy Bear awakes from their hibernation.
Exactly three years after the attack on Dyn–one of the largest attacks in DDoS history–AWS was severely impacted by a DDoS attack on its S3 and Route 53 DNS infrastructure causing outages across the globe.
Meanwhile, a group posing as Fancy Bear is spreading Ransom Denial of Service (RDoS) letters in the finance vertical and following through on their threats. The DDoS attacks already affected South African ISPs, leaving subscribers in Cape Town and Johannesburg with intermittent connectivity issues.
Unrelated to the DDoS campaigns (we assume), the City of Johannesburg fell victim to a cyber attack, which led to its information systems being compromised. The city’s employees received a ransom note from a group called ‘Shadow Kill Hackers’ demanding 4 bitcoin (about $40,000 USD at today’s rate) and claiming control of all of the city’s servers and data, having compromised all passwords and sensitive data. As a precautionary measure, customer-facing systems, including the city’s website, e-services and billing systems, were shut down during the investigation.
Global RDoS Campaign Targeting Financial Sector
Last week, our threat research and Emergency Response Team started receiving notices from customers about RDoS letters from a group posing as ‘Fancy Bear’ demanding 2 bitcoin ($20,000 USD). If demands were not met, the group followed through with actual multi-vector flood attacks leveraging different amplification and reflection protocols including SSDP, NTP, DNS, CLDAP, and the more recently uncovered ARMS and WSD attacks.
[You may also like: More Destructive Botnets and Attack Vectors Are on Their Way]
Coincidence or not, around the same time in 2017, a group identifying itself as Fancy Bear sent very similar extortion letters in a RDoS campaign, demanding between 1-2 bitcoins with the ransom increasing by one bitcoin every day it was not met. Yesterday, we got evidence of new letters emerging from Taiwan, this time from a group posing as Cozy Bear.
Cozy Bear (APT29) is not believed to be the same group as Fancy Bear (APT28), but our best guess would be that any Bear or APT is fit to instill fear into its victims. The letter from Cozy Bear is identical, word for word, to the Fancy Bear RDoS letter except for ‘Fancy’ being replaced by ‘Cozy’. The ransom amount was also set at 2 bitcoin.
The RDoS campaign is still ongoing and is targeting financial institutions around the globe. As of this writing, we have letters from Singapore, South Africa, Scandinavia, Brazil and Taiwan. The ransom letters are sent as email message to several contacts within the targeted company and originate from different email aliases using distinct email providers and domain names. The messages do not seem to be random and the attackers have done their homework on the targets to identify those servers that could impact day-to-day business.
These are not hoaxes and most have already been followed by actual DDoS attacks. Needless to say, hoaxes are very likely this time of year; bottom feeders are happy to take the next wave following real campaigns, be warned!
[You may also like: What to Do When You Are Under DDoS Attack]
Whatever the origin or group behind RDoS letters, we advise organizations not to pay and to immediately seek professional assistance in mitigating potential follow through attacks. Paying the extortionists makes them stronger and provides them with more funds and, not in the least, you are painting a target for yourself as someone that pays on first ransom request…guess who will be in the distribution list for next year’s campaign?
The Effect of Take Downs
Recently, my colleague Daniel Smith wrote about the effect of take downs on the overall DDoS threat landscape. The most notable DDoS-for-Hire platforms (Webstresser.org, Defcon.pro, Str3ssed.me, Bullstresser.net and downthem.org) were taken down and a large-scale raid on bulletproof service provider Cyberbunker 2.0 earlier this year put them out of business.
Take downs do have an immediate effect and will spook smaller criminals, making them more hesitant to actually take action. But there are still enough bold opportunists and criminals on the horizon that are happy to fill a void left by those that were taken down. There is fresh market share that comes available again to gain.
This and last week’s surge of attacks is a powerful reminder that there is a vast underground that thrives and grows on the digitization of our economy, and demonstrate no signs of slowing down any time soon.