FBI warns of global DDoS extortion campaign.
New Zealand’s NZX stock exchange has continued to sustain distributed denial-of-service (DDoS) attacks, Reuters reports, but has resumed trading after agreeing with the Financial Markets Authority on an alternative way of releasing market announcements. According to Reseller News, NZX has brought in Akamai to help mitigate the effects of further DDoS attacks. NZX's Chief Executive Mark Peterson is quoted by Reuters as saying, "NZX has been advised by independent cyber specialists that the attacks last week are among the largest, most well-resourced and sophisticated they have ever seen in New Zealand."
ZDNet says the attack against NZX is connected to a wave of extortionist DDoS attacks being tracked by Akamai and Radware. These attacks are targeting the finance, travel, and e-commerce sectors. The cybercriminals send ransom notes purporting to be from well-known APTs such as Fancy Bear, Cozy Bear, and the Lazarus Group (the criminals don't appear to have any actual connection to a nation-state operator). The ransom demands vary, but Radware says most start at ten bitcoin (approximately $113,000) and then increase by an additional ten bitcoin for each missed deadline. Radware's advisory states, "In many cases the ransom threat is followed by cyberattacks ranging from 50Gbps to 200Gbps. The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP Floods."
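The vectors Radware lists are the ones a network team would want to pick out of its own flow telemetry once a ransom note arrives. The following is an added example, not code from The CyberWire, Radware, or Akamai: it classifies constructed NetFlow/IPFIX-style flow records for one collection window into the vectors named in the advisory (UDP and UDP-fragment floods, unsolicited WS-Discovery replies from UDP port 3702, bare TCP SYNs from many sources, TCP segments with no handshake in the window, and ICMP) and reports which ones exceed a threshold. The victim address, the sample flows, and every threshold are assumptions made for the example.

```python
from collections import defaultdict

# Added example: bucket inbound flow records by the DDoS vectors Radware named.
# The flow records are constructed NetFlow/IPFIX-style summaries for one
# collection window, not captures from the attacks in the article; the victim
# address and all thresholds are assumptions for illustration.

WSD_PORT = 3702                      # WS-Discovery (SOAP-over-UDP), abused as an amplifier
AMPLIFIED_MIN_BYTES_PER_PKT = 1000   # assumed: amplified WS-Discovery replies run to kilobytes
THRESHOLDS = {                       # assumed per-window alerting thresholds (metric, minimum)
    "ws-discovery-amplification": ("flows", 1),
    "udp-frag": ("packets", 1_000),
    "udp-flood": ("packets", 1_000),
    "tcp-syn": ("sources", 50),
    "tcp-out-of-state": ("flows", 10),
    "icmp": ("packets", 10_000),
}
VICTIM = "203.0.113.10"              # assumed victim address (RFC 5737 documentation range)


def flow(proto, src, sport, dst, dport, packets, nbytes, flags="", frag=False):
    """One unidirectional flow record; flags is a TCP flag string ('S', 'SA', 'A', 'R', ...)."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                packets=packets, bytes=nbytes, flags=flags, frag=frag)


# Constructed sample window: some legitimate traffic mixed with each attack vector.
SAMPLE_FLOWS = [
    # legitimate: the victim sent a DNS query and received one reply
    flow("udp", VICTIM, 40001, "198.51.100.53", 53, 1, 80),
    flow("udp", "198.51.100.53", 53, VICTIM, 40001, 1, 200),
    # WS-Discovery amplification: unsolicited replies from UDP/3702, ~3 KB per packet
    flow("udp", "192.0.2.11", WSD_PORT, VICTIM, 80, 400, 1_200_000),
    flow("udp", "192.0.2.12", WSD_PORT, VICTIM, 80, 350, 1_050_000),
    # UDP fragments aimed at the web port
    flow("udp", "192.0.2.20", 5555, VICTIM, 443, 5000, 7_000_000, frag=True),
    # SYN flood: bare SYNs from 100 distinct sources
    *[flow("tcp", f"192.0.2.{i}", 1024 + i, VICTIM, 443, 1, 60, flags="S") for i in range(30, 130)],
    # out-of-state TCP: ACK segments on tuples that never saw a SYN in this window
    *[flow("tcp", f"198.51.100.{i}", 2000 + i, VICTIM, 443, 50, 3000, flags="A") for i in range(10, 40)],
    # legitimate completed handshake: SYN, SYN-ACK, then data-carrying ACKs
    flow("tcp", "198.51.100.7", 51000, VICTIM, 443, 1, 60, flags="S"),
    flow("tcp", VICTIM, 443, "198.51.100.7", 51000, 1, 60, flags="SA"),
    flow("tcp", "198.51.100.7", 51000, VICTIM, 443, 10, 800, flags="A"),
    # ICMP flood from 20 sources
    *[flow("icmp", f"192.0.2.{i}", 0, VICTIM, 0, 2000, 2_000_000) for i in range(200, 220)],
]


def classify_flows(flows, victim):
    """Return {vector: {"flows", "packets", "bytes", "sources"}} for inbound flows to victim.

    UDP replies the victim solicited (it sent a request to that peer/port) and TCP
    segments on tuples where a SYN was seen are treated as legitimate and skipped.
    """
    solicited = {(f["dst"], f["dport"]) for f in flows
                 if f["src"] == victim and f["proto"] == "udp"}
    syn_seen = {(f["src"], f["sport"], f["dport"]) for f in flows
                if f["proto"] == "tcp" and f["dst"] == victim and "S" in f["flags"]}
    buckets = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "sources": set()})
    for f in flows:
        if f["dst"] != victim:
            continue
        if f["proto"] == "udp":
            if f["frag"]:
                vec = "udp-frag"
            elif (f["src"], f["sport"]) in solicited:
                continue                         # reply to something the victim asked for
            elif f["sport"] == WSD_PORT and f["bytes"] / max(f["packets"], 1) >= AMPLIFIED_MIN_BYTES_PER_PKT:
                vec = "ws-discovery-amplification"
            else:
                vec = "udp-flood"
        elif f["proto"] == "tcp":
            if f["flags"] == "S":
                vec = "tcp-syn"                  # bare SYN; a flood shows up as many sources
            elif (f["src"], f["sport"], f["dport"]) not in syn_seen:
                vec = "tcp-out-of-state"         # ACK/RST/FIN with no handshake in the window
            else:
                continue
        elif f["proto"] == "icmp":
            vec = "icmp"
        else:
            continue
        b = buckets[vec]
        b["flows"] += 1
        b["packets"] += f["packets"]
        b["bytes"] += f["bytes"]
        b["sources"].add(f["src"])
    return {v: {**b, "sources": len(b["sources"])} for v, b in buckets.items()}


def detect_vectors(flows, victim):
    """Apply the per-vector thresholds; returns {vector: stats} for vectors over threshold."""
    stats = classify_flows(flows, victim)
    return {v: s for v, s in stats.items()
            if v in THRESHOLDS and s[THRESHOLDS[v][0]] >= THRESHOLDS[v][1]}


if __name__ == "__main__":
    for vec, s in sorted(detect_vectors(SAMPLE_FLOWS, VICTIM).items()):
        print(f"{vec:28s} flows={s['flows']:4d} pkts={s['packets']:7d} "
              f"bytes={s['bytes']:9d} sources={s['sources']:4d}")
```

On the sample window the legitimate DNS reply and the completed handshake are left out, and the five attack vectors are reported; the single legitimate SYN lands in the tcp-syn bucket but would never clear the source-count threshold on its own. Real deployments would key the solicited and SYN-seen sets on a longer window than the one being scored, since a handshake can straddle a collection boundary.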
ZDNet also reports a wave of DDoS attacks this week targeting the DNS infrastructure of numerous European Internet service providers. It's not clear whether these attacks are connected to the extortion campaign, but the publication observes that "the DDoS attacks against financial services subsided right as the attacks against European ISPs got underway." Radware also took note of these attacks in its advisory, but likewise concluded that there's currently no evidence of a link between the two campaigns.
The FBI issued a flash alert concerning the DDoS extortion campaign to US companies last week, saying that thousands of organizations around the world have received ransom notes threatening imminent attacks, according to BleepingComputer. The Bureau advises companies not to pay the ransom, in order to avoid encouraging and funding future attacks. Akamai and Radware echo this advice, with Radware pointing out that paying the ransom also marks the victim organization "as one that is willing to pay under threat."
The Cyber Wire