5/14/2013
12:56 PM

FBI Briefs Bank Executives On DDoS Attack Campaign

The FBI expedited security clearances so it could share classified information on Operation Ababil, the distributed denial-of-service (DDoS) campaign that continues to disrupt U.S. financial websites.

The FBI recently granted one-day clearances to security officers and executives at numerous banks so it could share classified intelligence on the Operation Ababil campaign that's been disrupting U.S. financial websites for almost a year.

The videoconference briefings detailed "who was behind the keyboards" of the attacks, FBI executive assistant director Richard McFeely told the Reuters Cybersecurity Summit Monday, Reuters reported. McFeely is in charge of the bureau's criminal and cyber investigations.

The Operation Ababil distributed-denial-of-service (DDoS) attacks, which typically target a handful of the country's top banks every week, have disrupted the websites of such financial institutions as Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. The attacks have resulted in customers sometimes being unable to access online or mobile banking services.


Banks targeted as part of Operation Ababil have been frustrated by the lack of arrests or apparent progress in the case, McFeely said. But he said that some indictments -- currently under seal -- have been issued for suspects' arrest. Suggesting that the suspects are operating in countries that have no extradition treaty with the United States, he said that the hackers might be caught when they travel to other countries. "The first time we bring someone in from out of the country in handcuffs, that's going to be a big deal," he said.

McFeely said the bureau now makes a point of keeping cybercrime victims up to date, admitting that the FBI was "terrible" about doing so in the past. "That's 180 degrees from where we are now," he said.

The self-proclaimed Muslim hacktivist group Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the banking website disruptions, which it said are retaliation for the posting to YouTube in July 2012 of a film that mocks the founder of Islam. U.S. government officials, however, have accused the group of being a front for Iran. Members of the group have responded by saying they're apolitical and hail from multiple countries.

Despite the attacks being announced in advance, and now arriving more often than not on a weekly schedule, banks -- after spending millions of dollars on countermeasures -- have been unable to fully block the DDoS campaign. In part, that's because the attackers have compromised thousands of PHP-based websites with known vulnerabilities and installed attack toolkits on them, which they control remotely to launch attacks against designated banks.

The sheer scale of the DDoS attacks and the number of compromised websites is astounding. The Department of Homeland Security and FBI have reportedly been liaising with cybersecurity officials in 129 other countries and shared details of a total of 130,000 IP addresses that have been used in the attacks.
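A shared list of attack-source addresses is only useful to a bank if its security team can run it against its own traffic. The following is an added example, not code from the article, the FBI or DHS: a small Python indicator-matching script that parses a constructed indicator list (one IP per line; the addresses come from RFC 5737 documentation ranges and are not real attack sources) and a handful of constructed Apache combined-format access-log lines, then reports how many requests each listed address made and what share of the traffic the listed sources account for. The log format, the sample data and the function names are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed indicator list in the shape a law-enforcement share might take:
# one IPv4 address per line, '#' comments allowed. The addresses are from
# RFC 5737 documentation ranges and are NOT real attack sources.
INDICATORS_TXT = """\
# attack-source addresses (constructed example, not the real FBI/DHS list)
203.0.113.7
198.51.100.23
198.51.100.24
192.0.2.99
"""

# Constructed Apache combined-format access log from a bank's public site.
# Three listed sources hammer the login page with changing query strings
# (a cache-busting pattern); one unlisted visitor fetches a static page.
ACCESS_LOG = """\
203.0.113.7 - - [14/May/2013:12:01:03 -0400] "GET /online-banking/login?x=AAAA HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2013:12:01:03 -0400] "GET /online-banking/login?x=AAAB HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/May/2013:12:01:04 -0400] "GET /online-banking/login?x=AAAC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [14/May/2013:12:01:05 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2013:12:01:05 -0400] "GET /online-banking/login?x=AAAD HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.24 - - [14/May/2013:12:01:06 -0400] "POST /online-banking/auth HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined format and is skipped by the parser
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_indicators(text):
    """Return the set of indicator IPs, rejecting malformed entries loudly."""
    ips = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ipaddress.ip_address(line)  # raises ValueError on anything that is not an IP
        ips.add(line)
    return ips


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
        entry['status'] = int(entry['status'])
        entries.append(entry)
    return entries


def match_indicators(entries, indicators):
    """Map each indicator IP seen in the log to the number of requests it made."""
    return dict(Counter(e['ip'] for e in entries if e['ip'] in indicators))


def share_of_traffic(entries, indicators):
    """Fraction of all parsed requests that came from indicator addresses."""
    if not entries:
        return 0.0
    matched = sum(1 for e in entries if e['ip'] in indicators)
    return matched / len(entries)


if __name__ == '__main__':
    iocs = parse_indicators(INDICATORS_TXT)
    log = parse_access_log(ACCESS_LOG)
    for ip, n in sorted(match_indicators(log, iocs).items(), key=lambda kv: -kv[1]):
        print(f'{ip:<16} {n} requests')
    print(f'{share_of_traffic(log, iocs):.0%} of requests from listed sources')
```

On the constructed sample, three of the four listed addresses appear and account for five of the six well-formed requests. Against a real share the same matching would be run over firewall, load-balancer or NetFlow records as well as web logs, since during a volumetric flood the web server itself may never log most of the requests; the indicator set here is a plain set of strings because the share is described as individual addresses rather than CIDR ranges.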

The bureau's classified bank executive briefing comes in the wake of President Obama's "Improving Critical Infrastructure Cybersecurity" executive order, issued in February, which instructed the Department of Homeland Security to "expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators." Critical infrastructure, the vast majority of which is privately owned, refers to the energy, oil, water, telecom, finance and transportation industries.

Some members of Congress have been calling for new laws to indemnify businesses that share cyber-attack information with law enforcement agencies. But the FBI's outreach effort suggests that public-private information sharing is already occurring.

McFeely did, however, report that the bureau has faced difficulty gathering information about online attacks from victims, for example from defense contractors wary of speaking to the FBI. Interestingly, recent news reports suggest that online attacks against defense contractors -- attributed to China -- have been much more successful than previously disclosed in public, and resulted in the compromise of data relating to the latest drone and robot technologies, and might have undermined the combat reliability of the Lockheed Martin F-22 Raptor.
