5/14/2013
12:56 PM

FBI Briefs Bank Executives On DDoS Attack Campaign

FBI expedited security clearances so it could share classified info on Operation Ababil, a distributed denial of service attack that continues to disrupt U.S. financial websites.

The FBI recently granted one-day clearances to security officers and executives at numerous banks so it could share classified intelligence on the Operation Ababil campaign that's been disrupting U.S. financial websites for almost a year.

The videoconference briefings detailed "who was behind the keyboards" of the attacks, FBI executive assistant director Richard McFeely told the Reuters Cybersecurity Summit on Monday, Reuters reported. McFeely is in charge of the bureau's criminal and cyber investigations.

The Operation Ababil distributed-denial-of-service (DDoS) attacks, which typically target a handful of the country's top banks every week, have disrupted the websites of such financial institutions as Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. The attacks have resulted in customers sometimes being unable to access online or mobile banking services.


Banks targeted as part of Operation Ababil have been frustrated by the lack of arrests or apparent progress in the case, McFeely said. But he said that some indictments -- currently under seal -- have been issued for suspects' arrest. Suggesting that the suspects are operating in countries that have no extradition treaty with the United States, he said that the hackers might be caught when they travel to other countries. "The first time we bring someone in from out of the country in handcuffs, that's going to be a big deal," he said.

McFeely said the bureau has been working to keep cybercrime victims up to date, admitting that the FBI was "terrible" about doing so in the past. "That's 180 degrees from where we are now," he said.

The self-proclaimed Muslim hacktivist group Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the banking website disruptions, which it said are retaliation for the posting to YouTube in July 2012 of a film that mocks the founder of Islam. U.S. government officials, however, have accused the group of being a front for Iran. Members of the group have responded by saying they're apolitical and hail from multiple countries.

Although the bank attacks were announced in advance, and now more often than not simply occur every week, banks -- after spending millions of dollars on countermeasures -- have been unable to fully block the DDoS campaign. In part, that's because attackers have compromised thousands of PHP websites with known vulnerabilities and installed attack toolkits on them, which they control remotely to queue up attacks against designated banks.

The sheer scale of the DDoS attacks and the number of compromised websites is astounding. The Department of Homeland Security and FBI have reportedly been liaising with cybersecurity officials in 129 other countries and have shared details of a total of 130,000 IP addresses that have been used in the attacks.
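A site operator who receives a shared list of attack-source addresses like the one described above needs a way to check it against their own traffic. The following is an added example, not code from the article, the FBI or DHS: it assumes the indicators arrive as a plain text list of hosts or CIDR blocks and that the web server writes combined-format access logs. Every address and log line in it is constructed sample data (documentation ranges), not a real Operation Ababil indicator.

```python
"""Match access-log entries against a shared list of attack-source IPs.

Added example with constructed data. It assumes:
  * indicators arrive one per line, as a host or CIDR block, '#' for comments;
  * the server logs in Apache/nginx combined format.
"""
import ipaddress
import re
from collections import Counter

# Constructed indicator list (documentation ranges, not real attack sources).
SHARED_INDICATORS = """
# constructed sample: one host or network per line
203.0.113.7
203.0.113.42
198.51.100.0/24
not-an-address
"""

# Constructed combined-format access log lines; the last one is deliberately junk.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2013:12:01:01 +0000] "GET /online-banking/login HTTP/1.1" 503 0 "-" "Mozilla/5.0"
192.0.2.10 - - [14/May/2013:12:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [14/May/2013:12:01:02 +0000] "GET /online-banking/login HTTP/1.1" 503 0 "-" "-"
203.0.113.7 - - [14/May/2013:12:01:03 +0000] "GET /online-banking/login HTTP/1.1" 503 0 "-" "Mozilla/5.0"
192.0.2.11 - - [14/May/2013:12:01:04 +0000] "POST /online-banking/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

# Client IP, timestamp, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def load_indicators(text):
    """Parse indicator lines into ip_network objects; skip blanks, comments and junk."""
    nets = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a host or an unaligned block through as a network
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed indicator: ignore rather than abort the whole run
    return nets


def is_indicator(ip_text, nets):
    """True if ip_text falls inside any shared indicator network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def parse_log(text):
    """Yield (ip, request_line, status) for every well-formed log entry."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group('ip'), m.group('req'), int(m.group('status'))


def summarize(log_text, indicator_text):
    """Count how much traffic comes from indicator hosts and which paths it hits."""
    nets = load_indicators(indicator_text)
    total = 0
    by_source = Counter()
    by_path = Counter()
    for ip, req, _status in parse_log(log_text):
        total += 1
        if is_indicator(ip, nets):
            by_source[ip] += 1
            parts = req.split(' ')
            by_path[parts[1] if len(parts) > 1 else req] += 1
    matched = sum(by_source.values())
    return {
        'total_requests': total,
        'matched_requests': matched,
        'matched_share': matched / total if total else 0.0,
        'top_sources': by_source.most_common(5),
        'top_paths': by_path.most_common(5),
    }


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG, SHARED_INDICATORS))
```

On the constructed sample, three of the five valid requests come from indicator hosts and all three hit the login path, which is the kind of signal a defender can hand to a rate limiter or upstream filter; unparseable log lines and malformed indicators are skipped rather than allowed to abort the run.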

The bureau's classified bank executive briefing comes in the wake of President Obama's "Improving Critical Infrastructure Cybersecurity" executive order, issued in February, which instructed the Department of Homeland Security to "expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators." Critical infrastructure, the vast majority of which is privately owned, refers to the energy, oil, water, telecom, finance and transportation industries.

Some members of Congress have been calling for new laws to indemnify businesses that share cyber-attack information with law enforcement agencies. But the FBI's outreach effort suggests that public-private information sharing is already occurring.

McFeely did, however, report that the bureau has faced difficulty gathering information about online attacks from victims, for example from defense contractors wary of speaking to the FBI. Interestingly, recent news reports suggest that online attacks against defense contractors -- attributed to China -- have been much more successful than previously disclosed in public, resulted in the compromise of data relating to the latest drone and robot technologies, and might have undermined the combat reliability of the Lockheed Martin F-22 Raptor.
