Attacks/Breaches
1/9/2013
06:30 PM
Bank DDoS Attacks Employ Web Servers As Weapons

Researchers at Incapsula discovered a scheme by attackers to use a website as a bot in a DDoS attack

The recent wave of distributed denial-of-service (DDoS) attacks against U.S. banks is the latest example of DDoS being used as a tool of protest.

But the latest spate of attacks, attributed to the hacker group Izz ad-Din al-Qassam, used an increasingly popular tactic: turning a compromised Web server into a weapon.

"Web servers have become the weapon of choice for DDoS attacks," says Marc Gaffan, co-founder and vice president of new business and marketing at Incapsula. "They have significantly more computing and networking capacity than a home PC and can cause havoc when used to launch DDoS attacks. This is becoming more and more prevalent with cloud computing environments where spinning up new servers from hacked IT administrator accounts can be done in an instant."

This is more common among hosting providers than in the enterprise, notes Stephen Gates, security evangelist at Corero Network Security. He attributes that to the computing power and bandwidth an attacker gains by compromising a server at a hosting provider.

In the case of Izz ad-Din al-Qassam's campaign, Incapsula discovered that one of its customers' websites had been compromised in an attempt to use it as a launch pad for the attacks.

"This client, a small and seemingly harmless general interest UK website, was suddenly a focal point of a rapidly increasing number of security events," blogged Ronen Atias, senior security researcher at Incapsula. "The cause? Numerous requests with encoded PHP code payload."

"A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot - an unwilling foot soldier in a DDoS army," Atias continued. "The backdoor was instructed to launch HTTP and UDP flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank."

The backdoor was controlled through an API that used the server's PHP environment to execute attack code supplied dynamically with each request, so the attacker could change the attack logic without touching the files on disk and adapt quickly to any change in the website's defenses.

Because Incapsula blocked the commands, the attack was mitigated before it started. It is unclear how the Web server was initially compromised, but a post-incident analysis showed that it had a particularly weak administration password: "admin."

"Using weak passwords is one of the most common causes of websites being hacked," Gaffan explains. "The paradox is that while we are constantly being educated to strengthen our passwords in our personal lives -- email, bank account, and social media -- server administrators who think that their servers don't contain anything valuable are negligent in selecting their passwords."

"What they don't realize," he adds, "is that computing resources that have access to loads of bandwidth like Web servers can be used as fire power to launch attacks against other entities. So it's not just about what you have on your server worth stealing, it's also about what your server can be used for."

Tracing the attack backward, Incapsula researchers followed the trail to a Turkish Web design company whose website, according to Atias, served as the botnet's command-and-control for the attack. That site was most likely also compromised and used to put an additional layer between the actual attacker and the true target, he speculates.

Increasingly, attackers are using blended approaches of network- and application-layer DDoS attacks to hit companies, Gates says. On the horizon are potential attacks that use mobile devices, though this approach has its limitations.

"Since most mobile devices have limited upload speeds, mobile devices, at least in the beginning, could be used primarily to launch the low and slow application-layer DDoS attacks instead of volumetric, flooding types of attacks in order to stay under the radar of wireless providers," he says.

"Organizations must have a DDoS defense plan in place as well as technology specifically built to combat these attacks," Gates adds. "Depending on an organization's budget, they may opt for one solution over another. Ideally a multipronged approach blending on-premise and ISP solutions is the most effective way to combat against this growing threat. If an organization only can use one technology, then on-premise is the way to go as it covers the broadest range of attacks, including traditional network-based attacks as well as today’s increasing application layer, low and slow attacks."

Comments
kjhiggins, User Rank: Strategist
1/23/2013 | 11:14:37 PM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The interesting types of DDoS are the low-and-slow attacks that exhaust server resources.

Kelly Jackson Higgins, Senior Editor
Dark Reading
WeWatch, User Rank: Apprentice
1/16/2013 | 11:17:13 AM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The article uses the term webserver, when I believe they mean website.

While it might be a small point, it still needs clarification.
I felt it necessary to point this out as many of our customers ask why hackers want their website. This is one reason why. Thank you for bringing this to the attention of the public.