
Bank DDoS Attacks Employ Web Servers As Weapons

Researchers at Incapsula discovered a scheme by attackers to use a website as a bot in a DDoS attack

The recent wave of distributed denial-of-service (DDoS) attacks against U.S. banks is yet another entry on the list of examples of DDoS being used as a tool for protest.

But the latest spate of attacks attributed to the hacker group Izz ad-Din al-Qassam used an increasingly popular tactic: turning a compromised Web server into a weapon.

"Web servers have become the weapon of choice for DDoS attacks," says Marc Gaffan, co-founder and vice president of new business and marketing at Incapsula. "They have significantly more computing and networking capacity than a home PC and can cause havoc when used to launch DDoS attacks. This is becoming more and more prevalent with cloud computing environments where spinning up new servers from hacked IT administrator accounts can be done in an instant."

This is more common in the hosting provider space than the enterprise space, notes Stephen Gates, security evangelist at Corero Network Security. This is likely due to the available computing power and bandwidth at the attackers' disposal when it comes to hosting providers, he says.

In the case of Izz ad-Din al-Qassam's campaign, Incapsula discovered that one of its customers had been compromised in an attempt to use them as a launch pad for attacks.

"This client, a small and seemingly harmless general interest UK website, was suddenly a focal point of a rapidly increasing number of security events," blogged Ronen Atias, senior security researcher at Incapsula. "The cause? Numerous requests with encoded PHP code payload."

"A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot - an unwilling foot soldier in a DDOS army," Atias continued. "The backdoor was instructed to launch HTTP and UDP flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank."

The backdoor was controlled using an API that leveraged the server's PHP environment to inject dynamic attack code that allowed the attacker to adapt quickly to any changes in the website's security.

Since the commands were blocked by Incapsula, the attack was mitigated before it started. While it is unclear how the Web server was initially compromised, an analysis after the fact showed the server had a particularly weak administration password: "admin."
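The "requests with encoded PHP code payload" that Atias describes leave a trace in ordinary web server access logs, and an operator can look for them without any special appliance. The script below is an added example, not Incapsula's tooling or code from the article: it parses access-log lines in the common log format, base64-decodes query parameters that have the shape of base64, and flags the ones that decode to PHP code (calls such as `eval`, `system` or `base64_decode`, or a `<?php` tag). Every log line, IP address, path and payload stub in it is constructed for the example; the two "backdoor stub" strings are generic webshell one-liners used only as detection targets.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Request line of a common/combined access-log entry.
_REQ_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Values that look like base64 (standard or URL-safe alphabet) and are long enough to carry code.
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
# PHP constructs a decoded payload needs in order to run, or to unpack a further stage.
_PHP_MARKERS = re.compile(
    r"<\?php|\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13|fsockopen|file_put_contents)\s*\(",
    re.IGNORECASE,
)


def decode_if_base64(value: str):
    """Return the decoded text if value is base64 that decodes to printable text, else None."""
    if not _B64_SHAPE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    for decoder in (lambda v: base64.b64decode(v, validate=True), base64.urlsafe_b64decode):
        try:
            raw = decoder(padded.encode("ascii"))
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def scan_log(log_text: str):
    """Flag requests whose query parameters base64-decode to PHP code."""
    findings = []
    for line in log_text.splitlines():
        m = _REQ_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl undoes the percent-encoding an attacker must use for '+', '/' and '='.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = decode_if_base64(value)
            if decoded is None or not _PHP_MARKERS.search(decoded):
                continue
            findings.append({
                "client": m.group("ip"),
                "method": m.group("method"),
                "path": parts.path,
                "param": name,
                "decoded": decoded[:80],
            })
    return findings


def _enc(php: str) -> str:
    """Base64 then percent-encode, the way such a payload appears in a request URL."""
    return quote(base64.b64encode(php.encode()).decode(), safe="")


# Constructed payloads: two generic webshell stubs and one benign base64 token.
_SHELL_STUB = "eval(base64_decode($_POST['d']));"
_SYS_STUB = "<?php system($_GET['x']); ?>"
_BENIGN_TOKEN = "session:visitor:4711"

# Constructed sample access-log lines (not traffic from the article): two ordinary
# requests, one carrying a benign base64 value, and two carrying encoded PHP.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Jan/2013:14:02:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Jan/2013:14:02:15 +0000] "GET /images/logo.png HTTP/1.1" 200 8810',
    f'203.0.113.12 - - [10/Jan/2013:14:02:40 +0000] "GET /track.php?t={_enc(_BENIGN_TOKEN)} HTTP/1.1" 200 44',
    f'198.51.100.77 - - [10/Jan/2013:14:03:02 +0000] "POST /uploads/cache.php?c={_enc(_SHELL_STUB)} HTTP/1.1" 200 12',
    f'198.51.100.77 - - [10/Jan/2013:14:03:05 +0000] "GET /uploads/cache.php?c={_enc(_SYS_STUB)} HTTP/1.1" 200 30',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["method"]} {hit["path"]} param={hit["param"]}: {hit["decoded"]}')
```

The benign token decodes cleanly but carries no PHP marker, so it is not reported; only the two requests to `/uploads/cache.php` are. A real deployment would also inspect POST bodies, since a backdoor stub like the first one reads its next stage from `$_POST`, and would correlate a hit with outbound connection counts from the same host, which is where a flood launched from the server actually shows up.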

"Using weak passwords is one of the most common causes of websites being hacked," Gaffan explains. "The paradox is that while we are constantly being educated to strengthen our password in our personal lives -- email, bank account, and social media -- server administrators who think that their servers don't contain anything valuable are negligent in selecting their passwords."

"What they don't realize," he adds, "is that computing resources that have access to loads of bandwidth like Web servers can be used as fire power to launch attacks against other entities. So it's not just about what you have on your server worth stealing, it's also about what your server can be used for."

Tracing the attack backward, Incapsula researchers followed the trail back to a Turkish Web design company. According to Atias, the website was used as a botnet command-and-control for the attack. The site was most likely also compromised and being used to provide an additional buffer between the true target and the actual attacker, he speculates.

Increasingly, attackers are using blended approaches of network- and application-layer DDoS attacks to hit companies, Gates says. On the horizon are potential attacks that use mobile devices, though this approach has its limitations.

"Since most mobile devices have limited upload speeds, mobile devices, at least in the beginning, could be used primarily to launch the low and slow application-layer DDoS attacks instead of volumetric, flooding types of attacks in order to stay under the radar of wireless providers," he says.

"Organizations must have a DDoS defense plan in place as well as technology specifically built to combat these attacks," Gates adds. "Depending on an organization's budget, they may opt for one solution over another. Ideally a multipronged approach blending on-premise and ISP solutions is the most effective way to combat against this growing threat. If an organization only can use one technology, then on-premise is the way to go as it covers the broadest range of attacks, including traditional network-based attacks as well as today's increasing application layer, low and slow attacks."


User Rank: Strategist
1/23/2013 | 11:14:37 PM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The interesting type of DDoS are the low-and-slow type of attacks that exhaust server resources.

Kelly Jackson Higgins, Senior Editor
Dark Reading
User Rank: Apprentice
1/16/2013 | 11:17:13 AM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The article uses the term webserver, when I believe they mean website.

While it might be a small point, it still needs clarification.
I felt it necessary to point this out as many of our customers ask why hackers want their website. This is one reason why. Thank you for bringing this to the attention of the public.