Vulnerabilities / Threats
10/4/2012
10:17 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Serious Attackers Paired With Online Mob In Bank Attacks

The denial-of-service attacks chalked up to crowdsourced hacktivism had little impact, except to camouflage much more effective packet floods using compromised content-management servers

At first blush, the recent attacks against major U.S. financial institutions appear to be a textbook case of hacktivism: Under the name "Operation Ababil," a group of alleged Iranian protestors called for supporters to attack banks and Google's YouTube, citing the Internet giant's refusal to take down a movie that offended some Muslims.

Yet the resulting distributed denial-of-service (DDoS) attacks that caused disruptions at major banks -- including Bank of America, JPMorgan, Citigroup, and Wells Fargo -- did not emanate from the widespread home computers of hacktivists, but from hundreds -- or, at most, thousands -- of servers running vulnerable content management software, say security experts familiar with the attacks. Using the servers and customized malware, the attackers leveled between 70 Gbps and 100 Gbps of peak traffic at the targeted sites and tailored the campaign to get around defenses specifically designed to stop floods of data.

The overall picture emerging from investigations into the attack is that of not just a successful campaign by hacktivists, but of something more, says Rodney Joffe, senior vice president and senior technologist at Internet infrastructure provider Neustar.

"This was a very well done attack, and the key thing is that this was not an attack that was easily survivable," he says. "They effectively took down or disrupted major financial organizations."

The details emerging from the investigation contradict the notion that the denial-of-service (DoS) attack came from a multitude of hacktivist computers during Operation Ababil. Using the name "Cyber fighters of Izz ad-din Al qassam," someone -- or some group -- posted a call to action on Pastebin on Sept. 18, calling for Muslims to attack the Bank of America and the New York Stock Exchange. Four days earlier, messages linked to the same group called for attacks against Google's YouTube.

Yet the Web requests from individuals' systems counted for the minority of traffic in the attack, experts say. The servers that formed the backbone of the attack, and which accounted for the majority of the traffic directed at the targets, were content management servers -- most, if not all, running the Joomla CMS, according to sources who asked not to be named. The attackers infected vulnerable content-management servers with a customized version of the "itsoknoproblembro" DDoS toolkit, likely using a vulnerability in the default Bluestork Joomla template.

Reports of compromises started appearing in the Joomla forums in mid-August, far before the release of the controversial movie on YouTube. The timing suggests that the attackers decided to participate in the hacktivist's operation or used the hacktivism as a smokescreen to camouflage their own activities.

[ After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself. See Turning Tables: ID'ing The Hacker Behind The Keyboard ]

The attackers likely had high-profile targets in mind when they created the network of compromised servers, says Dan Holden, director of security for Arbor Network, a network security company.

"I would say this [set of tools] was custom-built and put together for this particular type of attack: going after targets that would have DDoS defenses and would know how to defend themselves," Holden says. "If you compromise the right servers with the right bandwidth, you can be quite successful."

The average DoS attack falls far short of the volume of traffic leveled at targeted sites during Operation Ababil. While Arbor declined to give bandwidth figures, DDoS mitigation firm Prolexic stated that the attack reached 70 Gbps and 30 million packets per second against some of its customers. Another source familiar with the attacks, who asked not to be named, pegged the bandwidth as high as 100 Gbps.

Such volumes far outstrip previous attacks. In a presentation (PDF) at the North American Network Operators Group in February, Arbor's Jose Nazario asserted that large attacks were the new normal, but defined "large" as attacks with sustained bandwidths of 1 Gbps, two orders of magnitude smaller than those leveled at the U.S. financial institutions. More than 40 percent of companies surveyed by Arbor had encountered attacks greater than 1 Gbps, and 13 percent had suffered attack topping 10 Gbps.

Next Page: Government officials worry about size and skill of attacks

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkB305
50%
50%
MarkB305,
User Rank: Apprentice
8/31/2013 | 12:41:59 PM
re: Serious Attackers Paired With Online Mob In Bank Attacks
I am a little late, but just found this article. It reads like a fiction story, not based on real evidence. "Appearing...", "likely...", "statement from anonymous source" makes this essay not very thrustworthy. Ofcourse hacked sites (through outdated CMS software) might be used in a botnet, but maybe "DNS Amplification Attacks" are used even more to reach the same ddos effect.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web