Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/9/2015
04:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cybercriminal Gang Extorts Businesses Via DDoS Attacks

Since April, the so-called DD4BC group has been responsible for at least 114 DDoS attacks on Akamai customers, vendor says.

A group of threat actors calling themselves DD4BC has been attempting to extort money from financial companies and other business by threatening to hit them with massive distributed denial of service attacks (DDoS), content delivery vendor Akamai said in a report published today.

The group has been active since at least September 2014, but appears to be ratcheting up its operations and going after a broader cross section of targets. Since April 2015, the group has hit at least 114 Akamai customers with DDoS attacks, with an average peak bandwidth of around 13.34 Gbps.

The largest of the attacks that Akamai observed generated over 56.2 Gbps of traffic. At the height of the group’s activity in June, Akamai mitigated at least 8 DDoS attacks that had peak bandwidths of more than 23 Gbps.

In DDoS attacks, threat actors use botnets to direct large volumes of useless traffic to a target network with the intention of overwhelming it. Generally, the higher the sustained peak bandwidth of a DDoS attack, the more potential it has to knock a website offline or make it completely inaccessible from the outside.

With DD4BC, the attacks were preceded by emails from members of the group that have attempted to extort money from the targets, Akamai found. Victims were first informed that a low-level DDoS attack would be launched against their site if they did not pay a specific ransom amount in Bitcoins within a particular time period. The emails included details on how and where the victims would pay, and included a promise not to target them again if they complied.

Messages that were ignored were quickly followed with more ominous threats about bigger DDoS attacks and higher ransom amounts.

Samples of the threatening emails posted by Akamai show that the ransom amounts demanded by the group were relatively modest, ranging from 25 Bitcoins to 50 Bitcoins, or between $6,000 and $12,000 at current currency exchange rates.

"Your site is going under attack unless you pay 25 Bitcoin," one email stated. "Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother."

The email goes on to inform the target that a low-level DDoS attack was being launched against it to demonstrate the seriousness of the threat. The attackers promise never to threaten the victim again if the ransom is paid up: "We do bad things, but we keep our word."

Subsequent emails warn the victim against ignoring the ransom demand. "And you are ignoring us. Probably because you don’t want to pay extortionists. And you believe that after sometime we will give up. But we never give up," the follow-up messages read.

Lisa Beegle, manager at Akamai’s Prolexic Security Engineering & Research Team (PLXsert) describes DD4BC as a dangerous group. "This group has definitely followed through" with its threats, Beegle says. "If an organization gets a note [from DD4BC], they should take it seriously," she says.

Beegle says it’s difficult to know for sure how many organizations have paid the ransom demanded by DD4BC. But it is likely that at least a few of them have complied with the demands, she says.

From the size of the attacks that Akamai has observed, it’s highly unlikely that DD4BC has the ability to launch the 400 to 500 Gbps attacks that the group mentions in its extortion emails, Beegle notes.

At the same time, the average peak attack bandwidths achieved by the group are enough to overwhelm many websites, she says. "The average organization has a 10 Gbps pipeline," Beegle says. "So a 13 GBPs attack would exceed their bandwidth capacity."

Financial services firms were targeted in 58 percent of these attacks. Of that number, banks and credit unions accounted for 35 percent of the attacks, 13 percent involved currency exchanges while the rest were payment processing firms, according to Akamai.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5595
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute...
CVE-2020-5596
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a mali...
CVE-2020-5597
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products o...
CVE-2020-5598
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop ...
CVE-2020-5599
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remo...