Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/9/2015
04:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cybercriminal Gang Extorts Businesses Via DDoS Attacks

Since April, the so-called DD4BC group has been responsible for at least 114 DDoS attacks on Akamai customers, vendor says.

A group of threat actors calling themselves DD4BC has been attempting to extort money from financial companies and other business by threatening to hit them with massive distributed denial of service attacks (DDoS), content delivery vendor Akamai said in a report published today.

The group has been active since at least September 2014, but appears to be ratcheting up its operations and going after a broader cross section of targets. Since April 2015, the group has hit at least 114 Akamai customers with DDoS attacks, with an average peak bandwidth of around 13.34 Gbps.

The largest of the attacks that Akamai observed generated over 56.2 Gbps of traffic. At the height of the group’s activity in June, Akamai mitigated at least 8 DDoS attacks that had peak bandwidths of more than 23 Gbps.

In DDoS attacks, threat actors use botnets to direct large volumes of useless traffic to a target network with the intention of overwhelming it. Generally, the higher the sustained peak bandwidth of a DDoS attack, the more potential it has to knock a website offline or make it completely inaccessible from the outside.

With DD4BC, the attacks were preceded by emails from members of the group that have attempted to extort money from the targets, Akamai found. Victims were first informed that a low-level DDoS attack would be launched against their site if they did not pay a specific ransom amount in Bitcoins within a particular time period. The emails included details on how and where the victims would pay, and included a promise not to target them again if they complied.

Messages that were ignored were quickly followed with more ominous threats about bigger DDoS attacks and higher ransom amounts.

Samples of the threatening emails posted by Akamai show that the ransom amounts demanded by the group were relatively modest, ranging from 25 Bitcoins to 50 Bitcoins, or between $6,000 and $12,000 at current currency exchange rates.

"Your site is going under attack unless you pay 25 Bitcoin," one email stated. "Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother."

The email goes on to inform the target that a low-level DDoS attack was being launched against it to demonstrate the seriousness of the threat. The attackers promise never to threaten the victim again if the ransom is paid up: "We do bad things, but we keep our word."

Subsequent emails warn the victim against ignoring the ransom demand. "And you are ignoring us. Probably because you don’t want to pay extortionists. And you believe that after sometime we will give up. But we never give up," the follow-up messages read.

Lisa Beegle, manager at Akamai’s Prolexic Security Engineering & Research Team (PLXsert) describes DD4BC as a dangerous group. "This group has definitely followed through" with its threats, Beegle says. "If an organization gets a note [from DD4BC], they should take it seriously," she says.

Beegle says it’s difficult to know for sure how many organizations have paid the ransom demanded by DD4BC. But it is likely that at least a few of them have complied with the demands, she says.

From the size of the attacks that Akamai has observed, it’s highly unlikely that DD4BC has the ability to launch the 400 to 500 Gbps attacks that the group mentions in its extortion emails, Beegle notes.

At the same time, the average peak attack bandwidths achieved by the group are enough to overwhelm many websites, she says. "The average organization has a 10 Gbps pipeline," Beegle says. "So a 13 GBPs attack would exceed their bandwidth capacity."

Financial services firms were targeted in 58 percent of these attacks. Of that number, banks and credit unions accounted for 35 percent of the attacks, 13 percent involved currency exchanges while the rest were payment processing firms, according to Akamai.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.