Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

9/9/2015
04:20 PM

Cybercriminal Gang Extorts Businesses Via DDoS Attacks

Since April, the so-called DD4BC group has been responsible for at least 114 DDoS attacks on Akamai customers, vendor says.

A group of threat actors calling itself DD4BC has been attempting to extort money from financial firms and other businesses by threatening to hit them with large distributed denial-of-service (DDoS) attacks, content delivery network vendor Akamai said in a report published today.

The group has been active since at least September 2014, but appears to be ratcheting up its operations and going after a broader cross section of targets. Since April 2015, the group has hit at least 114 Akamai customers with DDoS attacks, with an average peak bandwidth of around 13.34 Gbps.

The largest of the attacks that Akamai observed generated over 56.2 Gbps of traffic. At the height of the group’s activity in June, Akamai mitigated at least 8 DDoS attacks that had peak bandwidths of more than 23 Gbps.

In a volumetric DDoS attack, threat actors use botnets to direct large volumes of junk traffic at a target network with the intention of overwhelming it. Generally, the higher the sustained peak bandwidth of an attack relative to the capacity of the target's Internet connection, the more likely it is to knock a website offline or make it completely unreachable from the outside.

With DD4BC, the attacks were preceded by extortion emails from members of the group, Akamai found. Victims were first told that a low-level DDoS attack would be launched against their site unless they paid a specified ransom in Bitcoin within a set period. The emails spelled out how and where to pay and promised that the victim would not be targeted again if it complied.

Ignored messages were quickly followed by more ominous threats of bigger DDoS attacks and higher ransom demands.

Samples of the threatening emails posted by Akamai show that the ransom amounts demanded by the group were relatively modest, ranging from 25 Bitcoin to 50 Bitcoin, or roughly $6,000 to $12,000 at exchange rates at the time of writing.

"Your site is going under attack unless you pay 25 Bitcoin," one email stated. "Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother."

The email goes on to inform the target that a low-level DDoS attack was being launched against it to demonstrate the seriousness of the threat. The attackers promise never to threaten the victim again if the ransom is paid up: "We do bad things, but we keep our word."

Subsequent emails warn the victim against ignoring the ransom demand. "And you are ignoring us. Probably because you don’t want to pay extortionists. And you believe that after sometime we will give up. But we never give up," the follow-up messages read.

Lisa Beegle, manager of Akamai's Prolexic Security Engineering & Research Team (PLXsert), describes DD4BC as a dangerous group. "This group has definitely followed through" with its threats, Beegle says. "If an organization gets a note [from DD4BC], they should take it seriously," she says.

Beegle says it’s difficult to know for sure how many organizations have paid the ransom demanded by DD4BC. But it is likely that at least a few of them have complied with the demands, she says.

Given the size of the attacks Akamai has observed, it is highly unlikely that DD4BC can actually launch the 400 to 500 Gbps attacks it claims in its extortion emails, Beegle notes.

At the same time, the average peak attack bandwidth achieved by the group is enough to overwhelm many websites, she says. "The average organization has a 10 Gbps pipeline," Beegle says. "So a 13 Gbps attack would exceed their bandwidth capacity."
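The comparison Beegle describes, attack peak against uplink capacity, is a check a network or SOC team can run on its own flow data. The script below is an added example for this article, not code from Akamai, PLXsert or the DD4BC report. It assumes flow records of the form (timestamp in seconds, protocol, bytes), as a NetFlow/IPFIX exporter or a packet-capture summary would provide, buckets them into one-second windows, and reports the peak bandwidth, the protocol mix in the peak second (a UDP-dominated peak matches the "UDP flood" the extortion emails threaten) and the first second in which the assumed 10 Gbps uplink is exceeded. The sample traffic is constructed to reproduce the article's 13.34 Gbps average peak; the 10 Gbps capacity is Beegle's figure.

```python
"""Peak-bandwidth vs link-capacity check over constructed flow records.

Added example for this article, not code from Akamai or the DD4BC report.
Flow records are (timestamp_seconds, protocol, bytes) tuples; the values
below are constructed to illustrate the article's figures.
"""
from collections import defaultdict

# Assumed uplink: the "10 Gbps pipeline" cited for a typical organization.
LINK_CAPACITY_GBPS = 10.0


def _records(second, proto, total_bytes, n=4):
    """Split one second's worth of traffic into n equal flow records (constructed)."""
    per = total_bytes // n
    return [(second + i / n, proto, per) for i in range(n)]


# Constructed sample: 10 s of 0.5 Gbps web traffic, plus a UDP flood that
# ramps up from t=5 s and peaks at t=7 s at the article's 13.34 Gbps figure.
SAMPLE_FLOWS = []
for _t in range(10):
    SAMPLE_FLOWS += _records(_t, "tcp", 62_500_000)  # 0.5 Gbps baseline
for _t, _b in [(5, 1_000_000_000), (6, 1_500_000_000),
               (7, 1_605_000_000), (8, 1_200_000_000), (9, 600_000_000)]:
    SAMPLE_FLOWS += _records(_t, "udp", _b)


def bytes_per_bucket(flows, bucket_s=1.0):
    """Sum bytes per protocol into fixed-width time buckets keyed by bucket index."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, proto, nbytes in flows:
        buckets[int(ts // bucket_s)][proto] += nbytes
    return buckets


def to_gbps(nbytes, bucket_s=1.0):
    """Convert a byte count over one bucket into gigabits per second."""
    return nbytes * 8 / bucket_s / 1e9


def assess(flows, link_capacity_gbps=LINK_CAPACITY_GBPS, bucket_s=1.0):
    """Return peak bandwidth, its protocol mix, and whether/when the link saturates."""
    buckets = bytes_per_bucket(flows, bucket_s)
    totals = {b: sum(p.values()) for b, p in buckets.items()}
    peak_bucket = max(totals, key=totals.get)
    peak_gbps = to_gbps(totals[peak_bucket], bucket_s)
    mix = {proto: n / totals[peak_bucket] for proto, n in buckets[peak_bucket].items()}
    # Every bucket whose rate exceeds the uplink; the first one is when service degrades.
    saturated = sorted(b for b, n in totals.items()
                       if to_gbps(n, bucket_s) > link_capacity_gbps)
    return {
        "peak_gbps": round(peak_gbps, 2),
        "peak_second": peak_bucket * bucket_s,
        "peak_mix": {p: round(s, 3) for p, s in mix.items()},
        "saturates_link": bool(saturated),
        "first_saturation_second": saturated[0] * bucket_s if saturated else None,
        "headroom_gbps": round(link_capacity_gbps - peak_gbps, 2),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

One caveat a practitioner should keep in mind: flow counters collected at the victim's own edge router undercount once the uplink is full, because the excess packets are dropped upstream before they are ever exported. Measurements like this need to come from the upstream carrier or the scrubbing provider, which is also where the mitigation decision has to be made.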

Financial services firms were targeted in 58 percent of these attacks. Within that total, banks and credit unions accounted for 35 percent of all attacks and currency exchanges for 13 percent, with payment processing firms making up the remainder of the financial-sector share, according to Akamai.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...