A gang of hacktivists driven by religious and political motives has emerged as a prodigious new threat, using open-source utilities to carry out a spate of more than 750 distributed denial of service (DDoS) attacks and 78 website defacements in only a year's time, researchers have found.
Dubbed "Mysterious Team Bangladesh," the group has targeted organizations in geographies as diverse as the Netherlands, Senegal, and the United Arab Emirates, but primarily has in its crosshairs government, financial, and transportation-sector organizations in India and Israel, Group-IB's Threat Intelligence Team revealed in a blog post on Aug. 3.
While the group was founded in 2020 by a threat actor who goes by the online handle D4RK TSN, it didn't begin its cybercriminal activity in earnest until June 2022. However, Mysterious Team Bangladesh wasted no time in making its mark, with a total of 846 attacks under its belt between June 2022 and last month, said the researchers, who have been tracking the group on its Telegram channel.
The highest percentage of those attacks, 34%, occurred in India, followed by 18.1% of attacks in Israel; in fact, these nations appear to be Mysterious Team Bangladesh's top priorities.
However, as the group has diversified its attack geographies and targets in recent months, the researchers expect the group to intensify its focus on financial companies and government entities in Europe, and other parts of Asia-Pacific and the Middle East, in the near future.
"The group shows a preference for targeting government resources and the websites of banks and financial organizations," according to the Group-IB post, which is attributed to John Doe. "However, if the group is unable to find a victim within these sectors, they try to massively exploit domains within the targeted country's domain zone."
While hacktivist groups often are underestimated, modern versions can and do pose a significant, sophisticated threat that's on par with more financially motivated threat actors, according to Group-IB. However, unlike those actors, hacktivists don't tend to negotiate and, in fact, are intent on disrupting critical systems, potentially leading to significant financial and reputational losses for affected organizations.
Mysterious Team Bangladesh Motivation & Attack Style
A typical attack by Mysterious Team Bangladesh begins with the group taking notice of a news event that triggers a theme-based campaign against a specific country, which usually lasts about a week before the group loses interest. It then goes back to focusing on attacks against India and Israel.
The group likes to test the waters before fully diving into an attack, carrying out a short test attack to check a target's resistance to DDoS attacks. It most often exploits vulnerable versions of PHPMyAdmin and WordPress in its malicious activity.
"The use of PHP may involve PHPMyAdmin; both frameworks are quite common and have a large number of known exploits, which underlines the importance of timely software updates," Doe wrote in the post.
While the bulk of the attacks so far have come in the form of DDoS, the group also has defaced targets' websites and, in some cases, may have gained access to Web servers and administrative panels by using exploits for widely known vulnerabilities or common/default passwords for admin accounts.
Rather than develop its own malicious tools or malware, Mysterious Team Bangladesh uses various open-source, widely available utilities, including the "./404FOUND.MY" utility, the Raven-Storm toolkit, penetration-testing tool Xerxes, and DDoS tool Hulk.
The group leverages these to conduct DDoS attacks at different network layers, including Layer 3, Layer 4, and Layer 7, the researchers found. This means it can carry out both attacks directed at individual servers and DNS-amplification attacks that direct a large volume of traffic toward a victim's network.
Defending Against DDoS Cyberattacks
Though it has been a popular method of cyberattack for many years, DDoS remains a critical threat to organizations. In fact, a recent study found that organizations are more worried about DDoS than about other common types of cyberattack because of its immediate potential to impact business.
To defend against DDoS attacks, Group-IB recommended that organizations deploy load balancers to distribute traffic and minimize the impact of an attack. They also should configure firewalls and routers to filter and block suspicious traffic.
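The filtering step above needs a way to decide which traffic is suspicious. The script below is an added example, not code from Group-IB or the article: it reads Web-server access-log lines in the common combined format, counts requests per client address in a sliding window (the pattern of an application-layer, or Layer 7, flood), counts the aggregate rate across all sources (which is what a flood spread over many addresses looks like), and renders an iptables DROP rule for each flagged source. The log lines, the addresses, the 10-second window and the threshold of 20 requests are all constructed assumptions for illustration; a real deployment would tune the threshold against its own baseline and review rules before applying them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def per_source_peaks(lines, window_seconds=10):
    """Sliding-window request count per client IP; returns {ip: peak requests seen in any window}."""
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    span = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        dq = windows[ip]
        dq.append(ts)
        # Drop timestamps older than the window, measured back from the newest request.
        while ts - dq[0] > span:
            dq.popleft()
        peaks[ip] = max(peaks[ip], len(dq))
    return dict(peaks)


def detect_floods(lines, window_seconds=10, threshold=20):
    """Return {ip: peak} for sources whose per-window request count reaches the threshold."""
    return {ip: peak for ip, peak in per_source_peaks(lines, window_seconds).items()
            if peak >= threshold}


def aggregate_peak(lines, window_seconds=10):
    """Peak total requests in any window regardless of source; catches floods spread over many IPs."""
    dq = deque()
    peak = 0
    span = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ts, _ = parsed
        dq.append(ts)
        while ts - dq[0] > span:
            dq.popleft()
        peak = max(peak, len(dq))
    return peak


def filter_rules(flagged):
    """Render one iptables DROP rule per flagged source for the firewall step (review before applying)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


def build_sample_log():
    """Constructed sample log (not real traffic): two ordinary clients and one flooding client."""
    base = datetime(2023, 8, 3, 12, 0, 0, tzinfo=timezone.utc)
    entries = []

    def add(ip, t, req):
        entries.append((t, f'{ip} - - [{t.strftime(TS_FMT)}] "{req}" 200 1024'))

    for i in range(5):                      # one request every 12 s
        add("198.51.100.7", base + timedelta(seconds=12 * i), "GET /index.html HTTP/1.1")
    for i in range(3):                      # one request every 20 s
        add("198.51.100.9", base + timedelta(seconds=5 + 20 * i), "GET /about HTTP/1.1")
    for i in range(40):                     # five requests per second for eight seconds
        add("203.0.113.5", base + timedelta(seconds=i // 5), "GET /login.php HTTP/1.1")
    entries.sort(key=lambda e: e[0])        # a real log is in time order
    return [line for _, line in entries]


if __name__ == "__main__":
    log = build_sample_log()
    flagged = detect_floods(log)
    print("flagged sources:", flagged)
    print("peak requests per 10 s across all sources:", aggregate_peak(log))
    for rule in filter_rules(flagged):
        print(rule)
```

On the constructed log the per-source check flags only 203.0.113.5 (40 requests in one window) while the two ordinary clients never exceed one request per window; the aggregate counter reports 42, which is the figure to compare against a normal-traffic baseline when no single source stands out. Per-source blocking is useful against a small number of noisy sources; against a widely distributed flood the aggregate signal is what justifies moving traffic behind a load balancer or CDN.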
Content delivery networks, or geographically distributed server groups that cache content close to end users, can also help organizations distribute traffic across a network to thwart a DDoS attack. Organizations also should regularly update Web-server backend software to prevent attackers from exploiting known vulnerabilities that may be present on the network.
Finally, organizations can use emerging artificial intelligence (AI) and machine learning (ML) tools to help network security teams decide more quickly and accurately whether traffic constitutes a DDoS threat or a more concerning, ongoing attack.