Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/25/2018
01:06 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

'Webstresser' DDoS Attack Site Shut Down in International Operation

Investigators arrested the admins of Webstresser, the world's largest DDoS marketplace reportedly responsible for more than four million attacks.

The world's largest online marketplace for selling and lauching distributed denial-of-service (DDoS) attacks was shut down this week as part of Operation Power Off, an international investigation into the so-called Webstresser.org site. The effort was led by the UK National Crime Agency (NCA) and Dutch National Police, with support from Europol and a dozen global law enforcement agencies, Europol reports.

Webstresser had more than 136,000 registered users, and threat actors have reportedly used it to launch at least four million cyberattacks, targeting government agencies, banks, police organizations, and victims in the gaming sector by flooding their servers with traffic, according to Europol.

The site simplified the process of launching DDoS attacks, once a threat mostly accessible to tech-savvy cybercriminals. Anybody, regardless of their technical skill level, could use Webstresser's online payment system or cryptocurrency to rent out stressers or booters, which were available for as little as 15 EUR/month and could be used for destructive DDoS attacks.

Stressers and booters are for-hire services that grant access to DDoS botnets. Most aim to make money under the pretense of offering a legitimate, useful service to test servers' resiliency. In reality, they usually don't require proof of identity from the individual launching the attack, nor do they ask whether the attacker is associated with the organization being targeted.

"As this event illustrates, it remains ridiculously cheap to rent a devastating DDoS attack from these so-called DDoS 'stressers' or on the Dark Web," says Andrew Lloyd, president of Corero Network Security. "In many territories, it also remains a criminal offence."

Authorities in five countries, including Canada, Croatia, Serbia, and the Netherlands, along with support from Europol and Police Scotland, arrested six suspected members of the group behind Webstresser on April 24. Dutch Police, with support from Germany and the US, seized servers and started the takedown of the site on the morning of April 25.

Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) provided support for the investigation by enabling an information exchange among all participating organizations. On the day of the takedown, a command and coordination post was set up at Europol HQ. Europol reports measures were also taken against Webstresser's top users in the Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada, and Hong Kong.

NCA officials believe an attacker linked to an address in Bradford, UK, used Webstresser to target seven of the UK's largest banks in November 2017. The banks were forced to scale back their operations and, in some cases, shut down entire systems, costing hundreds of thousands of pounds in recovery. The address was identified and searched as part of this effort.

John Fokker, McAfee's head of cyber investigations, notes how Webstresser points to the overall rise of attacks on the gaming sector, which is increasingly targeted as attacks become easier to launch. He also suggests a threat like this could have geopolitical implications.

"Attacks on gaming servers predominately committed by young people are becoming increasingly popular and the relative ease with which these attacks are carried out by individuals with little hacking experience is striking," he says. "Webstresser and other similar attacks suggest entire organizations or parts of a country can be disrupted for the price of a pound of good coffee beans."

Jo Goodall, senior investigating officer at the NCA, urged businesses and individuals to report cybercrime. In a statement, she points to the Action Fraud website, the UK's national fraud and cybercrime reporting center. Guidance on how to mitigate the effects of cyberattacks can be found at the National Cyber Security Centre website.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.