Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Cybercriminals Expand DDOS Extortion Demands

Free toolkits and outsourced cybercrime services make DDoS attacks popular with Anonymous, criminals, unscrupulous business competitors and anyone with a grudge.

Dear website owner: Pay up or we'll launch a distributed denial-of-service (DDoS) attack against your website.

So goes the extortion threat now being made against multiple websites, including Cryptome, which Wednesday published an "Opsecure DDOS Extortion" letter. Dated Tuesday, the letter said that unless funds were transferred to a designated Bitcoin address, the Cryptome website "will be undergoing a 'distributed denial of service' attack conducted by '1 & 0 Logic Security Group,'" starting Friday. In total, the criminals demanded 1 Bitcoin as payment, which as of Wednesday was equivalent to $102. Instead, Cryptome -- a digital archive that focuses on freedom of speech, cryptography, spying and surveillance -- published the letter, saying it was "honored" to have received it.

As detailed in a recent Economist report, DDoS attacks are increasingly used by criminals to extort businesses, with gangs demanding one or more payoffs if a business wants the disruption of its site to cease.

[ Microsoft offers bug hunters a big payday, but there's a hitch. See Microsoft Dangles $100,000 Bug Bounty. ]

The growth in DDoS attacks, which remain illegal in many countries, including the United States, has been fueled in part by more advanced, and often free, DDoS attack toolkits. With enough malware-infected -- aka zombie -- PCs or servers at their disposal, attackers can overwhelm nearly any unprotected website, sometimes in spectacular fashion. Earlier this year, for example, a DDoS attack against Spamhaus broke records by spewing 300 gigabits per second of bogus data. Spamhaus ultimately mitigated the attack against it -- which used thousands of infected domain name system (DNS) servers -- with the help of DDoS attack mitigation service provider CloudFlare.

Criminal enterprises are behind many of these DDoS disruptions, as demonstrated by a recent attack made using the new "Drive" version of DDoS tool DirtJumper. According to a blog post from Jason Jones, a researcher with the Arbor Networks security engineering and response team, he traced the attack back to a server that also hosted "a BetaBot CnC [command-and-control server] and a Bitcoin mining harvester and all 3 were dropped by a Smoke Loader."

That refers to BetaBot, a relatively new and inexpensive piece of malware that's built to deactivate information security software, and Smoke Loader, which is malware used to load additional malware -- such as crimeware toolkits and remotely controlled DDoS tools -- onto infected systems.

DDoS attack tools, of course, have long been favored by the hacktivist set. In the run-up to the Anonymous-backed attacks against North Korea -- dubbed #OpNorthKorea -- launched Tuesday, for example, the hacktivist collective recommended participants tap one of a number of free DDoS attack tools, such as Slow Loris for Python and Windows, the Low-Orbit Ion Canon, or a set of techniques dubbed as the OWASP Layer 7 DDOS Tool.

Meanwhile, Izz ad-Din al-Qassam Cyber Fighters, which launched the Operation Ababil attacks against U.S. banks last year -- those attacks now appear to be on hiatus -- have favored the "itsoknoproblembro" toolkit, which is also known as Brobot. They've sneaked it onto thousands of legitimate sites, in part by exploiting a known vulnerability in a WordPress plug-in.

In South Korea in October 2011, meanwhile, a DDoS attack was used to disrupt the country's National Election Commission website on the day of a Seoul mayoral by-election. "Information on polling stations was made unavailable during morning hours when a large proportion of young, liberal-leaning constituents were expected to vote en route to work," according to a Freedom House report. Police later arrested a South Korean lawmaker, his personal assistant and the head of an IT services firm for being behind the attack, which authorities said peaked at 263 megabytes per second and was generated using 200 zombie PCs.

For people not well-versed in the art of configuring DDoS attack toolkits or sneaking remote-control DDoS attack code onto otherwise legitimate servers, outsourced services offer to do it for them. Filipino hacker Gwapo, for example, advertises his DDoS attack service on YouTube. Going rates for downing websites are $5 per hour "for small personal websites," and up to $100 per hour "depending on how huge or protected the target is," according to the video. Attacks can be contracted for the short term or long term, and scheduled in advance. Payment is accepted via Bitcoins, as well as CashU Codes, Moneypak and Webmoney. The service even promises refunds if "the target has ... moved to a protected environment which we are not capable of taking down."

"You need your business competitors, rivals, haters or whatever the reason or who they are to go down ... well they can," according to Gwapo's video. "You cannot go wrong."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...