In Search of The Perfect Cyber Security Crime: Part 1 — DDoS-for-Hire
Where there’s money, there are criminals. For a criminal, the perfect crime is one that maximises the reward, and minimises the chances of being caught.
In my series of blogs on Cyber Radio, I’m going to outline the perfect cybersecurity crimes, and cover areas such as ransomware, cryptocurrency wallet stealing, dark web trading, and DDoS (Distributed Denial of Service).
In this article, I will outline DDoS and the attempts that law enforcement is making to make life difficult for cybercriminals to operate. I’ll also outline how others have turned to DDoS as a blunt attack vector.
The rather centralised Internet
The Internet was designed to be a completely distributed system, where data could take multiple routes to reach a service. Unfortunately, the Internet we have actually built is fairly centralised: services typically have single endpoints, and there are choke points for traffic. In the following, Eve creates a distributed attack on a back-end Web server infrastructure, and could reduce Bob’s quality of service when he tries to create a connection:
This means that a DDoS attack can often succeed either in bringing down the server infrastructure or in exhausting the bandwidth for the traffic flows. For Bob, the Web site will either crash on him, or the quality of service will be so bad that he will leave and go elsewhere.
Knowing that companies lose business through website crashes and poor quality of service, we have an increasing threat from DDoS-for-hire, where criminals can hire a tool for a given time and define its target. Normally the way that companies deal with this is to load balance on the main gateway into their infrastructure, and then create new instances of servers. But this can be costly to implement, and can only be sustained for a relatively short time period. The upstream pipeline to the infrastructure could also become exhausted, reducing the quality of service.
Not all attacks are direct
And the attack doesn’t have to focus on the back-end infrastructure. In 2016, Facebook was taken down through a botnet attack on their Dynamic DNS service, which was run by Dyn.
With this, the malware-infected botnet, made up of devices such as compromised CCTV cameras, requested address look-ups from the Dyn servers, which stopped other users from getting IP address look-ups for Facebook, Github, Twitter, SaneBox, Reddit, AirBnB, and Heroku. It basically worked because the cameras produced by XiongMai Technologies (XT) had a default root password of “xc3511”. The Mirai malware was then used to take over an army of over 500,000 cameras. This network — a botnet — was then instructed to create false domain name lookups against the Dyn service:
This type of attack is known as a reflection attack. One attack on the KrebsOnSecurity site resulted in a peak load of 620 Gbps. The opportunity for cybercriminals is thus to take control of the command and control (C&C) infrastructure, and instruct the botnet to create a sustained attack on a given site. Tracing the original source of the attack is almost impossible, as the attacking network is just a network of compromised devices.
In their State of the Internet report, Akamai reported a 16% increase from Summer 2017 to Summer 2018, with 7,822 mitigated DDoS attacks. The record attack at the current time is a massive 1.35Tbps. Much of the activity is still bot related, where compromised systems are used to perform the attacks. This can be compared with the capacity of 3.2 TBps of the TAT-14 cable which connects the US and Europe.
Stressors and Operation Power Off
In many cases, payment is made in Bitcoin, which further covers the tracks of the adversary. The model of the attack is enabled by distributing the attack agents across the world, where it is difficult to throttle back traffic purely by closing off routes into the targeted system. On the one hand a company might use a “stresser” to test whether their infrastructure could cope with a heavy number of accesses, but on the other hand the stresser can be used as an attack tool. The companies performing these DDoS activities will thus advertise their services as stresser services, but underneath they are really DDoS attack tools.
And so, in April 2018, the Dutch National High Tech Crime Unit and the U.K. National Crime Agency decided to target Webstresser.org — Operation Power Off. It is thought that there were over 136,000 registered users of the platform and that it had been involved in more than four million attacks. The site existed in the open and advertised its services as the most reliable IP Stresser/Booter:
Before its take-down, the Webstresser.org site advertised a stress test strength of 350Gbps, and its subscription models ranged from Bronze to Platinum. For just $18.99 per month a user could get 1200 seconds of boot time (20 minutes), and the best package gave a 7200 second boot time (2 hours). This time could be used over a single month, and would then be renewed for the next month. For $102, a user could even achieve a 999 year membership (defined as a ‘lifetime’ membership):
The site has been responsible for several attacks against Dutch banks, and the actual infrastructure for the company was based in The Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada, and Hong Kong. The administrators, though, were based in the UK, Croatia, Canada and Serbia.
So, on 25 April, the domain name was seized by the United States Department of Defense, Defense Criminal Investigative Service, Cyber Field Office, in a coordinated effort involving law enforcement agencies from The Netherlands, UK, Serbia, Croatia, Spain, Italy, Germany, Australia, Hong Kong, Canada and the USA, in cooperation with Europol:
Kaspersky Lab recently estimated that a cloud-based infrastructure of 1,000 machines would cost a cybercriminal around $7 per hour, and that they could charge $25 an hour for the attack. This leads to a profit of around $18 per hour. The attack infrastructure can thus be created in the cloud in minutes, used to create the attack, and then collapsed when finished. When investigators try to trace the sources, the machines which caused the attack are often gone. A botnet of compromised IoT attacking devices leaves almost no traces back to the source, too.
Are they successful?
While the providers of the attacks will make their money in scripting and orchestrating the attacks, cybercriminals will often use them for extortion. The victims of the attack, especially in areas which require high levels of availability such as in online gambling and gaming, are often willing to pay a ransom in order to stop the attack.
One of the most successful forms of attack is the RDoS (Ransomware Denial of Service) attack. These often start with a social media post or a letter which announces a forthcoming attack on a site unless a payment is made. In order to show their power, the attackers will often launch pre-attacks to show that they are serious in their demands. In some cases the success rate of this can be greater than 95%. In 2017, a hacking group named the Armada Collective launched an attack on Nayana (a South Korean web hosting company). The company eventually paid a ransom fee of around $1 million. After this successful extortion of funds, others have tried to cash in with claims of an attack that never actually happens. A recent estimate is that around one in six organisations — worldwide — have received at least one of these ransom notes.
In 2014, a bitcoin extortionist group called DD4BC emerged. This group targeted institutions around the world with threats of DDoS attacks if a ransom in bitcoin was not paid. Two core members of DD4BC were ultimately arrested in December 2015, but this did not stop the growth of ransom-based DDoS attacks.
In September 2015, a new group called the Armada Collective emerged targeting banks, e-commerce and hosting services in Russia, Thailand, Switzerland, and more. In November 2015, The Armada Collective launched one of their most famous ransomware attacks. The group targeted several email service providers like ProtonMail, NeomailBox, VFEmail, HushMail, FastMail, Zoho, and Runbox.
Armada Collective had a very specific pattern of blackmailing only a handful of victims at a time. They would send their target a letter demanding a ransom be paid in bitcoin. To underscore the threat, the group would launch a sample attack for 15 to 30 minutes against the victims’ network. If the ransom was not paid in the allotted time, the ransom would increase and the targets would face large-scale and persistent multi-vector attacks.
It’s not just cybercriminals
Along with cyber criminals being involved in extortion, DDoS has become the weapon of choice for hacktivists who will bring down sites for political reasons.
In 2015, as a protest against the St. Louis County Police’s involvement in the killing of unarmed teenager Michael Brown in Ferguson, Mo., there was a DDoS (Distributed Denial of Service) attack on the police Web site, which brought down their systems for several days. At the same time the attackers managed to hack into the St. Louis County Police network, and gained access to dispatch tapes related to the day of the shooting, which they then uploaded to YouTube.
Nation states, too, have been shown to be testing their muscles with target range tests. The first signs of cyber warfare are likely to be large scale DDoS against a target country’s infrastructure. Estonia, for example, whose infrastructure was disabled for several days in 2007 following a cyber attack, recently looked at moving copies of government data to the UK for protection. As most countries are now highly dependent on their Internet infrastructure, a DDoS against the critical national infrastructure could cause the whole infrastructure to fall like a line of dominoes.
Where is DDoS coming from?
While firewalls can often filter TCP-sourced connections, attacks based on connectionless protocols such as UDP, DNS and NTP are still the top vectors, as they are difficult to block:
An example is a DNS reflection attack (as illustrated below), where a malicious source (eg 126.96.36.199) makes a request to a DNS server for a look-up on a domain name (such as “intel.com”). The source address of the request is spoofed to be the target address (188.8.131.52), so that the DNS server sends its response to the target rather than to the attacker. If there are enough DNS requests, the target server will be swamped by DNS traffic.
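From the target’s side, the tell-tale sign of the reflection attack described above is a stream of DNS responses arriving from many resolvers for queries the target never sent. The following is an added example (not code from the original article) that flags such unsolicited responses in constructed flow records; it assumes a simple address-prefix test for “local” hosts and records of the shape shown in the comments.

```python
# Added example, not from the original article: flag DNS responses that arrive
# at a local host without a matching outbound query, the tell-tale pattern a
# reflection target sees (the attacker sent the query with a spoofed source).
from collections import defaultdict

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, dns_qr, bytes).
# dns_qr is 0 for a query, 1 for a response. 188.8.131.52 is the target address
# used in the article; the resolver addresses are made-up documentation ranges.
FLOWS = [
    ("188.8.131.52", 41000, "198.51.100.5", 53, 0, 60),   # genuine query from target
    ("198.51.100.5", 53, "188.8.131.52", 41000, 1, 180),  # its matching response
    ("203.0.113.10", 53, "188.8.131.52", 40000, 1, 3200), # unsolicited, no query seen
    ("203.0.113.11", 53, "188.8.131.52", 40001, 1, 3300), # unsolicited
    ("203.0.113.12", 53, "188.8.131.52", 40002, 1, 3100), # unsolicited
]

def unsolicited_dns_responses(flows, local_prefix):
    """Return (resolver, victim, bytes) for responses to local hosts that never
    sent a matching query. A match is a query from the same local host and
    port to the same resolver, seen earlier in the flow stream."""
    seen_queries = set()
    unsolicited = []
    for src, sport, dst, dport, qr, size in flows:
        if qr == 0 and src.startswith(local_prefix) and dport == 53:
            seen_queries.add((src, sport, dst))
        elif qr == 1 and dst.startswith(local_prefix) and sport == 53:
            if (dst, dport, src) not in seen_queries:
                unsolicited.append((src, dst, size))
    return unsolicited

def reflection_summary(flows, local_prefix, min_resolvers=3):
    """Aggregate unsolicited responses per victim and return
    {victim: (distinct_resolvers, total_bytes)} for victims hit from at least
    min_resolvers distinct resolvers, which is what separates a reflection
    flood from a single stray retransmission."""
    per_victim = defaultdict(lambda: {"resolvers": set(), "bytes": 0})
    for resolver, victim, size in unsolicited_dns_responses(flows, local_prefix):
        per_victim[victim]["resolvers"].add(resolver)
        per_victim[victim]["bytes"] += size
    return {v: (len(d["resolvers"]), d["bytes"])
            for v, d in per_victim.items() if len(d["resolvers"]) >= min_resolvers}

if __name__ == "__main__":
    for victim, (n, total) in reflection_summary(FLOWS, "188.8.").items():
        print(f"{victim}: {n} reflectors, {total} bytes of unsolicited DNS responses")
```

On real traffic the same check would be fed from flow export or packet capture, and the byte totals per victim give the amplified volume the upstream link has to absorb.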
The targets for DDoS are often related to those industries where a good quality of service is required for their operation. At the top as a target are the companies who often require high levels of availability, such as with the gaming industry, ISPs and the finance industry:
While, in 2017, the US was down in terms of DDoS, it was very much leading the way in Web application attacks, with the US, The Netherlands and China providing around half of all Web attacks:
And for targets it seems that the US, Brazil and the UK are the most popular countries:
Operation Power Off is just one example of law enforcement fighting back against on-line criminality, and all they did was to take over the domain name. One surprising thing is that the site existed in plain sight on the Web, and was actually one of the Top 200K sites on the Internet. Whether the operation will have an effect on DDoS has yet to be seen, as has whether the criminal activity just moves to the Dark Web.