akamai’s [state of the internet] / Security Bulletin
1.1 / OVERVIEW / DD4BC, a malicious group responsible for several Bitcoin extortion campaigns last year, is expanding its extortion and distributed denial of service (DDoS) campaigns to target a wider array of business sectors. In recent days, two Akamai customers have fallen into its crosshairs. Akamai’s Prolexic Security Engineering and Research Team (PLXsert) has conducted new research into DD4BC in recent weeks.

DD4BC appears to use Google IP address ranges, and in some cases AppEngine instances, in its attacks. It appears to use common UDP reflection DDoS attack techniques, as well as SYN floods that spoof Google crawler IP addresses, to mask the malicious traffic.

In one threat, DD4BC claimed it had the firepower to launch 400+ Gbps DDoS attacks, though there is no concrete proof it could carry out an assault of that size.

Late last year, the group repeatedly tried to blackmail Bitcoin exchanges and gaming sites – threatening victims with DDoS attacks in order to extort bitcoins. Campaigns typically consisted of an email informing the victim that a low-level DDoS attack was underway against the victim's website. Emails explained that the DDoS activity could be observed in server logs at low levels in order to not interrupt the victim's operations. Following this explanation, DD4BC demanded a ransom paid in bitcoins in return for protecting the site from a larger DDoS attack capable of taking down the website.

The targets seemed to have been chosen for their reluctance to involve law enforcement – entities associated with illegal gaming activity or unregulated digital cryptocurrencies, commonly referred to as bitcoins. Given the illegal and/or unregulated nature of their activities, the sites typically do not want to invite the scrutiny of law enforcement.

But given the new threats against Akamai customers, who operate in legal and legitimate business operations, DD4BC appears to be more willing to go after bigger fish – even if it brings the attention of law enforcement.

Based on UDP reflection traffic originating from Google IP address ranges, in the latest wave of DD4BC activity, attackers appear to be targeting reflectable services deployed on Google’s AppEngine platform. The attackers may be spinning up Google trial services, deploying reflectable services, and then leveraging the services in their reflection DDoS attacks. This theory is based on the observation of exploitable services disappearing after attacks have run their course.

SECURITY BULLETIN: DD4BC OPERATION PROFILE

RISK FACTOR - MEDIUM

In an earlier version of this bulletin, we discussed how chaotic actors were exploiting Google services as part of their operations. Some have misconstrued it as Google backing a botnet. To be clear, Google has no part in this activity, and certainly does not condone such activity.


PLXsert has identified about four campaigns against seven Akamai customers where legitimate Google crawler IP addresses were spoofed in SYN floods that helped mask the malicious traffic but could also have long-term impacts on businesses’ search engine rankings if long-term IP blocking were applied. Booter and stresser tactics also appeared to be used as weapons in the latest attacks.
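One defender-side check the spoofed-crawler observation calls for, as an added example that is not part of the bulletin: before putting SYN-flood sources on a blocklist, verify which of them are real Google crawler addresses with forward-confirmed reverse DNS (Google's documented method) and keep those out of long-lived blocks. The IP addresses, DNS records, fixture functions and helper names below are constructed for this example, not data from the bulletin.

```python
"""Keep verified Google crawlers out of a SYN-flood blocklist (added example,
not the bulletin's code). DD4BC SYN floods spoofed legitimate Google crawler
addresses, so a blocklist built from observed flood sources can lock Googlebot
out for good. A SYN from a spoofed source never completes the handshake, so the
edge answer is SYN cookies and SYN rate limiting rather than long-lived IP
blocks. This helper applies Google's documented crawler verification (reverse
DNS to googlebot.com or google.com, then forward-confirm the name) through an
injected resolver so it runs offline on constructed fixtures.
"""
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed DNS fixtures (not real records). In production pass
# socket.gethostbyaddr(ip)[0] and socket.gethostbyname_ex(host)[2] instead.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    # A PTR record anyone can set on their own range; the forward lookup of
    # the claimed name must still point back at this address, and here it doesn't.
    "203.0.113.9": "crawl-66-249-66-1.googlebot.com",
    "198.51.100.7": "host7.example.net",
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "host7.example.net": ["198.51.100.7"],
}

def fixture_reverse(ip):
    """Stand-in for socket.gethostbyaddr: raises like a resolver on NXDOMAIN."""
    if ip not in FAKE_PTR:
        raise OSError(f"no PTR for {ip}")
    return FAKE_PTR[ip]

def fixture_forward(host):
    """Stand-in for socket.gethostbyname_ex: addresses for a name."""
    if host not in FAKE_A:
        raise OSError(f"no A record for {host}")
    return FAKE_A[host]

def is_verified_google_crawler(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS check for Google's crawler names."""
    try:
        host = reverse_lookup(ip)
    except OSError:
        return False
    if not host.lower().rstrip(".").endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False
    try:
        return ip in forward_lookup(host)
    except OSError:
        return False

def triage_syn_sources(source_ips, reverse_lookup, forward_lookup):
    """Split flood sources into addresses that must stay reachable and the rest.

    Verification proves the address belongs to Google, not that a given SYN
    came from Google: a spoofed SYN carrying a real crawler address passes
    too. That is exactly why these addresses get SYN cookies, not a block.
    """
    keep, candidates = [], []
    for ip in dict.fromkeys(source_ips):  # de-duplicate, keep order
        if is_verified_google_crawler(ip, reverse_lookup, forward_lookup):
            keep.append(ip)
        else:
            candidates.append(ip)
    return {"exclude_from_blocklist": keep, "rate_limit_candidates": candidates}

if __name__ == "__main__":
    flood = ["66.249.66.1", "203.0.113.9", "198.51.100.7", "192.0.2.50", "66.249.66.1"]
    print(triage_syn_sources(flood, fixture_reverse, fixture_forward))
```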

The group is aware that would-be victims may change their IP addresses to defend themselves and has threatened to retaliate. One victim received the following message (Figure 1):


Figure 1: DD4BC warned a victim not to change IP addresses

1.2 / SAMPLE EXTORTION CAMPAIGN / In one set of exploits, DD4BC had a clear objective of obtaining Bitcoins from online gaming institutions. As the attackers increased their range of victims, they also increased the price of their ransoms. In emails directed at one particular online gaming institution, the initial ransom was 100 BTC, a market value of about $22,000, much larger than what was requested previously (1-10 BTC).

In an email threat against the two sites, shown in Figure 2, DD4BC wrote, “sites are going under attack unless you pay 10 Bitcoin. Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother.”


Figure 2: A DD4BC email demanding a one-bitcoin ransom from an Akamai customer


An online gaming institution warned its customers of the attacks, according to online media as shown in Figure 3.

Figure 3: A published report on DDoS attacks against an online casino group

1.3 / MIXING THREATS WITH OFFERS OF PROTECTION / PLXsert received several samples of email text used by DD4BC in its latest extortion campaigns. In some of the examples, the emails warn potential victims that their sites are vulnerable to a DDoS attack. The sender then offers to set up better protection in exchange for Bitcoin payments. See Figures 4 and 5.


Figure 4: A sample email from DD4BC offering protection in exchange for one bitcoin

Figure 5: Snippet from an email transcript where the malicious actor group asserts the ability to take down even sites with DDoS protection

Figure 6 shows a bitcoin transaction to a known DD4BC bitcoin address.


Figure 6: A bitcoin transaction to the specified bitcoin address

In some cases, DD4BC offers to cease its attack to give the victim time to read its emails and meet the demands (Figure 7).


Figure 7: A DD4BC extortion email chain, promising ongoing escalation if the ransom is not paid in time

1.4 / THREAT COMPONENTS /

• Motivation: DDoS attacks for ransom.

• Objective: Obtain bitcoins as payment. Some of the bitcoin addresses are advertised for ransom payment on public forums as a means of transmitting payments.

• Members: Membership is unknown at this point. However, some of the statements are made using first person expressions.

• Resources: DD4BC is likely using anonymizing network services and anonymous digital cryptocurrency to evade tracing. Matching sources of DDoS activity suggest the use of DDoS-for-hire botnets.

• Knowledge source: DD4BC is likely using publicly available tools to launch attacks. The initial assessment of source IPs suggests use of rented botnets from the DDoS-for-hire underground.

• Victimology: The earlier targets were typically unregulated bitcoin exchanges and gaming sites, which are unlikely to reach out to law enforcement for help. More recent attacks now include reputable business operations.

• Typology: Based on available open source intelligence (OSINT), the attacks are only using publicly available DDoS toolkits, plus resources from rented botnets in the underground.


1.5 / ATTACK ORIGINS / Some victims publicized the source IP addresses of the DDoS attacks. Figure 8 shows some advertised IP address sources involved in the DDoS attack against Bitalo, as shared on the website bitcointalk.org.

Figure 8: Disclosure of alleged attack sources from a DDoS campaign against Bitalo

PLXsert matched the advertised sources with known DDoS attack sources. Some of the sources have attacked customers who are under Akamai’s DDoS protection. Figure 9 shows the industries previously targeted by IP addresses that were listed in Figure 8.

Figure 9: The bots used in the DD4BC attacks have previously targeted Akamai customers in multiple industries

1.6 / OPERATIONS: SKILLS AND METHODS / Figure 10 shows a bitcoin address, a date of registration in the forum and the last activity time, which dates to November 10, 2014. No information was found on the bitcoin address; however, it is very common for malicious actors to create multiple bitcoin addresses and perform multiple transfers. This transaction suggests that DD4BC has received a ransom payment and has actively tried to obfuscate the destination of the funds, as some of the blockchain transaction information indicates.

Figure 10: Bitcoin Forum advertisement for DD4BC


It is very common for malicious actors to create multiple bitcoin addresses and perform multiple transfers in order to obfuscate origin and destination of the BTC funds. PLXsert found one of these addresses advertised as a ransom payment address, as shown in Figure 11.

Figure 11: A DD4BC victim posts information about the attack and ransom demand on October 24, 2014, including the ransom address

PLXsert found additional activity related to this bitcoin address on November 2 and 3, as shown in Figure 12 and Figure 13. The BTC transactions dated November 2, 2014 show payment and transfers to other accounts. It is very likely these malicious actors have already received ransom payments and have actively tried to obfuscate the destinations of these funds, as the multiple transactions recorded on Nov. 3, 2014 show.


Figure 12: Bitcoin activity for hash 6JEzTkXGeCFPrCoPo9hnSVZWLHMau31fg for November 2-3, 2014

Figure 13: Subsequent transactions to other bitcoin addresses suggest obfuscation attempts by the malicious actor(s)

1.7 / OBSERVED CAMPAIGNS / PLXsert identified some of the source IP addresses as having participated in previous DDoS attacks, including SYN floods, DNS reflection attacks, NTP floods, CHARGEN attacks, SSDP floods and new DDoS attack campaigns uncovered in recent days against Akamai customers.

Figure 14 highlights payload samples from a DDoS campaign that occurred on April 16, 2015. It was confirmed that the DD4BC group was the malicious actor responsible for this DDoS attack.


Some details of the attack include the following:

• Attack vectors: NTP flood, CHARGEN attack, SSDP flood
• Source ports: 123, 1900, 19
• Destination ports: Randomized (based on targeted host)

=== NTP Flood ===

16:32:53.174807 IP x.x.x.x.123 > x.x.x.x.777: NTPv2, Reserved, length 440
16:32:53.174816 IP x.x.x.x.123 > x.x.x.x.777: NTPv2, Reserved, length 440
16:32:53.174836 IP x.x.x.x.123 > x.x.x.x.777: NTPv2, Reserved, length 440
16:32:53.174837 IP x.x.x.x.123 > x.x.x.x.777: NTPv2, Reserved, length 440

2015-04-16 16:36:52.564778 IP (tos 0x0, ttl 244, id 28541, offset 0, flags [DF], proto UDP (17), length 468)
    x.x.x.x.123 > x.x.x.x.777: NTPv2, length 440
    Reserved, Leap indicator: clock unsynchronized (192), Stratum 38 (reserved), poll 3s, precision 42
    Root Delay: 6.001098, Root dispersion: 0.000000, Reference-ID: 0.0.25.199
      Reference Timestamp:  0.000001640
      Originator Timestamp: 3740019747.752572894 (2018/07/08 06:22:27)
      Receive Timestamp:    1.001221120 (2036/02/07 06:28:17)
      Transmit Timestamp:   0.000000000
        Originator - Receive Timestamp:  +554947549.248648256
        Originator - Transmit Timestamp: +554947548.247427135

=== SSDP Flood ===

16:33:09.326321 IP x.x.x.x.1900 > x.x.x.x.80: UDP, length 323
16:33:09.326322 IP x.x.x.x.1900 > x.x.x.x.80: UDP, length 311
16:33:09.326323 IP x.x.x.x.1900 > x.x.x.x.80: UDP, length 307
16:33:09.326329 IP x.x.x.x.1900 > x.x.x.x.80: UDP, length 305

2015-04-16 16:44:40.186132 IP x.x.x.x.1900 > x.x.x.x.53: 18516 updateD% [b2&3=0x5450] [11825a] [12081q] [8242n] [12336au][|domain]
....E..`[email protected]:..<_..L.l.5.L.|HTTP/1.1 200 OK
ST:urn:dslforum-org:service:WANDSLConnectionManagement:1
USN:uuid:22222222-0000-c0a8-0101-b0b2dc1bf030::urn:dslforum-org:service:WANDSLConnectionManagement:1
Location:http://192.168.1.1:5555/DeviceDescription.xml
Cache-Control:max-age=900
Server:Allegro-Software-RomUpnp/4.07 UPnP/1.0 IGD/1.00
Ext:

2015-04-16 16:44:40.186753 IP x.x.x.x.1900 > x.x.x.x.80: UDP, length 294
[email protected]#...._..L.l.P...
HTTP/1.1 200 OK
Cache-Control: max-age=120
EXT:
Location: http://192.168.0.1:65535/rootDesc.xml
Server: UPnP/1.0 MiniUPnPd/1.3
ST: urn:schemas-wifialliance-org:service:WFAWLANConfig:1
USN: uuid:b9474e7e-1dd1-11b2-8f7e-c6b7ce97418a::urn:schemas-wifialliance-org:service:WFAWLANConfig:1


=== CHARGEN Flood ===

16:33:27.892030 IP x.x.x.x.19 > x.x.x.x.8080: UDP, length 2379
16:33:27.894008 IP x.x.x.x.19 > x.x.x.x.8080: UDP, length 506
16:33:27.894557 IP x.x.x.x.19 > x.x.x.x.8080: UDP, length 6956
16:33:27.900713 IP x.x.x.x.19 > x.x.x.x.8080: UDP, length 1642

6:33:32.443615 IP x.x.x.x.19 > x.x.x.x.8080: UDP, length 3064
....E...8x .y......._..L........ !"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklm'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno)*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrs-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrst./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstu/0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuv0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvw123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwx23456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxy3456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl

Figure 14: Payload samples of the DDoS attack traffic
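As an added example (not code from the bulletin), the following Python script parses tcpdump summary lines of the kind shown in Figure 14 and tallies the three reflection vectors by reflector source port, which is the stable signal when destination ports are randomized. The sample lines are constructed after the bulletin's redacted samples, and the x.x.x.x addresses, the FLOW_RE pattern and the helper names are this example's own.

```python
"""Tally UDP reflection vectors in tcpdump output (added example, not the
bulletin's code). Packets are grouped by reflector source port, the key the
bulletin gives for this campaign: 123/NTP, 1900/SSDP, 19/CHARGEN.
Sample lines are constructed after Figure 14; x.x.x.x stands in for real IPs.
"""
import re
from collections import Counter, defaultdict

REFLECTION_VECTORS = {123: "NTP", 1900: "SSDP", 19: "CHARGEN"}

# "IP [(verbose header)] src.sport > dst.dport: rest"; tcpdump glues the port
# to the host with a dot, so the host parts are matched non-greedily.
FLOW_RE = re.compile(
    r"IP (?:\(.*?\) )?(?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length (\d+)")

# Constructed sample: NTP, SSDP and CHARGEN replies plus one unrelated UDP
# packet so the "other" bucket is exercised.
SAMPLE_TCPDUMP = """\
16:32:53.174807 IP x.x.x.x.123 > x.x.x.x.777: NTPv2, Reserved, length 440
16:32:53.174816 IP x.x.x.x.123 > x.x.x.x.777: NTPv2, Reserved, length 440
2015-04-16 16:36:52.564778 IP (tos 0x0, ttl 244, id 28541, offset 0, flags [DF], proto UDP (17), length 468) x.x.x.x.123 > x.x.x.x.777: NTPv2, length 440
16:33:09.326321 IP x.x.x.x.1900 > x.x.x.x.80: UDP, length 323
16:33:09.326322 IP x.x.x.x.1900 > x.x.x.x.80: UDP, length 311
2015-04-16 16:44:40.186132 IP x.x.x.x.1900 > x.x.x.x.53: 18516 updateD% [b2&3=0x5450] [11825a] [12081q] [8242n] [12336au][|domain]
16:33:27.892030 IP x.x.x.x.19 > x.x.x.x.8080: UDP, length 2379
16:33:27.894008 IP x.x.x.x.19 > x.x.x.x.8080: UDP, length 506
16:33:10.000001 IP x.x.x.x.443 > x.x.x.x.41022: UDP, length 60
"""

def parse_line(line):
    """Flow fields of one tcpdump line, or None for a non-flow line."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    # Verbose output prints the IP total length inside the parentheses and the
    # UDP payload length last; the last "length N" in `rest` is the payload.
    lengths = LEN_RE.findall(rest)
    sport = int(m.group("sport"))
    return {
        "src": m.group("src"),
        "sport": sport,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "length": int(lengths[-1]) if lengths else 0,
        "vector": REFLECTION_VECTORS.get(sport, "other"),
        # tcpdump prints NTP modes 0 and 7 as "Reserved"; mode 7 (private)
        # replies are what a monlist amplification attack delivers.
        "ntp_private_mode": rest.startswith("NTPv2, Reserved"),
    }

def summarize(lines):
    """Per-vector packet count, bytes, destination ports, private-mode hits."""
    summary = defaultdict(lambda: {
        "packets": 0, "bytes": 0, "dst_ports": Counter(), "ntp_private_mode": 0,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = summary[rec["vector"]]
        bucket["packets"] += 1
        bucket["bytes"] += rec["length"]
        bucket["dst_ports"][rec["dport"]] += 1
        bucket["ntp_private_mode"] += int(rec["ntp_private_mode"])
    return dict(summary)

def vector_ranking(summary):
    """Reflection vectors present, largest byte volume first."""
    return sorted(((v, s["bytes"]) for v, s in summary.items() if v != "other"),
                  key=lambda item: item[1], reverse=True)

def reflection_share(summary):
    """Fraction of observed bytes that arrived from known reflector ports."""
    total = sum(s["bytes"] for s in summary.values())
    reflected = sum(s["bytes"] for v, s in summary.items() if v != "other")
    return reflected / total if total else 0.0

if __name__ == "__main__":
    result = summarize(SAMPLE_TCPDUMP.splitlines())
    for vector, volume in vector_ranking(result):
        print(f"{vector:8s} {result[vector]['packets']} pkts {volume} bytes "
              f"to dst ports {sorted(result[vector]['dst_ports'])}")
    print(f"reflection share of bytes: {reflection_share(result):.1%}")
```

The sixth sample line shows tcpdump decoding an SSDP reply as DNS because the randomized destination port happened to be 53; classifying by source port sidesteps that, which is why the bulletin's source-port list is the useful fingerprint.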

1.7A / ATTACK DISTRIBUTION BY SCRUBBING CENTER / Figure 15 shows the attack traffic by Akamai DDoS mitigation scrubbing center. Most malicious traffic was mitigated in London, Hong Kong and San Jose, CA.

[Figure 15 table: Scrubbing Center | Bandwidth | PPS; rows for Hong Kong, Washington DC, San Jose, Frankfurt, London and Tokyo]

Figure 15: Attack traffic distribution by Akamai scrubbing center


1.7B / TARGETED INDUSTRIES / A sample set of industry verticals that have been targeted by the collected bots over the course of six months includes the following three subsets of high-tech and software companies:

• Hosting, domain name services (DNS), email services
• High tech consulting and services
• Software-as-a-Service

1.7C / ATTACKING IP ADDRESSES / PLXsert gathered the open source intelligence (OSINT) and identified the attacking IP address attributes shown in Figure 16.


Figure 16: WHOIS data from IP addresses participating in previous attack campaigns


1.8 / CONCLUSION / The nature of the operation and the successes obtained by DD4BC lead PLXsert to expect the group to continue increasing the range of targets to other verticals, particularly those susceptible to financial loss due to downtime. This modus operandi is similar to what is known as an express kidnapping, where criminals simply demand a small ransom that victims or companies can easily pay. The criminals make quick money and the victims are allowed to go on without major damage.

The data suggests the individual or individuals involved in this operation have likely already received payments from the threats made to some victims.

Historically, the verticals may have been selected based on their likely reluctance to involve law enforcement, leaving them the choice of either paying the ransom or seeking DDoS protection services. Some victims have offered bounties to convince others to reveal the perpetrators’ identities, but such attempts to bring the malicious actors to justice may be unsuccessful.

However, DD4BC is expanding to targets in more reputable business sectors – including the Akamai customers whose attacks are described in this bulletin, so there is hope that more victims will be forthcoming with law enforcement.

PLXsert predicts this type of activity will increase as copycats enter the game.


The Prolexic Security Engineering and Research Team (PLXsert) monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions.

About Akamai® / As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.

©2015 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 04/15.
