DDoS, Botnets, Phishing and RATs – the Cyber weapons and army of choice

Introduction

The Internet was conceived as a distributed network in which data packets can take multiple routes to reach their destination. It was also created outside the control of any single organisation or government, and so has been difficult to regulate. Its strength, of course, is that content from around the world can be reached without governments controlling access to it. Within any political system there are those, especially at the extremes of the political divide, who want to limit access to content they see as dangerous, and governments have traditionally controlled the flow of information by monitoring their physical borders, in order to keep out content that could damage the state. The openness of the Internet, though, also exposes organisations to large-scale cyber threats.

Cyber Attacks on the Finance Industry

The problem of the openness of the Internet was highlighted last week, when the US authorities identified a wave of cyber attacks on American financial institutions, including JPMorgan Chase, intended either to steal data or to disrupt operations. Previous attacks have focused on Goldman Sachs, Morgan Stanley, Bank of America, Citigroup and Wells Fargo.

As the finance industry becomes more dependent on its information infrastructure, the risks to these organisations, and to the world economy, also increase. In times gone past, the finance industry used dedicated leased lines for its communications, but these are expensive, and many organisations have moved to the Internet for their communications, and even to public cloud infrastructure to store and process their transactions. They usually encrypt the channels over which data crosses public networks, but it is their connections to the Internet that provide a hook for attacks.

The US Treasury, like the Bank of England, has identified cyber threats as a key focus, and has said that organisations need to work together to defend against a range of threats, including from foreign governments; one theory is that the attacks are retaliation by the Russian government for US sanctions over the crisis in Ukraine. Other possible motivations point to cyber criminals and hacktivists.

External Exposure

Whenever an organisation connects to the Internet it is automatically exposed to an external threat. The exposure may be only a small touch-point, but it gives an attacker a point of attack against the organisation. These touch-points are addressable through a public IP address: every service that is reachable on-line needs a public IP address (or sits behind one), so although organisations can hide away much of their infrastructure, they must allow some network traffic through. The challenge remains how to let traffic out while only letting valid, expected data back in.

With the Internet, we now have a large infrastructure of zombie agents (compromised hosts) which can be taken over and directed to attack any organisation or defence infrastructure of the zombie master's choosing. Add the possibility of routing through the Tor (The Onion Router) network, and there are many opportunities for cyber warfare by proxy.

A DDoS attack against the infrastructure of an organisation is only one method that can be used to disrupt its operations. Other recent attacks have focused on external systems on which it depends, such as the domain name registrar, the Domain Name System (DNS), or any other part of the critical infrastructure.

DDoS and Botnets

This year (2014) has seen more DDoS attacks than ever before, with the number of high-end attacks doubling over the year and more than 100 attacks peaking at over 100 Gbps. The largest so far was against a Spanish site, where NTP (Network Time Protocol) servers were used to bombard the Web infrastructure. In an NTP reflection attack the intruder sends small requests from compromised hosts to NTP servers (not a simple request for the time but, typically, the monlist command, whose reply lists recently seen clients and is many times larger than the request) with the source address forged to be the target, so that the servers send their large replies to the target. The protocols used on the Internet were not designed with security in mind, so a sender can put a source address on a packet that is different from the host that actually sent it, and UDP services such as NTP will answer it without checking. This specific attack peaked at 154.69 Gbps, which is more than enough to bring any network down. The aim is to exhaust networked resources: the interconnecting devices, the bandwidth of the connections to the Internet, and the CPU of the servers.

The reason that DDoS is often successful is three-fold:

  • It is difficult to differentiate between good and bad traffic. The Internet is built on some extremely simple protocols which were not designed with security in mind, so telling good traffic from bad is hard. Normally organisations throttle back when under attack, refusing new connections and waiting until the existing connections have closed.
  • Tracks are obfuscated. With a reflection attack, the traffic the target sees comes from intermediate devices (the reflectors), so it is difficult to trace the actual source of the attack. With networks such as Tor, the intruder can further hide their tracks.
  • Zombie nodes are used in the attack. There are many compromised hosts on the Internet, including those infected with the Zeus botnet. Each of these can be controlled and used to attack the target.
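One way to pick reflected NTP traffic out of flow records, as an added example that is not part of the original post: a genuine time query produces a small reply to the port that asked for it, whereas reflection produces large replies from servers the victim never queried, to whatever port the attacker chose. The flow records, the tuple layout and the thresholds (bytes per packet, number of distinct reflectors) below are constructed for the example and are not from any real capture.

```python
# Added example (not from the original post): spotting NTP reflection traffic
# in flow records.  The flow records below are constructed, not captured.
from collections import defaultdict

NTP_PORT = 123

# (src_ip, src_port, dst_ip, dst_port, packets, bytes) -- constructed sample flows
SAMPLE_FLOWS = [
    # Normal time sync: our host asks a server on 123 and gets one small reply back.
    ("203.0.113.10", 51000, "198.51.100.5", 123, 1, 90),
    ("198.51.100.5", 123, "203.0.113.10", 51000, 1, 90),
    # The eventual victim also syncs its clock legitimately with the same server.
    ("203.0.113.20", 40000, "198.51.100.5", 123, 1, 90),
    ("198.51.100.5", 123, "203.0.113.20", 40000, 1, 90),
    # Reflection: several NTP servers the victim never queried send it
    # large monlist-style replies, aimed at a port chosen by the attacker.
    ("192.0.2.1", 123, "203.0.113.20", 80, 100, 48200),
    ("192.0.2.2", 123, "203.0.113.20", 80, 100, 48200),
    ("192.0.2.3", 123, "203.0.113.20", 80, 100, 48200),
    ("192.0.2.4", 123, "203.0.113.20", 80, 100, 48200),
    # One stray large reply to another host: too few reflectors to alert on.
    ("192.0.2.9", 123, "203.0.113.30", 80, 10, 4820),
]


def find_reflection_victims(flows, min_bytes_per_packet=200, min_reflectors=3):
    """Return {victim_ip: summary} for hosts receiving NTP replies that look reflected.

    A reply is suspicious when (a) it comes from UDP/123, (b) the receiving host
    never sent a request to that server, and (c) its packets are far larger than
    a normal time reply.  A victim is reported when at least ``min_reflectors``
    distinct servers are doing this (thresholds are assumptions for the example).
    """
    # (client, server) pairs for which we saw a genuine outbound NTP query.
    requested = {(src, dst) for src, _, dst, dport, _, _ in flows if dport == NTP_PORT}

    inbound = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, _, pkts, nbytes in flows:
        if sport != NTP_PORT or pkts == 0:
            continue
        if (dst, src) in requested:
            continue                      # the host really asked this server
        if nbytes / pkts < min_bytes_per_packet:
            continue                      # ordinary-sized reply, not amplified
        rec = inbound[dst]
        rec["reflectors"].add(src)
        rec["packets"] += pkts
        rec["bytes"] += nbytes

    victims = {}
    for victim, rec in inbound.items():
        if len(rec["reflectors"]) >= min_reflectors:
            victims[victim] = {
                "reflectors": sorted(rec["reflectors"]),
                "packets": rec["packets"],
                "bytes": rec["bytes"],
                "avg_bytes_per_packet": rec["bytes"] / rec["packets"],
            }
    return victims


if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(info['reflectors'])} reflectors, "
              f"{info['bytes']} bytes, {info['avg_bytes_per_packet']:.0f} B/pkt")
```

The "no matching outbound query" test is what separates a host under attack from one that merely runs a busy NTP client; the size test separates a monlist-style reply from a plain time reply. At the network edge the same logic becomes a rule that drops inbound UDP/123 unless a matching outbound query was seen, which is what a stateful firewall does for you.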

DDoS is now often used as a method of protest. After the St. Louis County Police's involvement in the killing of the unarmed teenager Michael Brown in Ferguson, Missouri, there was a DDoS (Distributed Denial of Service) attack on the police Web site which brought the site down for several days. Overall it made a strong statement, and the authorities could do little about it. Along with this, the group responsible, who declared links to Anonymous, claimed to have hacked into the St. Louis County Police network and gained access to dispatch tapes from the day of the shooting, which they then uploaded to YouTube.

Domain Name Registrar compromise

On 22 June 2014, the SEA (Syrian Electronic Army) showed how a key element of the trusted infrastructure could be compromised (by changing the IP address mapping for a domain used by Reuters), and used this to display a page which stated:

Stop publishing fake reports and false articles about Syria! UK government is supporting the terrorists in Syria to destroy it. Stop spreading its propaganda.

The target, though, was not the Reuters site itself but content it embedded, which is also used by many other media outlets. The same has happened in other related hacks, such as on the New York Times, where the SEA went after the domain name servers of the New York Times and Twitter through the registrar records held at Melbourne IT. Thus when a user wanted to go to the New York Times site, they were redirected to a page generated by the SEA.

In this case the web advertising network Taboola was compromised, which could have serious consequences for its other clients, who include Yahoo!, the BBC and Fox News. With the increasing use of third-party advertising material on sites, it will be a great worry to many sites that messages from hacktivists could be posted through them. Previously, in 2012, Reuters was hacked by the SEA, who posted a false article on the death of Saudi Arabia's foreign minister Saud al-Faisal.
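Both the Melbourne IT and the Taboola incidents above were caught by people noticing wrong pages, not by monitoring. As an added example, not code from the original post or from any of the organisations named, here is the check a zone owner can run against their own domain: compare the observed delegation (NS records), address records and registrar lock status with what is expected, and say at which layer the change happened. The expected values, the domain names and the "observed" snapshots are constructed for the example.

```python
# Added example (not from the original post): comparing a domain's observed
# delegation, A records and registrar status codes against the owner's expectation.
# Expected values and the observed snapshots are constructed/assumed for the example.
import ipaddress

# What the owner of the (assumed) domain expects.
EXPECTED = {
    "ns": {"ns1.dns-host.example", "ns2.dns-host.example"},
    "a_ranges": [ipaddress.ip_network("203.0.113.0/24")],
}

# EPP status codes (RFC 5731) that a registrar sets to block changes and transfers.
REGISTRAR_LOCKS = ("clientTransferProhibited", "clientUpdateProhibited")

# Constructed snapshots, as a script polling a resolver and WHOIS/RDAP might record.
CLEAN = {
    "ns": {"ns1.dns-host.example", "ns2.dns-host.example"},
    "a": {"203.0.113.10", "203.0.113.11"},
    "status": {"clientTransferProhibited", "clientUpdateProhibited"},
}
# Registrar account compromised: delegation moved to the attacker's servers,
# locks cleared, site now resolves to an address the owner does not control.
REGISTRAR_HIJACK = {
    "ns": {"ns1.attacker.invalid", "ns2.attacker.invalid"},
    "a": {"198.51.100.7"},
    "status": {"ok"},
}
# DNS hosting account compromised (or answers poisoned): delegation intact,
# but one A record now points outside the owner's range.
ZONE_HIJACK = {
    "ns": {"ns1.dns-host.example", "ns2.dns-host.example"},
    "a": {"203.0.113.10", "198.51.100.7"},
    "status": {"clientTransferProhibited", "clientUpdateProhibited"},
}


def check_domain(observed, expected=EXPECTED):
    """Return a list of (layer, message) alerts; an empty list means no change."""
    alerts = []

    added = observed["ns"] - expected["ns"]
    removed = expected["ns"] - observed["ns"]
    if added or removed:
        alerts.append(("delegation",
                       f"NS changed: added {sorted(added)}, removed {sorted(removed)}"))

    for rec in sorted(observed["a"]):
        ip = ipaddress.ip_address(rec)
        if not any(ip in net for net in expected["a_ranges"]):
            alerts.append(("zone", f"A record {rec} is outside expected ranges"))

    for lock in REGISTRAR_LOCKS:
        if lock not in observed["status"]:
            alerts.append(("registrar", f"{lock} not set"))

    return alerts


def classify(alerts):
    """Name the layer at which to start the response."""
    layers = {layer for layer, _ in alerts}
    if "delegation" in layers or "registrar" in layers:
        return "registrar-level"      # talk to the registrar, restore locks and NS
    if "zone" in layers:
        return "zone-level"           # DNS hosting account or resolver path
    return "clean"


if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("registrar", REGISTRAR_HIJACK),
                       ("zone", ZONE_HIJACK)):
        print(name, classify(check_domain(snap)), check_domain(snap))
```

The delegation check is the one that matters for the Melbourne IT case: when the NS set itself changes, fixing records at the DNS host achieves nothing, because the world is no longer asking that host. The lock check is preventive rather than detective; with the transfer and update locks set, the attacker needs to get the registrar to remove them first, which is a separate, noisier step.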

In a previous hack on The Onion, the SEA used one of the most common methods of compromise: a phishing email. A person in the company clicked on a malicious link for what seemed to be a lead story from the Washington Post. Unfortunately it redirected to another site, which then asked for Google Apps credentials, after which the SEA gained access to the Web infrastructure and managed to post a story.

It is possible that the attack on Reuters was based on this type of compromise, as it is fairly easy to target key users and trick them into entering their details. Often the phishing page even replicates the local login to an intranet, but is actually a spoofed version. In the case of The Onion, the SEA also gained access to their Twitter account.

In classic form, The Onion, on finding the compromise, posted an article leading with:

“Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Death At Hands of Rebels.”

While it took a while for The Onion to understand what had happened on their network, Reuters detected the compromise quickly, and within 20 minutes the content had been fixed.
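The lure used against The Onion has two tells that can be checked mechanically before anyone clicks: the visible text names one site while the link goes to another, and the credential page lives on a host that merely contains a trusted name rather than being under the trusted domain. As an added example, not from the original post or from any of the organisations named, here is a first-pass check over an HTML email body. The email, the lure hosts and the list of trusted login domains are constructed for the example.

```python
# Added example (not from the original post): a first-pass check for phishing
# links in an HTML email, of the kind used against The Onion.  The email body and
# the list of trusted login domains are constructed/assumed, not real data.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains whose login pages staff are expected to use (assumption for the example).
TRUSTED_LOGIN_DOMAINS = ["google.com", "example.com"]

# Constructed sample: one lure dressed up as a news story, one fake Google login
# on a look-alike host, and one honest link.
SAMPLE_EMAIL = """
<p>Thought you would want to see this before it runs:</p>
<a href="http://wp-breaking.news-relay.invalid/story">
  https://www.washingtonpost.com/politics/lead-story</a><br>
<p>Your session has expired, please
<a href="https://accounts.google.com.login-verify.invalid/ServiceLogin">
  sign in to Google Apps</a> to continue.</p>
<p>Unrelated: <a href="https://www.reuters.com/article/1">https://www.reuters.com/</a></p>
"""

# A host name written in the visible text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:/|\b)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _same_site(host, domain):
    """True when host is domain itself or a subdomain of it (not merely contains it)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domains=TRUSTED_LOGIN_DOMAINS):
    """Return [(href, [reasons])] for links that look like lures."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        # 1. The visible text names a site, but the link goes somewhere else.
        m = HOST_IN_TEXT.search(text.lower())
        if m and not _same_site(host, m.group(1)):
            reasons.append(f"text shows {m.group(1)} but link goes to {host}")
        # 2. A trusted brand appears inside a host that is not under the
        #    trusted domain (accounts.google.com.login-verify... is not google.com).
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            if brand in host and not _same_site(host, domain):
                reasons.append(f"{host} imitates {domain}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   ", reason)
```

The second check is the one that catches the spoofed intranet login the text describes: a host is trusted only if it is the trusted domain or a subdomain of it, so a brand name anywhere else in the name is a warning rather than a comfort. This is a mail-gateway or user-education aid, not a substitute for two-factor authentication on the accounts themselves.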

RATs

External threats typically involve attacking the information infrastructure, and can be seen in the network traffic coming into the network. There is now a whole host of security products and devices which aim to protect the infrastructure against such attacks, but the preferred option for an intruder is to get past the external defences and set up a hook within the network, becoming, in effect, an insider threat.

Sometimes the threats are thus both internal and external. The Syrian Electronic Army (SEA) has focused on communications websites, such as Forbes and, possibly, CENTCOM, whereas the Syrian Malware Team (SMT) has been using a .NET-based RAT (Remote Access Trojan) called BlackWorm to gain a hook into the organisation. Once an intruder is within an organisation, the firewall has little effect on their operations. The SMT appears to be pro-Syrian government, using banners featuring Syrian President Bashar al-Assad.

Conclusions

Like it or not, we are moving to the point where we are increasingly dependent on the Internet, and it has not been constructed in a way which supports the defence mechanisms that national borders used to provide. The threats to our organisations and critical infrastructure increase by the day, and the tools available to adversaries are in the hands of anyone who wants them. At one time an attack on a nation state required considerable investment to build an army and acquire weapons. Now there is a zombie army on the Internet already waiting to be taken over, and the tools are available as source code, which can be easily changed and moved to places where it is difficult for law enforcement to get access to them.