Echoes of Cyberwarfare

Hacktivist Groups carry out DDoS Attacks against Infrastructure

Since the past year, the Ukraine-Russia conflict has played out in cyberspace as well as on the ground. While some hacktivists took a more practical approach, including GhostSec’s ICS attacks, the attacks tended towards defacement and DDoS campaigns. Hacktivists used defacement manifestos and disruptive DDoS attacks as mediums for their message. Cyble Research and Intelligence Labs (CRIL) has recently covered a similar attack on Bahrain and Israel.

Since January, the hacktivist group ‘Anonymous Sudan’ has initiated several DDoS campaigns against Sweden, Germany, Denmark, and the Netherlands in response to Quran burnings by far-right extremist groups. Additionally, Anonymous Sudan targeted prominent US websites pledging support for Killnet’s previous support for Anonymous Sudan. These included Paypal, Twitter, the CIA, Microsoft, and American Express.

Other groups that recently participated in the DDoS campaigns include Mysterious Team Bangladesh, Killnet, Killmilk, Passion Botnet, Infinity Hackers, Anonymous Russia, and Mysterious Team Bangladesh.
These groups are generally active on Telegram and appear to be affiliated, coordinating their attacks for maximum damage, as seen below:

Figure 1 – Threat Actors claim responsibility for hospital DDoS attack

Killnet, in particular, adamantly attacked the Medical sector, along with US government entities. The groups document their attacks using services like check-host. The hacktivists’ weapon of choice is botnets (also known as stressors or booters), a swarm of devices infected with malware that can carry out phishing, DDoS, and other attacks. Typically, these include insecure IoT devices and machines running unpatched software, which phone home to the attacker’s C&C (Command and Control) servers. These botnets boast the ability to bypass Cloudflare and similar cloud protection services.

Figure 2 – Another DDoS for hire boasting Cloudflare bypass

Currently, several open-source tools and websites exist that exploit misconfigured DNS (Domain Name Server) records to identify a website’s true IP behind the protective CDN, such as crt.sh, Crimeflare, and Cloudmare.

Akamai researchers have identified Killnet’s modus operandi as a two-stage attack:

Stage 1 – Flooding the site with HTTP traffic (Layer 7 attack on websites or APIs), which can bypass CAPTCHA verification of protection services

Stage 2 – A DNS amplification attack, where UDP packets are spoofed with the victim’s IP and sent to DNS resolvers. The DNS resolvers then forward the queries to the website, which causes a deluge of traffic followed by Denial of Service.

Apart from Killnet and the aforementioned groups, CRIL has observed an enterprising threat actor offered a tiered plan, starting at 30 days of five-minute attacks at $30 and ending with a “business pro plan” that costs $150 for 30 days of 25-minute attacks.

Other Threat Actors have found a lucrative business in selling Botnets-As-A-Service, as seen below.

Botnet and DDoS attacks will likely increase in 2023, with a clear dependence on political factors and global events.

Mitigation

Though DDoS attacks are difficult to predict and mitigate, the following measures can be taken:

ISPs can implement ingress filtering and prevent UDP-based amplification attacks by dropping packets with spoofed addresses,
Utilizing a WAF (Web Application Firewall) or DDoS (Distributed Denial of Service) protection service,
Ensuring that production servers are only accessible through VPN
Ensuring that DNS servers do not reveal real IPs behind the protection service,
Redirecting all traffic to go through the WAF,
Rate-limiting traffic, such as simultaneous SYN attacks by hosts which initiate a connection but never complete it, should receive a timeout past a certain period,
Geo-blocking IP ranges that legitimate users would not have,
Considering high-availability designs in development, such as utilizing a CDN or backup servers,
Ensuring site data is backed up.