September 21, 2016 By Dave McMillen

The dust, waves and jubilation have settled on the sports festivities of this past summer. Since we’re in the business of cybersecurity, let’s reflect on one of the malicious activities that attempted to derail focus from this spirited event.

Going into the games, many analysts expected the event to be marred by cybercriminal activity spanning multiple types of network attack vectors. A reported attack by cybercrime group Anonymous seems to have confirmed those fears. Perhaps the most concerning part of this attack is the development of a custom tool that enables bad actors to conduct distributed denial-of-service (DDoS) attacks. Are targeted tools the next big concern for those in charge of securing high-profile, global events?

Anonymous Tip

The first phase of the DDoS attacks primarily focused on several targets within Brazil. According to HackRead, the targets included the official websites of the Brazilian federal government, the state government of Rio de Janeiro, the Ministry of Sports and others. The second phase emphasized the retrieval of financial data and login credentials belonging to organizations such as the Brazilian Confederation of Modern Pentathlon, Brazilian Handball Confederation, Brazilian Confederation of Boxing and Brazilian Triathlon Confederation.

According to research by IBM X-Force, Anonymous posted a spreadsheet of this information to its private Internet Relay Chat (IRC) channel, alongside hashed passwords corresponding to registered users of all these sites. Anonymous tweeted about its website takedown initiative and posted the results on its Facebook page.

Takedown Tools

In the old days, users within the Anonymous IRC channels used a tool called Low Orbit Ion Cannon (LOIC) to join coordinated DDoS attacks. LOIC connects to IRC in a way that lets channel operators control its activity remotely. Combined with a capability called hivemind mode, computers running LOIC behave as nodes of a large botnet. That’s how IRC channel operators were able to quickly take down targeted websites.

The LOIC tool’s unique capabilities also came with some interesting insights. For example, anyone could log in to an Anonymous Operations channel to see how many bots were in the hive. This allowed channel operators to tout the strength they had for a DDoS attack when they threatened a victim.

DDoS for Dummies

For their DDoS endeavors against the global sporting event, Anonymous operators took a different path. The group posted a link to another custom tool to its channel, which is part of the CyberGuerrilla IRC network, as well as on its Facebook and Twitter feeds. The tool is built on Python and runs on multiple Windows platforms.

To enable participants to join the attacks, Anonymous included instructions on how to anonymize end user connections while performing DDoS attacks against predefined targets. Users accessed the channel to look for any updates to the target list before joining the DDoS attacks.

Taking a deeper look at the tool, we found an executable file simply called ddos.exe, along with a library of compiled Python bytecode files that allow for speedy execution. We also found several batch files that simply contained the target IPs of the intended victims. Although the tool itself contains a hardcoded list of targets, the list could be altered with a simple edit of the batch files.
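A defender who obtains a package like the one described above usually wants two things quickly: an inventory of what is in it (native executable, compiled bytecode, plain-text batch files) and the list of target addresses so it can be checked against the organization's own address space. The script below is an added example written for this article, not X-Force's tooling or the tool's own files; the package contents, file names and IP addresses are constructed (RFC 5737 documentation ranges), and the `.pyc` check is a heuristic based on the CPython magic number ending in `\r\n`.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed stand-in for a recovered tool package: path -> raw bytes.
# Addresses are from RFC 5737 documentation ranges, not real targets.
SAMPLE_PACKAGE: Dict[str, bytes] = {
    "ddos.exe": b"MZ" + b"\x00" * 62,                  # PE files begin with "MZ"
    "lib/attack.pyc": b"\x03\xf3\r\n" + b"\x00" * 12,  # CPython .pyc magic ends in \r\n
    "lib/readme.txt": b"not bytecode",
    "targets_gov.bat": b"rem target list\r\n203.0.113.10\r\n203.0.113.11\r\n",
    "targets_sport.bat": b"rem target list\r\n198.51.100.7\r\n999.1.1.1\r\n",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_pyc(data: bytes) -> bool:
    """Heuristic: every CPython .pyc starts with a 4-byte magic whose last two bytes are \\r\\n."""
    return len(data) >= 4 and data[2:4] == b"\r\n"


def extract_ips(text: bytes) -> List[str]:
    """Pull syntactically valid IPv4 addresses out of a text file, dropping junk like 999.1.1.1."""
    found: List[str] = []
    for candidate in IPV4_RE.findall(text.decode("latin-1")):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            continue  # matched the regex but is not a real address
    return found


def triage_package(package: Dict[str, bytes]) -> Dict[str, object]:
    """Classify each file and collect the per-batch-file target lists."""
    report: Dict[str, object] = {"executables": [], "bytecode": [], "batch_targets": {}}
    for name, data in package.items():
        if data.startswith(b"MZ"):
            report["executables"].append(name)
        elif is_pyc(data):
            report["bytecode"].append(name)
        elif name.lower().endswith(".bat"):
            report["batch_targets"][name] = extract_ips(data)
    return report


def all_targets(report: Dict[str, object]) -> Set[str]:
    """Flatten the batch-file target lists into one set of addresses."""
    return {ip for ips in report["batch_targets"].values() for ip in ips}


def targets_in_our_ranges(targets: Set[str], our_ranges: List[str]) -> List[str]:
    """Return the targets that fall inside the organization's own prefixes (the ranges are an assumption)."""
    nets = [ipaddress.ip_network(r) for r in our_ranges]
    return sorted(ip for ip in targets if any(ipaddress.ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    rep = triage_package(SAMPLE_PACKAGE)
    print("executables:", rep["executables"])
    print("bytecode:", rep["bytecode"])
    print("targets in our space:", targets_in_our_ranges(all_targets(rep), ["203.0.113.0/24"]))
```

The point of keeping the batch-file parsing separate from the classification is that the target list is the part most likely to change between versions of the package (the article notes it could be altered with a simple edit), so it is the part worth re-running whenever a new copy turns up.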

Figure 1. Example contents of tool package (Source: IBM X-Force)

Once a target is selected and the attack is initiated, the tool spawns 9,000 individual attack instances and continues the DDoS until the participating Anonymous end user issues a “stop all” command. This tool also has built-in Tor capability. Unlike LOIC, Anonymous’ tool doesn’t report the volume of simultaneous attackers, making it impossible to tell how large the attack base is at any given time.

DDoS Mitigation

Anonymous includes a warning in all its public communications and threats: “Expect Us.” Since Anonymous is capable of significant, large-scale attacks, threats from its operations center should be taken seriously. However, your DDoS mitigation strategy should be an ongoing activity, not based around one particular campaign.

Organizations can proactively defend against DDoS attacks by staying on top of software updates and patches, implementing intrusion prevention systems (IPS), ensuring proper configuration of firewalls and access control lists, installing managed security solutions to stop DDoS traffic in its tracks and establishing a cohesive incident response plan.
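Of the controls listed above, the one most teams can act on with what they already have is the web-server access log: a per-source sliding-window request counter separates a flooding client from a busy but legitimate one and produces the access control list entries the paragraph mentions. The script below is an added example, not from the article or from IBM; the log format, the 10-second window, the threshold of 50 requests and the ACL syntax are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Apache/nginx style combined-log line; the exact format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Return (source_ip, timestamp) for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines: List[str], window_seconds: int = 10, threshold: int = 50) -> Dict[str, int]:
    """Sliding-window request counter per source IP.

    Returns {ip: peak requests seen in any window_seconds window} for every
    source whose peak exceeds the threshold. Lines are expected in
    chronological order, as a log file normally is.
    """
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash mid-incident
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        # drop timestamps that have fallen out of the trailing window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return {ip: n for ip, n in peaks.items() if n > threshold}


def acl_entries(flooders: Dict[str, int]) -> List[str]:
    """Render candidate deny rules in a generic router ACL syntax (an assumption)."""
    return [f"deny ip host {ip} any" for ip in sorted(flooders)]


def build_sample_log() -> List[str]:
    """Constructed log: one flooding source, one busy-but-legitimate source, one idle source."""
    base = datetime(2016, 9, 21, 10, 0, 0, tzinfo=timezone.utc)
    events: List[Tuple[datetime, str, str]] = []
    events += [(base + timedelta(seconds=0.05 * i), "203.0.113.66", "/") for i in range(120)]
    events += [(base + timedelta(seconds=0.3 * i), "198.51.100.20", "/news") for i in range(30)]
    events += [(base + timedelta(seconds=12 * i), "192.0.2.9", "/about") for i in range(5)]
    events.sort()
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
        for ts, ip, path in events
    ]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for rule in acl_entries(find_flooders(SAMPLE_LOG)):
        print(rule)
```

The window and threshold should be tuned against a baseline of normal traffic before the rules are pushed anywhere automatically; the busy-but-legitimate source in the sample (30 requests in under 10 seconds) is exactly the kind of client a threshold set too low would cut off.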

Test your protection and your team’s response capabilities by simulating DDoS attacks via stress tests. Regular attack simulations allow companies to measure reaction and protection levels within a controlled environment, understand the capacity of their resources and prepare a speedy recovery from an attempted takedown.

Read the complete IBM research paper: Extortion by distributed denial of service attack
