The dust, waves and jubilation have settled on the sports festivities of this past summer. Since we’re in the business of cybersecurity, let’s reflect on one of the malicious activities that attempted to derail focus from this spirited event.
Going into the games, many analysts expected the event to be marred by cybercriminal activity spanning multiple types of network attack vectors. A reported attack by cybercrime group Anonymous seems to have confirmed those fears. Perhaps the most concerning part of this attack is the development of a custom tool that enables bad actors to conduct distributed denial-of-service (DDoS) attacks. Are targeted tools the next big concern for those in charge of securing high-profile, global events?
The first phase of the DDoS attacks primarily focused on several targets within Brazil. According to HackRead, the targets included the official websites of the Brazilian federal government, the state government of Rio de Janeiro, the Ministry of Sports and others. The second phase emphasized the retrieval of financial data and login credentials belonging to organizations such as the Brazilian Confederation of Modern Pentathlon, Brazilian Handball Confederation, Brazilian Confederation of Boxing and Brazilian Triathlon Confederation.
According to research by IBM X-Force, Anonymous posted a spreadsheet of this information to its private Internet Relay Chat (IRC) channel, alongside hashed passwords corresponding to registered users of all these sites. Anonymous tweeted about its website takedown initiative and posted the results on its Facebook page.
In the old days, users within the anonymous IRC channels had to use a tool called Low Orbit Ion Cannon (LOIC) to join coordinated DDoS attacks. The LOIC tool is connected to IRC in a way that enables remote control of its activity. Along with a capability called hivemind mode, computers equipped with LOIC can behave as part of a large botnet. That’s how IRC channel operators were able to quickly take down targeted websites.
The LOIC tool’s unique capabilities also came with some interesting insights. For example, anyone could login to an Anonymous Operations channel to see how many bots were in the hive. This allowed channel operators to tout the level of strength they had for a DDoS attack when they threatened a victim.
DDoS for Dummies
For their DDoS endeavors against the global sporting event, Anonymous operators took a different path. The group posted a link to another custom tool to its channel, which is part of the CyberGuerrilla IRC network, as well as on its Facebook and Twitter feeds. The tool runs on multiple Windows platforms backboned by Python.
To enable participants to join the attacks, Anonymous included instructions on how to anonymize end user connections while performing DDoS attacks against predefined targets. Users accessed the channel to look for any updates to the target list before joining the DDoS attacks.
Taking a deeper look at the tool, we found an executable file simply called ddos.exe, along with a library of Python-compiled bytecode files that allow for speedy execution. We also found several batch files that simply contained the target IPs of the intended victims. Although the tool itself contains a hardcoded list of targets, the list could be altered with a simple edit of the batch files.
Figure 1. Example contents of tool package (Source: IBM X-Force)
Once a target is selected and the attack is initiated, the tool spawns 9,000 individual attack instances and continues the DDoS until the participating Anonymous end user issues a “stop all” command. This tool also has built-in Tor capability. Unlike LOIC, Anonymous’ tool doesn’t report the volume of simultaneous attackers, making it impossible to tell how large the attack base is at any given time.
Anonymous includes a warning in all its public communications and threats: “Expect Us.” Since Anonymous is capable of significant, large-scale attacks, threats from its operations center should be taken seriously. However, your DDoS mitigation strategy should be an ongoing activity, not based around one particular campaign.
Organizations can proactively defend against DDoS attacks by staying on top of software updates and patches, implementing intrusion prevention systems (IPS), ensuring proper configuration of firewalls and access control lists, installing managed security solutions to stop DDoS traffic in its tracks and establishing a cohesive incident response plan.
Test your protection and your team’s response capabilities by simulating DDoS attacks via stress tests. Regular attack simulations allow companies to measure reaction and protection levels within a controlled environment, understand the capacity of their resources and prepare a speedy recovery from an attempted takedown.
Read the complete IBM research paper: Extortion by distributed denial of service attack