The Akamai Blog

DD4BC Operation Profile [Medium Risk]

Update: In an earlier version of this bulletin, we discussed how malicious actors were exploiting Google services as part of their operations. Some have misconstrued it as Google backing a botnet. To be clear, Google has no part in this activity, and certainly does not condone such activity.

DD4BC, a malicious group responsible for several Bitcoin extortion campaigns last year, is expanding its extortion and distributed denial of service (DDoS) campaigns to target a wider array of business sectors. In recent days, two Akamai customers have fallen into its crosshairs.

Akamai's Prolexic Security Engineering and Research Team (PLXsert) has conducted new research into DD4BC in recent weeks.

DD4BC appears to use Google IP address ranges, and in some cases AppEngine instances, in its attacks. It appears to use common UDP reflection DDoS attack techniques, as well as SYN floods that spoof Google crawler IP addresses, to mask the malicious traffic.

In one threat, DD4BC claimed it had the firepower to launch 400+ Gbps DDoS attacks, though there is no concrete proof it could carry out an assault of that size.

Late last year, the group repeatedly tried to blackmail Bitcoin exchanges and gaming sites - threatening victims with DDoS attacks in order to extort bitcoins.

Campaigns typically consisted of an email informing the victim that a low-level DDoS attack was underway against the victim's website. Emails explained that the DDoS activity could be observed in server logs at low levels in order to not interrupt the victim's operations. Following this explanation, DD4BC demanded a ransom paid in bitcoins in return for protecting the site from a larger DDoS attack capable of taking down the website.

What You Need to Know

  • DD4BC is responsible for several extortion campaigns that threaten DDoS attacks.
  • Earlier attacks focused on businesses that would avoid reporting the attacks to law enforcement.
  • Recent attacks have expanded to target legal enterprises.
  • The group is aware when would-be victims change their IP addresses to defend themselves.
  • The group's objective is to obtain bitcoins.
  • Threatening emails warn the victim that a site is vulnerable to a DDoS attack and offer to provide information on setting up better DDoS protection in exchange for a bitcoin payment.
  • DD4BC is likely using publicly available tools to launch attacks.
  • The IP addresses of some attack sources have been publicized and are included in the PLXsert bulletin.
  • The attack vectors have included NTP flood, CHARGEN and SSDP flood DDoS attacks; sample payloads are provided in the PLXsert bulletin.
  • Some of the affected business sectors are hosting, domain name services (DNS), email services, high-tech consulting and services, and Software-as-a-Service enterprises.
  • The attacks are likely to expand to other verticals, particularly those susceptible to financial loss due to downtime.
  • PLXsert predicts this type of activity will increase due to copycats.
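The two traffic patterns the advisory attributes to DD4BC (UDP reflection via NTP, CHARGEN and SSDP, and SYN floods sourced from addresses that look like Google crawlers) can both be picked out of flow records on the defender's side. The following is an added example, not code from the advisory or from Akamai: it tags UDP flows by the well-known source port of the reflector service and flags TCP sources whose flows never progress past SYN. The flow records are constructed, using documentation address ranges rather than any real attacker or Google addresses, and the field layout and the 1,000-packet threshold are assumptions for the sake of the example.

```python
"""Classify constructed flow records by DD4BC-style reflection vector and
flag SYN-only (half-open) sources. Example code, not Akamai's tooling."""
from collections import Counter

# Source ports of the UDP reflection services named in the advisory.
REFLECTION_PORTS = {123: "NTP", 19: "CHARGEN", 1900: "SSDP"}

# Constructed sample flow records (not taken from the advisory).
# Fields: proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, packets
# tcp_flags is the OR of flags seen over the flow's life, as in NetFlow:
# a flow that only ever carried SYN is recorded as "S".
SAMPLE_FLOWS = [
    ("udp", "203.0.113.10", 123,   "198.51.100.5", 40211, "",     4800),
    ("udp", "203.0.113.11", 19,    "198.51.100.5", 40212, "",     9100),
    ("udp", "203.0.113.12", 1900,  "198.51.100.5", 40213, "",     2300),
    ("udp", "203.0.113.13", 443,   "198.51.100.5", 40214, "",     12),   # ordinary UDP, not a reflector
    # 192.0.2.0/24 stands in for a "crawler-looking" source; constructed.
    ("tcp", "192.0.2.44",   51000, "198.51.100.5", 80,    "S",    6000),  # SYN only, never completed
    ("tcp", "192.0.2.44",   51001, "198.51.100.5", 80,    "S",    5500),
    ("tcp", "192.0.2.45",   51002, "198.51.100.5", 80,    "SAPF", 40),    # full handshake, real client
    ("tcp", "192.0.2.45",   51003, "198.51.100.5", 80,    "S",    3),     # one stray retry, benign
]


def reflection_vector(flow):
    """Name the reflection vector for a UDP flow sourced from a known
    amplifier port; return None for anything else."""
    proto, _, src_port, *_ = flow
    if proto == "udp":
        return REFLECTION_PORTS.get(src_port)
    return None


def summarize_reflection(flows):
    """Total packets per reflection vector, e.g. {"NTP": 4800, ...}."""
    totals = Counter()
    for flow in flows:
        vector = reflection_vector(flow)
        if vector:
            totals[vector] += flow[6]
    return dict(totals)


def half_open_syn_sources(flows, min_packets=1000):
    """Map src_ip -> SYN-only packet count for sources that sent at least
    min_packets packets in flows that never progressed past SYN.
    A genuine crawler completes handshakes, so a source address that
    only ever appears in SYN-only flows is either spoofed or flooding,
    whichever IP range it claims to come from."""
    syn_only = Counter()
    for proto, src_ip, _, _, _, flags, packets in flows:
        if proto == "tcp" and set(flags) == {"S"}:
            syn_only[src_ip] += packets
    return {ip: n for ip, n in syn_only.items() if n >= min_packets}


if __name__ == "__main__":
    print("reflection packets by vector:", summarize_reflection(SAMPLE_FLOWS))
    print("half-open SYN sources:", half_open_syn_sources(SAMPLE_FLOWS))
```

The design point is that the SYN-flood check keys on behaviour (flows that never leave the SYN state) rather than on source address. Because the advisory reports the floods spoofing Google crawler addresses, any allowlist that exempts crawler IP ranges from SYN rate limiting would exempt exactly this traffic; the handshake-based rule applies the same way to every source. On the UDP side, the source port alone is a reliable first cut for reflection, since a victim that never sent NTP, CHARGEN or SSDP requests has no reason to receive large volumes of replies from those ports.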

Download the full advisory here.