A roundup of attack activity, attack vectors and the actors behind them, based on PLXsert/CSIRT advisories issued in recent weeks:
DD4BC: Operation Update and FAQ
DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.
RIPv1 Reflection DDoS Making a Comeback
Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be mostly abandoned. This attack vector, which abuses the outdated RIPv1 routing protocol, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, as described later, apparently make use of only a small number of the available RIPv1 source devices.
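A defender-side check for the pattern described above, written as an added example rather than code from Akamai or the advisory: RIP answers on UDP/520 (the standard RIP port, an assumption not stated on the page) arriving at a host that never sent a RIP query, from a small set of reflectors. The flow-record layout and the sample records are constructed for the example.

```python
from collections import defaultdict

RIP_PORT = 520  # standard RIP listen/response port (assumption, not on the page)

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# A full RIPv1 response is 504 bytes (4-byte header + 25 x 20-byte entries),
# so each reflector below is sending maximum-size replies to the victim.
SAMPLE_FLOWS = [
    ("198.51.100.7", 520, "203.0.113.10", 33434, 4200, 4200 * 504),
    ("198.51.100.8", 520, "203.0.113.10", 33434, 3900, 3900 * 504),
    ("198.51.100.9", 520, "203.0.113.10", 33434, 4100, 4100 * 504),
    ("192.0.2.5", 520, "192.0.2.6", 520, 12, 624),          # legitimate router-to-router RIP
    ("198.51.100.20", 443, "203.0.113.10", 51000, 100, 60000),  # unrelated HTTPS traffic
]


def rip_reflection_candidates(flows, min_pkts=1000, min_reflectors=2):
    """Flag targets receiving RIP responses (src port 520) on a non-RIP port.

    A host that speaks RIP exchanges traffic on 520/520; a response from port
    520 to an arbitrary high port means the 'request' was spoofed in the
    target's name. Returns per-target stats for targets that exceed the
    packet threshold and are hit by at least min_reflectors distinct sources.
    """
    per_target = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, pkts, byts in flows:
        if sport != RIP_PORT or dport == RIP_PORT:
            continue
        entry = per_target[dst]
        entry["reflectors"].add(src)
        entry["packets"] += pkts
        entry["bytes"] += byts
    return {
        dst: {"reflectors": sorted(v["reflectors"]),
              "packets": v["packets"], "bytes": v["bytes"]}
        for dst, v in per_target.items()
        if v["packets"] >= min_pkts and len(v["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    for target, stats in rip_reflection_candidates(SAMPLE_FLOWS).items():
        print(target, len(stats["reflectors"]), "reflectors,",
              stats["packets"], "pkts,", stats["bytes"], "bytes")
```

The reflector list is what a NOC would hand to upstream providers or feed into an edge ACL; networks that do not run RIP can simply drop inbound UDP with source port 520.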
SOTI Security Series: Magnified View of DDoS Attack Types and Industry Verticals
In Akamai's most recent SOTI (State of the Internet) Security Report (the Q1 2015 report), two areas of research focused on the most frequent attack types by target industry and on the distribution of DDoS attacks between Q1 2014 and the same period a year later. Since the report's release, we have delved deeper into the data and produced two charts that give a more granular view based on Fig. 1-4 and 1-7 of that report. The first graph highlights each attack vector within the DDoS realm and lists the percentage breakdown of the most commonly used attacks against a given industry.
Security Bulletin: Third-Party Plugins Ripe for Attack
In a new bulletin released this morning, Akamai researchers outlined a threat in which malicious actors use vulnerabilities in third-party plug-ins to target the large websites that rely on them. Such exploits require little technical skill and are highly effective: instead of targeting a high-traffic website directly, attackers simply target the third-party advertising company, content network or provider used by the site.
CSIRT Advisory: Mass Website Defacements
Akamai has seen multiple media reports in which a group claims to have hacked hundreds or thousands of sites in a single night. The intent is to instill a sense of widespread unease in the casual observer. When we look a little closer, we see that there may be more to it. One can rightly assume that many of these defacements were carried out with some form of automation. But if we look even closer, we see something else interesting about the attacks.
DDoS Agents Target Joomla, Other SaaS Apps
A new attack threatens enterprises and Software-as-a-Service (SaaS) providers: malicious actors are using Joomla servers with a vulnerable Google Maps plugin installed as a platform from which to launch DDoS assaults. The attack technique was discovered by researchers from Akamai's Prolexic Security Engineering & Research Team (PLXsert), working alongside PhishLabs' Research, Analysis, and Intelligence Division (R.A.I.D).