
Recently in Web Security Category

DD4BC: Operation Update and FAQ

DD4BC, the group behind several Bitcoin extortion campaigns last year, continues to expand its attacks against Akamai customers. Akamai's PLXsert and CSIRT teams are still investigating attack activity linked to the group.

In recent weeks, the frequency with which customers receive ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to tell victims that it will launch a DDoS attack of 400-500 Gbps against them. To date, no DD4BC campaign mitigated by Akamai has exceeded 50 Gbps, up from the high of 15-20 Gbps observed in early May. (A full history of the group's exploits and firepower can be found in this advisory from April.)


Below are the most commonly asked questions we've received from customers, along with some answers.

What is new since the last update?

The group's observed firepower is now up to 50 Gbps. In addition to the DDoS attack itself, they now threaten to expose the targeted organization on social media. The goal is to embarrass the target publicly, harming the company's reputation and drawing attention that lends the threatened service disruption more credibility. Their methodology has also changed: they use multi-vector campaigns more readily, in some instances revisit previous targets that showed some level of impact during the initial event, and have been observed adding a Layer 7 (application-layer) attack to the multi-vector mix.

As a professional marketer, you may find it a little ironic how often you're frustrated when people you care about are influenced by marketing in ways that can't possibly be good for them. Everybody knows that marketers do nothing but lie all day, or "spin" as they call it. And as far as the profession goes, there's probably some truth to that. But there are plenty of marketers out there with a good deal of integrity, and few things are more frustrating than watching people fall for marketing "spin".

OpenSSL Vulnerability (CVE-2015-1793)

Akamai is aware of the OpenSSL vulnerability (CVE-2015-1793) fixed in OpenSSL 1.0.2d and 1.0.1p, released on Thursday, July 9, 2015. Akamai does not use the affected versions of OpenSSL and is therefore not affected.

The OpenSSL team advisory outlines the vulnerability and fixes. The advisory states:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue impacts any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

The vulnerability was reported to OpenSSL on 24 June 2015 by Adam Langley and David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project and released by OpenSSL on 9 July 2015.

Though Akamai is not affected, if you run OpenSSL in your origin infrastructure we recommend that your security team review the advisory and upgrade or otherwise remediate as necessary. Note that only builds carrying the alternative-chain code are exposed: 1.0.1n and 1.0.1o (upgrade to 1.0.1p) and 1.0.2b and 1.0.2c (upgrade to 1.0.2d); the 1.0.0 and 0.9.8 branches and earlier 1.0.1/1.0.2 releases do not contain this bug.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject. You may also contact your Akamai Representative, or call Customer Care at 1.877.4.AKATEC or 1.617.444.4699.

RIPv1 Reflection DDoS Making a Comeback

Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be largely abandoned. This attack vector, which abuses the outdated RIPv1 routing protocol, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, described later, apparently make use of only a small number of the available RIPv1 source devices.

RIPv1 was first introduced in 1988 in RFC 1058, which RFC 1923 (1996) moved to Historic status. The Historic designation means the protocol is formally deprecated. One main reason is that RIPv1 supports only classful networks: it carries no subnet mask, so a subnet in class A address space such as 10.1.2.0/24 is advertised across a major-network boundary as 10.0.0.0/8. This, among other things, limits the usefulness of RIPv1 even for internal networks, let alone the Internet.
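To make the reflection mechanics concrete, the following is an added example (not PLXsert code) that builds the 24-byte RIPv1 request which asks a router for its whole table, encodes the RESPONSE datagrams a router answers with, computes the bandwidth amplification, shows the classful summarization described above, and gives a simple predicate for spotting RESPONSE datagrams from UDP/520 arriving at a host that runs no RIP. The route table is constructed sample data and nothing is sent on the network.

```python
"""RIPv1 (RFC 1058) datagrams: request, response, amplification and classful summarization.
Added example, not Akamai/PLXsert code.  Layout: 4-byte header (command, version, zero)
then 20-byte route entries (AFI, zero, IPv4 address, 8 zero bytes, metric), at most 25
per datagram, carried over UDP port 520.  All route data below is constructed."""
import socket
import struct

RIP_PORT = 520
CMD_REQUEST, CMD_RESPONSE = 1, 2
METRIC_INFINITY = 16                 # "unreachable"; in a request it means "send everything"
HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s8sI")    # AFI, zero, address, zero padding, metric
MAX_ENTRIES = 25                     # 4 + 25 * 20 = 504 bytes, the largest RIP datagram


def full_table_request():
    """RFC 1058 s.3.4.1: a single entry with AFI 0 and metric 16 requests the entire table.
    This 24-byte datagram, sent with the victim's address as the spoofed source, is the
    reflection trigger."""
    return HEADER.pack(CMD_REQUEST, 1, 0) + ENTRY.pack(0, 0, bytes(4), bytes(8), METRIC_INFINITY)


def build_response(routes):
    """Encode (address, metric) pairs as RESPONSE datagrams, 25 entries per datagram."""
    packets = []
    for i in range(0, len(routes), MAX_ENTRIES):
        body = b"".join(ENTRY.pack(2, 0, socket.inet_aton(addr), bytes(8), metric)
                        for addr, metric in routes[i:i + MAX_ENTRIES])
        packets.append(HEADER.pack(CMD_RESPONSE, 1, 0) + body)
    return packets


def parse(datagram):
    """Return (command, version, [(address, metric), ...]); reject odd-sized datagrams."""
    if len(datagram) < HEADER.size or (len(datagram) - HEADER.size) % ENTRY.size:
        raise ValueError("malformed RIP datagram of %d bytes" % len(datagram))
    cmd, ver, _ = HEADER.unpack_from(datagram)
    routes = [(socket.inet_ntoa(addr), metric)
              for _afi, _zero, addr, _pad, metric in ENTRY.iter_unpack(datagram[HEADER.size:])]
    return cmd, ver, routes


def amplification(request, responses):
    """Bytes the reflector emits per byte the attacker sends."""
    return sum(len(r) for r in responses) / len(request)


def classful_summary(ip):
    """RIPv1 carries no mask, so across a major-network boundary a subnet is advertised
    as its classful network: first octet < 128 -> /8, < 192 -> /16, otherwise /24."""
    octets = ip.split(".")
    first = int(octets[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    kept = prefix // 8
    return ".".join(octets[:kept] + ["0"] * (4 - kept)) + "/%d" % prefix


def is_rip_response_from_520(src_port, payload):
    """Candidate reflected traffic: a RIPv1 RESPONSE from UDP/520 arriving at a host that
    never asked and runs no RIP.  Non-RIP payloads on that port are not flagged."""
    try:
        cmd, ver, _ = parse(payload)
    except ValueError:
        return False
    return src_port == RIP_PORT and cmd == CMD_RESPONSE and ver == 1


if __name__ == "__main__":
    req = full_table_request()
    table = [("10.%d.0.0" % i, 1) for i in range(30)]          # constructed 30-route table
    pkts = build_response(table)
    print("request %d bytes, %d response datagrams, %.1fx amplification"
          % (len(req), len(pkts), amplification(req, pkts)))
    print("10.1.2.0/24 is advertised as", classful_summary("10.1.2.0"))
```

A router with a full 25-entry table turns the 24-byte request into a 504-byte datagram, roughly 21x; routers with larger tables answer with several datagrams, so the multiplier grows with table size, which is why a small number of devices with big tables is enough for a campaign. The practical defenses are filtering inbound UDP/520 at the edge and disabling RIPv1, or confining it to internal interfaces, on anything that still speaks it.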

Akamai is aware of two recently disclosed vulnerabilities in OpenSSL that can be exploited to perform denial-of-service attacks against any system that processes public keys, certificate requests, or certificates: CVE-2015-1788, an infinite loop triggered by malformed elliptic-curve parameters, and CVE-2015-1789, an out-of-bounds read while parsing certificate time fields.

Both are covered by the OpenSSL security advisory of June 2015, which shipped the fixes in OpenSSL 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg. CVE-2015-1788 was discovered by Joseph Barr-Pixton and fixed by Andy Polyakov of the OpenSSL development team; CVE-2015-1789 was discovered independently by Robert Swiecki and Hanno Böck and fixed by Emilia Käsper of the OpenSSL development team.
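Because the two June fixes (1.0.1n, 1.0.2b) are exactly the releases that introduced the alternative-chain bug covered in the CVE-2015-1793 post above, an origin fleet can be exposed to one issue or the other depending on which build it runs. The following added example (not Akamai or OpenSSL code) parses `openssl version` output and reports which of the three advisories apply; the affected ranges come from the OpenSSL advisories, the hostnames and inventory are constructed, and the one caveat a practitioner must keep in mind is that vendor builds backport fixes without changing the upstream version string.

```python
"""Triage helper for the June and July 2015 OpenSSL advisories.
Added example, not Akamai or OpenSSL project code.  Affected ranges, half-open
[first vulnerable, first fixed), are taken from the OpenSSL security advisories:
  * CVE-2015-1788 and CVE-2015-1789: fixed in 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg
  * CVE-2015-1793: present only in 1.0.1n/1.0.1o and 1.0.2b/1.0.2c, fixed in 1.0.1p and 1.0.2d
Caveat: vendor builds (Debian, RHEL, ...) backport fixes without changing the upstream
version string, so a hit here means "check the package changelog", not "vulnerable"."""
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

AFFECTED = {
    "CVE-2015-1788": [("0.9.8", "0.9.8zg"), ("1.0.0", "1.0.0s"), ("1.0.1", "1.0.1n"), ("1.0.2", "1.0.2b")],
    "CVE-2015-1789": [("0.9.8", "0.9.8zg"), ("1.0.0", "1.0.0s"), ("1.0.1", "1.0.1n"), ("1.0.2", "1.0.2b")],
    "CVE-2015-1793": [("1.0.1n", "1.0.1p"), ("1.0.2b", "1.0.2d")],
}


def parse_version(text):
    """Map '1.0.1n', 'OpenSSL 1.0.2d 9 Jul 2015' or '1.0.1e-fips' to a sortable tuple.
    The letter suffix orders '' < 'a' < ... < 'z' < 'za' < 'zb', matching how OpenSSL
    numbered 0.9.8 releases beyond 'z' (0.9.8za ... 0.9.8zh)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def affected(version_text):
    """CVE identifiers whose upstream-affected range contains this version string."""
    v = parse_version(version_text)
    return {cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)}


def triage(inventory):
    """inventory maps host -> `openssl version` output; returns only hosts needing a look."""
    result = {}
    for host, version_text in inventory.items():
        cves = affected(version_text)
        if cves:
            result[host] = sorted(cves)
    return result


# Constructed sample inventory; the hostnames are not real systems.
SAMPLE_INVENTORY = {
    "origin-web-01": "OpenSSL 1.0.1o 12 Jun 2015",        # alt-chain bug: upgrade to 1.0.1p
    "origin-web-02": "OpenSSL 1.0.1p 9 Jul 2015",         # current
    "legacy-api":    "OpenSSL 0.9.8y 5 Feb 2013",         # predates the June fixes
    "rhel-box":      "OpenSSL 1.0.1e-fips 11 Feb 2013",   # vendor build: verify via package changelog
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print("%-14s %s" % (host, ", ".join(cves)))
```

Run against a real inventory, treat every hit on a distribution-packaged build as a prompt to read the package changelog or the vendor's errata, since a Red Hat or Debian 1.0.1e can carry all three fixes while still reporting 1.0.1e.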

In Akamai's most recent SOTI (State of the Internet) Security Report (Download the Q1 2015 report here), two areas of research focused on the most frequent attack types by target industry, and DDoS attack distribution between Q1 2014 and the same period a year later.


Since the report's release, we've delved deeper into the data and came up with two charts showing a more granular view based on Fig. 1-4 and 1-7 within that report.

By Richard Willey, Senior Program Manager - Adversarial Resilience


Akamai maintains a database of the attacks it has observed. The ongoing analysis of that database is published each quarter in Akamai's State of the Internet Security Report. (Download the Q1 2015 report here.) But even after a report is released, researchers continue to dig deeper into the data and provide updates.


To that end, this article describes an exploratory data analysis of attacks captured by the scrubbing centers of Akamai's Prolexic (PLX) Routed and Proxy DDoS mitigation services between Q1 2013 and Q1 2015.


Akamai, Trustwave Form Strategic Alliance


Akamai has announced a new strategic alliance with Trustwave, designed to help businesses more effectively fight myriad threats through vulnerability assessment, denial-of-service prevention and incident response.
 
From the press release:

"Through this partnership, Akamai and Trustwave plan to make available to their respective customers select technology solutions and security services from each company's portfolio. The strategic relationship is intended to allow both companies to provide a broader set of cyber security protections to meet a wide range of customer requirements in a constantly changing cyber security threat landscape."

In a new bulletin released this morning, Akamai researchers outlined a threat in which malicious actors use vulnerabilities in third-party plug-ins to target the large websites that utilize them. Such exploits require little technical skill and are highly effective.

Instead of targeting a high-traffic website directly, attackers simply target the third-party advertising company, content network or provider used by the site.

High-profile sites are common targets, and their security posture is tougher than the average site's. But they also embed content from third-party providers whose security is less than ideal. Those who run a major website put a lot of effort into fortifying the front entrance, while the third-party content they load is like an open window at the back of the building.

Akamai CSIRT Manager Mike Kun described the problem in this podcast recently.
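One control that closes the "open window" for static third-party assets is to pin each script to the content that was reviewed, which is what the HTML `integrity` attribute (Subresource Integrity) does. The following added example (not from Akamai's bulletin) computes the pin, emits the tag, and checks a served copy against it; the script bodies and URL are constructed stand-ins for a file an ad network or content provider would serve.

```python
"""Pin a third-party script to its reviewed content with a Subresource Integrity hash.
Added example, not from Akamai's bulletin.  The script bodies are constructed stand-ins
for a file served by an ad network or content provider."""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the only algorithms SRI recognizes


def sri_hash(body, algorithm="sha384"):
    """'<alg>-<base64 digest>', the value that goes in the integrity attribute."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI does not support %s" % algorithm)
    digest = hashlib.new(algorithm, body).digest()
    return "%s-%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def verify_integrity(body, integrity):
    """True if the body matches any recognized token in a space-separated integrity value.
    Tokens with unknown algorithms are ignored, as a browser would ignore them."""
    ok = False
    for token in integrity.split():
        algorithm, _, _digest = token.partition("-")
        if algorithm not in SRI_ALGORITHMS:
            continue
        expected = sri_hash(body, algorithm)
        # compare_digest avoids leaking which prefix of the digest matched
        ok |= hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))
    return ok


def script_tag(src, body):
    """Emit the tag with the pin; crossorigin is required for SRI on cross-origin resources."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (src, sri_hash(body))


# Constructed: the provider's file as reviewed, and a copy altered after the fact.
# A single-character change is enough for the pin to reject the file.
REVIEWED_SCRIPT = b"(function(){document.getElementById('ad-slot').textContent='sponsored';})();\n"
TAMPERED_SCRIPT = REVIEWED_SCRIPT.replace(b"sponsored", b"Sponsored")

if __name__ == "__main__":
    pin = sri_hash(REVIEWED_SCRIPT)
    print(script_tag("https://ads.example/tag.js", REVIEWED_SCRIPT))
    print("reviewed copy accepted:", verify_integrity(REVIEWED_SCRIPT, pin))
    print("tampered copy accepted:", verify_integrity(TAMPERED_SCRIPT, pin))
```

The pin covers only the bytes of the pinned file: a third-party tag that fetches further scripts at run time is not protected by the outer hash, and the pin must be re-issued whenever the provider legitimately ships a new version, so it suits versioned static assets rather than ad tags that change per request. For those, the remaining controls are vetting the provider and reviewing what the provider's code is allowed to do on the page.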

In recent years we have seen an increase in distributed attacks against web applications. By using many attacking sources against the same destination, attackers obscure their identity while boosting attack bandwidth, presenting a greater challenge to defenders. Most distributed attacks use either volumetric methods such as Distributed Denial of Service (DDoS) or brute-force and "low and slow" techniques against web applications.