A group of extortionists claiming to be the Russian APT group Fancy Bear launched a ransom denial of service (RDoS) campaign against numerous industry sectors earlier this month, demanding a payment of 2 Bitcoin to stop bombarding victims with amplified traffic.
In all likelihood, the attackers are not truly members of a Russian intelligence agency’s elite hacking unit, but rather are using the Fancy Bear moniker to instill fear. Still, they do have genuine DDoS capabilities, according to a pair of reports on the campaign, from Radware and Link11.
“The group carrying out the recent wave of RDoS attacks under the name Fancy Bear are currently launching large scale, multi-vector demo DDoS attacks when sending victims the ransom note,” warns an alert from Radware’s Emergency Response Team (ERT).
The two reports different in their descriptions of the campaign’s victims. According to Radware, the attacks have targeted financial service organizations around the world, including South America, Africa, Northern Europe and parts of Asia. Link11 meanwhile, has reported that companies in the payment, entertainment and retail sectors have been victimized.
“We are the Fancy Bear and we have chosen [Victim] as target for our next DDoS attack,” the ransom note states. “Please perform a google search for ‘Fancy Bear’ to have a look at some of our previous work.”
In the note, the attackers present a deadline at which time a major DDoS attack will occur if no payment is made. For each day there is no response, the price goes up one additional bitcoin. As of Oct. 28, 2 Bitcoin equals roughly $18,880 U.S.
As proof of their intentions and capabilities, the attackers, upon sending their threat, initiate a small half-hour attack ranging from 40 to 60 Gbps, on a specifically chosen IP address belonging to the victim’s network.
“A notable feature of these attacks is that they are not aimed at the target organization’s homepage, but at areas in the corporate IT infrastructure which are often inadequately protected,” states the report from the Link11 Security Operation Center (LSOC). “These include, for example, original IP addresses and original servers. Even if companies have implemented DDoS protection, they can be defenseless against the attacks.”
“LSOC advises all companies to check whether their existing DDoS protection covers subdomains and their Origin infrastructure in addition to the domain name,” continues the report. Furthermore, the IP address of their original server should not be accessible directly from the Internet. It is recommended that a Site Shield is implemented for this purpose.”
Only a Site Shield prevents direct access to the company’s Origin infrastructure and protects the origin of websites and applications from overload by DDoS attacks. “
The attackers are using at least eight vectors to launch DDoS attacks and amplify the disruption, including two relatively new ones, Web Service Dynamic Discovery (WSD) and Apple’s Remote Management Service (ARMS).
According to Radware, WSD as a DDOS attack vector “has been known since the beginning of the year,” but no one publicly spoke about it until the third quarter when details began to slowly emerge that bot herders had employed a new attack vector into their amplification toolkit.” ARMS, meanwhile, can provide an amplification factor of 35.5 to 1, the Radware report continues.
Other vectors include Simple Service Discovery Protocol (SSDP), Network Time Protocol (NTP), Domain Name System (DNS), Lightweight Directory Access Protocol (CLDAP), SYN and Internet Control Message Protocol (ICMP).
Both companies have expressed doubt that the attackers are actually Fancy Bear. Radware notes that “RDoS attacks are not the modus operandi for Fancy Bears’ to date,” while Link11 notes that the culprits behind this campaign “have little in common with the Russian hacker group.”
In fact, researchers from both companies have reported that the DDoS campaign is strikingly similar to a previous one launched in the 2016-17 time period.