RDOS Attack On The NZX And Other High-profile New Zealand Sites

Over the past week the DDoS attacks on the NZX and other New Zealand

businesses have been the focus of our news stories. Many media organizations

have sought the opinions of “experts”, often from universities, who have provided

lots of speculation but very little information. As cybersecurity specialists

Darkscope is providing information that might help the media and the New

Zealand public better understand this situation.

DDoS (Distributed Denial of Service) attacks fell in volume year on year from 2016

to 2018 by jumped 84% in Q1 2019[1]. The new attacks lasted longer - typically more

than an hour - as they are more complex and include new attack vectors (see

below) which defeat the existing defensive systems typically deployed to reroute

and stop them. These attacks come with a ransom demand before being

deployed, hence RDoS (Ransom Denial of Service) attacks.

In 2019 the attacks targeted financial service organizations, payment,

entertainment and retail sectors around the world, including South America,

Africa, Northern Europe and parts of Asia. They are credited to the Russian cyber

espionage group “Fancy Bear”[2] who demanded a bitcoin ransom prior to the

attack being launched. This is their message:

“We are the Fancy Bear and we have chosen [Victim] as target for our next DDoS

attack. Please perform a google search for ‘Fancy Bear’ to have a look at some of

our previous work.” In the note, the attackers present a deadline after which a

major DDoS attack will occur if no payment is made. The ransom increases daily.

On sending their threat and as proof of their intentions and capabilities, the

attackers initiate a small half-hour attack ranging from 40 to 60 Gbps, on a

specifically chosen IP address belonging to the victim’s network.

One main difference with these attacks is that they are not aimed at the

organization’s homepage, but target areas in the corporate IT infrastructure which are often inadequately protected. These include original IP addresses and internal

servers. Because of this targeting, companies can be defenceless against the

attacks even if they have implemented DDoS protection, as we have seen with

NZX.

The attackers are using at least eight vectors to launch DDoS attacks and amplify

the disruption, including two relatively new ones, Web Service Dynamic Discovery

(WSD) and Apple’s Remote Management Service (ARMS). WSD as a DDOS attack

vector has only been known about since the beginning of 2019. General

awareness of its effect was not understood until Q3 2019 when details emerged

that the attackers had employed this new attack vector into their toolkit. When implemented these two vectors can amplify the intensity of the attack up to 35

times.

Other vectors include Simple Service Discovery Protocol (SSDP), Network Time

Protocol (NTP), Domain Name System (DNS), Lightweight Directory Access

Protocol (CLDAP), SYN and Internet Control Message Protocol (ICMP).

When all eight vectors are deployed together, the attack is very difficult to stop

even with the best defensive systems, as we have seen with the attacks on the

NZX.

It is unclear whether the attacks on the NZX, Stuff and Radio NZ sites are from

Fancy Bear. In fact, it is unlikely as these attacks do not match Fancy Bear’s

typical behaviour. To date, the attacked organisations and the GCSB are silent on whether ransoms have been demanded or paid.

Darkscope’s experience through daily monitoring millions of internet sites and

dark web activity is that these types of attack are often geographically clustered.

We see similar attacks occurring and recurring in one country before moving to

the next. What is clear is that this new form of attack is being targeted at New

Zealand organisations and we should expect this to continue for some time to

come.

[1] Kaspersky Labs report: “DDoS Attacks in Q1 2019” https://securelist.com/ddos-report-q1-2019/90792/

[2] Fancy Bear is also known as APT28 by Mandiant; Pawn Storm, Sofacy Group by Kaspersky; Sednit, Tsar Team by FireEye; and STRONTIUM (by Microsoft is a Russian cyber espionage group.

© Scoop Media