Here comes the Dutch Cyber Police … And It’s a Bad Day for Botnets

For some reason, the Netherlands is consistently among the top countries in the world as a source of DDoS and Web attacks:

But that could now take a hit, as the Dutch police have shut down a company which controlled IoT botnets and used them to run sustained DDoS attacks. The company is KV Solutions BV, which described itself as a hosting provider. Law enforcement, though, say that it hosted malware, crypto-mining and botnet command-and-control. KV Solutions BV is thought to have hosted over 20 different DDoS botnets, some of which were traced by Bad Packets LLC:

Typically the botnets are built from malware-infected IoT devices, such as CCTV cameras and wi-fi routers (including unpatched Netgear and Huawei routers). The most common infection was the Mirai malware and its variants (including Fbot and Hakai).

The Dutch police raided the offices of the company on 1 October 2019, and a message soon appeared on Facebook suggesting that customers might want to erase their data from its servers:

Two people, the owners of the company, Marco B. and Angelo K., have been arrested, and all the related domain names have been taken down. The company's public IP address range, 185.244.25.0/24, has also been blocked.

DDoS

Few companies know the Internet better than Akamai, and their State of the Internet publications give a regular pulse check of the current state of the Internet and its associated risks. Here is the talk:

We were lucky enough to feature in an Akamai State of the Internet publication for our TFTP Reflection Attack [here], and Akamai's reports are a must-read [here]. For DDoS, the report found, between Q4 2016 and Q4 2017:

  • A 14% increase in total DDoS attacks.
  • A 14% increase in infrastructure-layer (layers 3 & 4) attacks.
  • A 4% increase in reflection-based attacks.
  • A 22% increase in application-layer DDoS attacks.
  • A 115% increase in application-layer attacks.

The countries sourcing the most DDoS traffic have moved from the US and UK to Germany and China (which between them now source over half of all attacks):

The rather centralised Internet

The Internet was designed as a completely distributed system, where data could take multiple routes to reach a service. Unfortunately, the Internet we have actually built is fairly centralised: services typically have single endpoints, and there are choke points for traffic. In the following, Eve launches a distributed attack on a back-end Web server infrastructure, and so degrades Bob's quality of service when he tries to create a connection:

This means that a DDoS attack can often succeed either in bringing down the server infrastructure or in exhausting the bandwidth available for the traffic flows. For Bob, the Web site will either crash on him, or the quality of service will be so bad that he will leave and go elsewhere.

And so, knowing that companies will lose business through website crashes and poor quality of service, we have an increasing threat from DDoS-for-hire, where criminals can rent a tool for a given time and define its target. Normally the way that companies deal with this is to load balance at the main gateway into their infrastructure and then spin up new server instances. But this can be costly to implement, and can only be sustained for a relatively short time. The upstream pipe into the infrastructure can also become exhausted, which again reduces the quality of service.

Not all attacks are direct

And the attack doesn't have to focus on the back-end infrastructure. In October 2016, a string of major sites were taken offline through a botnet attack on their managed DNS provider, Dyn.

With this, the malware-infected botnet, largely made up of compromised CCTV cameras and DVRs, flooded the Dyn name servers with DNS look-ups, which stopped other users from resolving the IP addresses of Facebook, GitHub, Twitter, SaneBox, Reddit, Airbnb and Heroku. It worked because devices built on boards from XiongMai Technologies (XT) shipped with a default root password of "xc3511". The Mirai malware was then used to take over an army of over 500,000 devices. This network, a botnet, was then instructed to fire bogus domain name look-ups at the Dyn service:

Note that this was a direct flood rather than a reflection attack: the bots themselves sent the queries to Dyn, with no intermediary server in between. An earlier attack by the same malware on the KrebsOnSecurity site peaked at 620 Gbps. The opportunity for cybercriminals is thus to take control of the command and control (C&C) infrastructure and instruct the botnet to mount a sustained attack on a given site. Tracing the original source of the attack is almost impossible, as the attacking network is just a collection of compromised devices.

In their State of the Internet report, Akamai reported a 16% increase between Summer 2017 and Summer 2018, with 7,822 mitigated DDoS attacks. The record attack at the time of writing is a massive 1.35 Tbps. Much of the activity is still bot related, with compromised systems used to perform the attacks. For comparison, the TAT-14 cable connecting the US and Europe has a capacity of 3.2 Tbps.

Stressers and Operation Power Off

In many cases payment is in Bitcoin, which further covers the tracks of the adversary. The attack model works by distributing the attack agents across the world, so that it is difficult to throttle the traffic back simply by closing off routes into the targeted system or by blocking individual sources. On the one hand a company might use a "stresser" to test whether its infrastructure can cope with a heavy number of accesses, but on the other hand the same stresser can be used as an attack tool. Companies running DDoS operations will thus advertise their services as stresser services, but underneath they are really DDoS attack tools.
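The previous two sections make the same point from two sides: per-gateway load balancing has a short fuse, and distributed agents defeat controls that key on the source. The following simulation, added here as an illustration and not taken from the original post, makes that concrete. It runs a standard per-source token-bucket rate limit (the kind of per-IP rule a gateway or reverse proxy applies) over two constructed attack shapes in the same 10-second window: one attacker sending 100,000 requests, and 10,000 bots each sending 50. The rate (10 requests/s per source, burst 20), the bot addresses and the origin capacity of 1,000 requests/s are all assumptions chosen for the example.

```python
"""Why per-source rate limiting alone does not stop a distributed flood.

Added example, not from the original post. Traffic volumes, thresholds
and the origin capacity are constructed for illustration.
"""
from collections import defaultdict

ORIGIN_CAPACITY_RPS = 1000   # constructed: requests/s the back end can serve


class TokenBucket:
    """Classic token bucket: refills `rate` tokens/s, holds at most `capacity`."""

    def __init__(self, rate, capacity):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, never beyond capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per client address: what a gateway's per-IP request limit does."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def run(self, requests):
        """requests: (timestamp_s, source_ip) pairs in time order.
        Returns (passed, dropped) counts."""
        passed = dropped = 0
        for ts, src in requests:
            if self.buckets[src].allow(ts):
                passed += 1
            else:
                dropped += 1
        return passed, dropped


def single_source_flood(n, duration):
    """One attacker: n requests spread evenly over `duration` seconds."""
    return [(i * duration / n, "203.0.113.7") for i in range(n)]


def distributed_flood(n_bots, per_bot, duration):
    """n_bots infected devices, each sending only `per_bot` requests."""
    reqs = []
    for b in range(n_bots):
        src = f"100.64.{b // 256}.{b % 256}"  # constructed bot addresses
        reqs.extend((i * duration / per_bot, src) for i in range(per_bot))
    reqs.sort()
    return reqs


def compare(duration=10.0, per_source_rps=10, burst=20):
    """Same window, same per-source rule, two attack shapes."""
    single = PerSourceLimiter(per_source_rps, burst).run(
        single_source_flood(100_000, duration))
    distributed = PerSourceLimiter(per_source_rps, burst).run(
        distributed_flood(10_000, 50, duration))
    return {
        "single_passed": single[0],
        "single_dropped": single[1],
        "distributed_passed": distributed[0],
        "distributed_dropped": distributed[1],
        # Load that still reaches the origin, as a multiple of its capacity.
        "single_load_ratio": single[0] / duration / ORIGIN_CAPACITY_RPS,
        "distributed_load_ratio": distributed[0] / duration / ORIGIN_CAPACITY_RPS,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The single attacker is throttled to roughly 120 requests over the window, a tiny fraction of what the origin can serve. Each bot in the distributed flood stays at 5 requests/s, under the per-source limit, so every one of the 500,000 requests passes and the origin sees fifty times its capacity. Per-source limits are still worth having (they stop the lone abuser and cheap single-host floods), but the distributed case has to be handled in aggregate, upstream, which is where the cost the post describes comes from.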

And so, in April 2018, the Dutch National High Tech Crime Unit and the UK National Crime Agency targeted Webstresser.org in Operation Power Off. It is thought that the platform had over 136,000 registered users and had been involved in more than four million attacks. The site operated in the open and advertised itself as the most reliable IP Stresser/Booter:

Before its take-down, the Webstresser.org site advertised a stress test strength of 350 Gbps, and its subscription tiers ranged from Bronze to Platinum. For just $18.99 per month a user could get 1,200 seconds of "boot" time (20 minutes of attack), and the best package gave 7,200 seconds (2 hours). This time could be used over a single month and then renewed for the next. For $102, a user could even buy a 999-year membership (sold as a "lifetime" membership):

The site was responsible for several attacks against Dutch banks, and its infrastructure was spread across the Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada and Hong Kong. The administrators, though, were based in the UK, Croatia, Canada and Serbia.

So, on 25 April, the domain name was seized by the United States Department of Defense, Defense Criminal Investigative Service, Cyber Field Office, in a coordinated effort involving law enforcement agencies from The Netherlands, UK, Serbia, Croatia, Spain, Italy, Germany, Australia, Hong Kong, Canada and the USA, in cooperation with Europol:

Kaspersky Lab recently estimated that a cloud-based infrastructure of 1,000 machines would cost a cybercriminal around $7 per hour, and that they could charge $25 an hour for the attack, a profit of around $18 per hour. Such an infrastructure can be created in the cloud in minutes, used to run the attack, and then torn down when finished. By the time investigators try to trace the sources, the machines which caused the attack are often gone. A botnet of compromised IoT devices likewise leaves almost no trace back to the operator.

Are they successful?

While the providers of the attacks make their money in scripting and orchestrating them, cybercriminals will often use them for extortion. The victims, especially in areas which require high availability such as online gambling and gaming, are often willing to pay a ransom to stop the attack.

One of the most successful forms is the RDoS (Ransom Denial of Service) attack. These often start with a social media post or a letter announcing a forthcoming attack on a site unless a payment is made. To show their power, the attackers will often launch a short demonstration attack to prove that they are serious. In some cases the success rate of this can be greater than 95%. In 2017 the South Korean web hosting company Nayana paid a ransom of around $1 million, although in that case the extortion was through file-encrypting ransomware rather than DDoS. After such well-publicised payouts, others have tried to cash in with threats of an attack that never actually happens. A recent estimate is that around one in six organisations worldwide have received at least one of these ransom notes.

In 2014, a bitcoin extortion group called DD4BC emerged. This group targeted institutions around the world with threats of DDoS attacks if a ransom in bitcoin was not paid. Two core members of DD4BC were ultimately arrested in December 2015, but this did not stop the growth of ransom-based DDoS attacks.

In September 2015, a new group called the Armada Collective emerged, targeting banks, e-commerce and hosting services in Russia, Thailand, Switzerland and elsewhere. In November 2015, the Armada Collective launched one of its most notorious ransom campaigns, targeting several email service providers including ProtonMail, NeomailBox, VFEmail, HushMail, FastMail, Zoho and Runbox.

Armada Collective had a very specific pattern of blackmailing only a handful of victims at a time. They would send their target a letter demanding a ransom in bitcoin. To underscore the threat, the group would launch a sample attack of 15 to 30 minutes against the victim's network. If the ransom was not paid in the allotted time, the demand would increase and the target would face large-scale, persistent, multi-vector attacks.

It’s not just cybercriminals

Along with cybercriminals using it for extortion, DDoS has become the weapon of choice for hacktivists who bring down sites for political reasons.

In 2014, as a protest against the St. Louis County Police's involvement in the killing of unarmed teenager Michael Brown in Ferguson, Mo., a DDoS (Distributed Denial of Service) attack on the police Web site brought down their systems for several days. At the same time the attackers managed to hack into the St. Louis County Police network and gained access to dispatch tapes from the day of the shooting, which they then uploaded to YouTube.

Nation states, too, have been seen flexing their muscles with target-range tests. The first sign of cyber warfare is likely to be large-scale DDoS against a target country's infrastructure. Estonia, for example, whose infrastructure was disabled for several days in 2007 following a cyber attack, recently looked at moving copies of government data to the UK for protection. As most countries are now highly dependent on their Internet infrastructure, a DDoS against critical national infrastructure could cause the whole system to fall like a line of dominoes.

Where is DDoS coming from?

While firewalls can often filter TCP-based connections, attacks built on connection-less UDP services such as DNS and NTP remain the top vectors, as there is no handshake to validate and the traffic arrives from legitimate servers:

An example DNS reflection attack (as illustrated below): a malicious source (e.g. 2.3.4.5) sends a DNS server a look-up request for a domain name (such as "intel.com"), but forges the source address of the request to be the target's address (1.2.3.4), so that the DNS server sends its (much larger) response to the target rather than back to the attacker. With enough such requests, the target is swamped by DNS traffic it never asked for.
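To make the mechanics of the reflection attack above concrete, here is an added example (not code from the original post) that builds the pieces by hand with Python's struct module: an RFC 1035 query for "intel.com" of the kind the post describes, the IPv4/UDP framing around it with the victim's address 1.2.3.4 written in as the source, a constructed oversized response of the sort an "ANY" query used to provoke, and the resulting amplification factor. It finishes with the check a defender would actually run on flow records: DNS responses arriving at a host that never sent a matching query. The resolver address 192.0.2.53, the flow records and the response contents are all constructed; nothing is sent on the wire, so checksums are left at zero.

```python
"""DNS reflection: spoofed source + small query -> large response to the victim.

Added example, not from the original post. Resolver addresses, the
response record set and the flow records are constructed; nothing is
sent on the network.
"""
import socket
import struct

VICTIM = "1.2.3.4"        # target, written in as the spoofed source (from the post)
RESOLVER = "192.0.2.53"   # constructed open resolver (TEST-NET-1 address)


def encode_name(name):
    """RFC 1035 label encoding: 'intel.com' -> b'\\x05intel\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name, qtype=255, txid=0x1234):
    """Standard query, RD set, one question. qtype 255 = ANY, long the
    reflector's favourite because the answer carries every record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def build_udp_ip(src_ip, dst_ip, src_port, dst_port, payload):
    """IPv4 + UDP headers around `payload`. The reflector abuses one fact:
    `src_ip` is whatever the sender writes, and the reply goes there.
    Checksums are left at 0 because this packet is never transmitted."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def fake_any_response(query, txt_records):
    """Constructed response: echoes the question and appends one TXT record
    per entry. Real ANY answers (especially with DNSSEC) reach several kB
    from a query of a few dozen bytes."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode("ascii")   # one <character-string>
        # NAME = pointer to offset 12 (the question name), TYPE TXT=16, IN, TTL
        answers += struct.pack("!HHHIH", 0xC00C, 16, 1, 300, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


def unsolicited_responses(flows):
    """flows: (src_ip, src_port, dst_ip, dst_port) tuples from netflow/pcap.
    Any port-53 response with no matching outbound query is a reflection
    hitting (or at least being aimed at) the destination host. A real
    detector would also bound the time between query and reply."""
    expected = {(d, dp, s, sp) for (s, sp, d, dp) in flows if dp == 53}
    return [f for f in flows if f[1] == 53 and f not in expected]


def demo():
    query = build_dns_query("intel.com")
    packet = build_udp_ip(VICTIM, RESOLVER, 40000, 53, query)   # spoofed source
    response = fake_any_response(query, ["x" * 255] * 4)
    flows = [  # constructed border-router records at the victim's network
        ("10.0.0.5", 40001, RESOLVER, 53),     # legitimate query out ...
        (RESOLVER, 53, "10.0.0.5", 40001),     # ... and its matching reply
        (RESOLVER, 53, VICTIM, 40000),         # reflected: VICTIM sent no query
        ("192.0.2.54", 53, VICTIM, 40000),     # second reflector, same story
    ]
    return {
        "query_bytes": len(query),
        "packet_bytes": len(packet),
        "spoofed_src": socket.inet_ntoa(packet[12:16]),
        "response_bytes": len(response),
        "amplification": amplification_factor(query, response),
        "unsolicited": unsolicited_responses(flows),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing. The attacker's real address appears nowhere in the packet, which is why the post says the source is almost impossible to trace and why BCP 38 egress filtering at the attacker's ISP is the only place the spoof can be caught. And the victim's own logs show only well-formed answers from real resolvers, so blocking "bad" sources does not help; the unsolicited-response check is what tells a responder that the host is a reflection target rather than a noisy DNS client.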

The targets of DDoS are often in industries where a good quality of service is essential to the business. At the top of the target list are the companies which require the highest levels of availability: the gaming industry, ISPs and the finance industry:

While the US dropped down the list of DDoS sources in 2017, it very much led the way in Web application attacks, with the US, the Netherlands and China providing around half of all Web attacks:

And as targets, the US, Brazil and the UK are the most popular countries:

Conclusions

DDoS is a fairly easy crime to commit, and these arrests are just one step forward. There will be many other companies willing to take over the botnets for profit.