Denial-of-Service in the Cyber Underground
Nov 09, 2022
Intel 471 recently explored how threat actors use cyber underground marketplaces and forums to aid their operations. These marketplaces and forums provide easy and affordable access to products, goods and services, which can cause financial and data losses to organizations and individuals. One of the popular categories bought, sold and used by threat actors, Denial-of-Service (DoS), inflicts limited damage on organizations. It does, however, cause many inconveniences for users, such as employees being unable to access networks and resources, and it affects customers' ability to access websites and purchase products.
What is a denial-of-service attack?
Most of us have experienced freeways where the traffic is at a complete standstill due to a major accident. With all cars and trucks completely stopped, no one is going anywhere. Moreover, vehicles attempting to enter the freeway can’t; they are effectively ‘denied’ access to the freeway lanes. DoS attacks are similar; they make websites and servers unavailable to legitimate users by overwhelming the target asset with a flood of traffic. A distributed denial-of-service (DDoS) attack occurs when multiple servers work together to attack a target server or website. A successful DDoS attack is highly effective, making it a popular weapon for threat actors and hacktivists alike.
Why do threat actors use denial-of-service attacks?
Threat actors and hacktivists have several motivations for using DDoS. The most prominent is to promote a political agenda. For many years, hacktivists have used DDoS attacks to express discontent towards government and private sector entities that oppose their political ideology. Industrial sabotage can also be a stimulus. In a 2017 study by Kaspersky Labs, 43% of respondents impacted by a DDoS attack assessed the culprit as a competitor.
DDoS attacks can also play a role in financially motivated cybercrime. For example, in recent years, DDoS attacks have been growing in ransomware operations. Ransomware-as-a-service (RaaS) groups have built upon previous double extortion models (leveraging data exfiltration alongside the encryption of victim’s networks) to incorporate DDoS attacks as part of a “triple extortion” methodology. RaaS operators can mount additional pressure on victims during negotiations to ensure that ransoms are paid by denying network access.
Types of denial-of-service offerings
Botnets-for-hire: A botnet is a collection of internet-connected devices that an attacker has compromised to carry out DDoS attacks. Criminal groups or individual threat actors who create botnets are increasingly making botnets available ‘for hire’ across the cyber underground. Botnet-for-hire offerings, which can effectively become DDoS-for-hire offerings, appeal to more experienced and technical threat actors.
Stressers: A stresser, or IP stresser, is a legitimate tool when used to test the resilience of a network or group of servers. However, a stresser can also be hosted online and sold as a product to conduct DDoS attacks. Most stresser tools also leverage botnets to conduct DDoS attacks. Still, they differ from botnet-for-hire services in that the user cannot access the botnet directly to control it and cannot use it for other criminal activities such as email spam campaigns and data theft. In addition, stressers typically offer a more comprehensive range of DDoS attack options than their botnet-for-hire counterparts. For example, one tool called Royal Stresser had a total of 84 different DDoS methods available to paying users.
Recent DDoS activity and impact
DDoS attacks occur every day, and most are just nuisances. But these attacks often have agendas and intended impacts on their targets. Here are a few examples stemming from the DDoS-for-hire world:
Hacktivism supporting the pro-Russia agenda: The KillNet group, perhaps the most prolific DDoS-for-hire group in 2022, initially posed as cybercrime hack-for-hire vendors. Subsequently, they focused on hacktivist activity supporting the Kremlin. Since then, they have aimed their actions at governments and businesses that support Ukraine, including conducting DDoS attacks against:
The websites of eight Polish airports, allegedly in response to Poland’s support of Ukraine.
Twelve entities in the Czech Republic across the aviation, banking, government, military and telecommunications sectors.
Nine Estonia-based entities in the government, military and telecommunications sectors, including the Estonia-Russia border crossing queue database.
Two separate attacks on Romanian organizations, impacting five entities across the aerospace and defense, banking, government and transportation sectors, and another allegedly impacted 13 airports, two news agencies and an oil and gas company. The group stated the attacks were in response to the Romanian government’s commitment to aid Ukraine.
Attacks on Japanese entities, including government, transportation and financial sectors.
Spawning other DDoS groups for hacktivism and profit: KillNet has created other DDoS groups, or "squads," on a regular basis, such as DDOSGUNG, Impulse, Mirai aka QBOTDDOS and Vera. The group claims to have developed and used its own DDoS botnet malware, which is available to rent through their Telegram channel. While Mirai was announced as a squad of KillNet, it also supports other pro-Russian hacktivists, including Anonymous Russia. Mirai attacked multiple entities starting in June 2022, including the Italian state police, the Romanian government, a Ukrainian banking application and the U.S. Department of Defense. These DDoS attacks helped advertise and prove their capabilities to other threat actors. Their DDoS attacks continued in Q3 2022.
Disruption to U.K. intelligence services sites: In September 2022, the pro-Russian hacktivist group Anonymous Russia claimed responsibility for DDoS attacks against the U.K.'s domestic Security Service, aka Military Intelligence, Section 5 (MI5). The perpetrators supported the claim with a screenshot of MI5's website being unavailable during the attack.
What can you do to prevent DDoS?
There are multiple ways to limit the effectiveness of DDoS attacks. Two methods to protect against most DDoS attacks are outlined below; however, the appropriate method may vary depending on whether the DDoS attack targets an application protocol or is a volumetric attack:
1) Use a Content Delivery Network (CDN): A CDN is a large cache of content stored across various servers in the cloud and accessed by clients. Clients will access the CDN server closest to them, decreasing page load times. A CDN also reduces the load placed upon the originating servers, thus reducing the likelihood of any single server becoming overwhelmed by a DDoS attack.
2) Implement rate limiting: Rate limiting caps how often a resource will accept new requests. Timeout mechanisms must also be implemented alongside rate limiting; otherwise, clients won't know when to stop making requests. When the connection times out, the client will assume the resource isn't available and move on to the next item on its list.
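As an added example (not code from the Intel 471 post), the rate-limiting step above as a per-client token-bucket limiter replayed over constructed sample traffic: each client may send a short burst, after which requests are accepted only at the refill rate, and a rejected request carries a back-off hint so a well-behaved client knows when to stop. The class, function names and sample addresses are assumptions; the client key must be the real client address (taken from the CDN's trusted forwarding header when a CDN sits in front), not a value the client can choose.

```python
import math
from collections import defaultdict, namedtuple

Decision = namedtuple("Decision", "allowed retry_after")


class TokenBucketLimiter:
    """Per-client token bucket: at most `burst` tokens, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate = float(rate)    # tokens (requests) added per second
        self.burst = float(burst)  # short burst a client may send before throttling
        self._buckets = {}         # client key -> (tokens, last_seen_timestamp)

    def check(self, client, now):
        """Return Decision(allowed, retry_after_seconds) for one request at time `now`."""
        tokens, last = self._buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last request
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return Decision(True, 0)
        self._buckets[client] = (tokens, now)
        # Rejected: tell the client how long to back off (e.g. HTTP 429 plus a
        # Retry-After header) so it stops retrying instead of compounding the flood.
        return Decision(False, math.ceil((1.0 - tokens) / self.rate))


# Constructed sample traffic (timestamp in seconds, client IP), time-ordered.
# 203.0.113.10 hammers the resource four times a second; 198.51.100.7 is a normal visitor.
SAMPLE_REQUESTS = sorted(
    [(0.25 * i, "203.0.113.10") for i in range(10)]
    + [(0.5, "198.51.100.7"), (4.0, "198.51.100.7"), (8.0, "198.51.100.7")]
)


def summarize(requests, rate=2.0, burst=3):
    """Replay requests through the limiter; return per-client allowed/rejected counts."""
    limiter = TokenBucketLimiter(rate, burst)
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, ip in requests:
        decision = limiter.check(ip, ts)
        stats[ip]["allowed" if decision.allowed else "rejected"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_REQUESTS).items():
        print(ip, counts)
```

With a burst of 3 and a refill of 2 per second, the flooding address gets 7 of its 10 requests through (the burst, then one per refill interval) while the normal visitor is never throttled.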
The future of DDoS-for-hire products
The cyber underground will almost certainly continue to provide a platform for users to buy and sell products, goods and services that enable DDoS attacks. It is a lucrative business, and the risks are minimal. But, as with other cybercriminal activities, law enforcement must step in to reduce the demand. Unfortunately, given the need for specialized skills to combat this wave of crime, there will continue to be incidents that slip through the net. As such, it is incumbent upon businesses to be aware of this threat and do what they can to limit the impact on their operations.