Air Strikes Syria

Air Strikes in Syria likely to result in Russian retaliation

Target: UK/USA/France

Attack Vector: Hack & Data Leaks/Phishing/DDoS/Website Defacement

Threat Actor: Russian & Iranian APT actors

Summary: On the morning of Saturday 14th April 2018, the US, UK and France launched a number of air and missile strikes against suspected Syrian chemical weapon production sites at Mayssaf near the city of Homs, and Barzeh on the outskirts of Damascus. It is reported that the strikes were successful, resulting in no fatalities and only a handful of minor injuries. They were launched in response to the 7th April chemical weapons incident in Douma, Eastern Ghouta, which Western politicians have laid at the door of the Assad regime. Prime Minister Theresa May also stated that UK support for the action was partly a consequence of the alleged Novichok attack on Sergei Skripal on 4th March 2018 in Salisbury. Despite the limited nature of Western action, Russia has reacted angrily and has vowed that there will be as yet unspecified consequences.

Risk assessment summary: It continues to be assessed that Russian state-sponsored actors and allied groups present a 2a HIGH threat to a number of sectors including health, telecoms, government, defence, energy and finance. Organisations outside these sectors may also be targeted or become “collateral damage” in any campaign of service disruptive attacks.

Recent reconnaissance activity by Russian actors is entirely consistent with earlier threat intelligence reporting, which suggested that the ongoing crisis that began with the Skripal poisoning would directly affect the cyber threat environment.

Rhetoric from senior Russian officials such as Foreign Minister Sergei Lavrov, who have promised retaliation, should not be dismissed as idle threats. Whilst direct military conflict between Russia, the UK and the US has been avoided for the time being, the situation remains highly tense, and Moscow may consider cyber-attacks one way of responding to the Syrian air strikes without risking further military escalation. There is also a strong possibility that non-state actors such as hacktivist groups or “patriotic hackers” will become active in response to the situation, which will complicate attribution.

System administrators are therefore advised to remain highly vigilant over the short to medium term and to be aware that DDoS, website defacement, and hacks and data leaks may be a growing threat in addition to ongoing APT activity. Monitoring of the threat environment will continue in order to identify further actionable intelligence.

Memcached DDoS

1. Risk Assessment

Risk Rating: 2c

Impact: High

Likelihood: Likely

This threat is currently assessed as 2c HIGH. A new DDoS amplification vector has been identified that abuses memcached servers with UDP port 11211 exposed to the internet. The impact to businesses is considered HIGH in most cases, and any organisation running a poorly configured memcached server is additionally exposed as an unwitting reflector for attacks on others. The vector has been seen in the wild over the past week and is therefore deemed an active threat. The likelihood should be considered LIKELY, particularly given the extensive media reporting of the attacks and the considerable amplification that can be achieved.

2. Technical Analysis

Over the past week, we observed a number of DDoS attacks using the latest amplification and reflection method, which abuses memcached. Memcached, which listens on port 11211 (TCP and, where enabled, UDP), is an open source distributed memory object caching system designed to speed up dynamic web applications by holding objects and data in memory and so reducing database load. Much as web content is cached within an ISP network so that further requests for the same content can be served locally, memcached caches objects and strings for a web application to reduce its dependence on external database and API calls. However, memcached has very poor security out of the box: it performs no authentication by default, and versions prior to 1.5.6 listen on UDP as well as TCP by default. The UDP protocol is trivially abusable for reflection, since the server will answer any datagram carrying a valid 8-byte header and an ASCII command, and the ‘stats’ command alone returns hundreds of bytes. In addition, attackers can ‘prime’ the server by first inserting their own large key/value pairs (over TCP) and then requesting that data as part of the attack from a UDP source address spoofed to be the address of the intended target, so that the responses from open memcached servers are directed at the DDoS target.

What makes memcached such an effective DDoS vector is its extremely large amplification factor. All amplification attacks rely on a UDP-based service that returns a large response to a small query. For example, DNS may be abused by sending a small query (such as an ANY query via ‘dig’) for a domain whose zone returns a large response containing many A/MX/NS/PTR/TXT records, and open NTP servers that still honour the ‘monlist’ command return a list of up to 600 of the most recent addresses that have interacted with the server. The attacker’s aim is to elicit as large a response as possible to a query sent with a spoofed source IP address. The amplification factor is the ratio of the size of the response to the size of the request.

Approximate amplification factors for common reflection vectors:

  •  SSDP 30x
  •  DNS 54x
  •  NTP 500x
  •  Memcached 10,000 to 51,000x

This means that a 15 byte request may result in a response of around 750 kB. The maximum size of any single object in the cache is 1 MB by default, so a primed key can return the full 1 MB (split across many datagrams) in response to a request of a few dozen bytes. Because of the large amplification factor, an attacker needs only a relatively small number of open servers to generate a very large attack. It is estimated that there are currently around 80,000 to 90,000 open memcached servers on the internet.
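To make the UDP protocol details above concrete, the following Python is an added example written for this bulletin (it is not code from the original report or from the memcached project). It builds the 15-byte ‘stats’ probe with memcached’s 8-byte UDP header, measures the amplification factor of whatever comes back, and, for servers you operate, reads ‘stats settings’ over TCP to flag the two settings that make a server usable as a reflector. The sample response in the test, the default target of 127.0.0.1 and the finding wording are assumptions for illustration; only probe hosts you are authorised to test.

```python
"""Added example: memcached UDP framing, amplification measurement and an
exposure self-check. Not part of the original bulletin or of memcached."""
import socket
import struct
import sys

MEMCACHED_PORT = 11211
# memcached UDP header: request id, sequence number, total datagrams, reserved (0)
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_frame(command, request_id=0, seq=0, total=1):
    """Prepend memcached's 8-byte UDP header to an ASCII protocol command."""
    return UDP_HEADER.pack(request_id, seq, total, 0) + command


def parse_udp_frame(datagram):
    """Split a memcached UDP datagram into (request_id, seq, total, payload).

    Large responses (e.g. a primed 1 MB value) arrive as many datagrams sharing a
    request id with increasing sequence numbers; callers reassemble on those.
    """
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, reserved = UDP_HEADER.unpack(datagram[:UDP_HEADER.size])
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("malformed memcached UDP header")
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def amplification_factor(request, responses):
    """Bytes returned per byte sent: total response size over request size."""
    return sum(len(r) for r in responses) / len(request)


def parse_stats(text):
    """Turn 'STAT name value' lines (from 'stats' / 'stats settings') into a dict."""
    stats = {}
    for line in text.decode("ascii", errors="replace").splitlines():
        if line.strip() == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats


def exposure_findings(settings):
    """Flag 'stats settings' values that make a server usable as a reflector."""
    findings = []
    udpport = settings.get("udpport", "0")
    if udpport != "0":
        findings.append("UDP listener enabled (udpport=%s); start with -U 0" % udpport)
    inter = settings.get("inter", "NULL")  # memcached reports NULL when no -l was given
    if inter in ("NULL", "0.0.0.0", "::"):
        findings.append("bound to all interfaces (inter=%s); bind with -l to loopback "
                        "or an internal address" % inter)
    return findings


def probe_udp(host, timeout=2.0):
    """Send the 15-byte 'stats' probe over UDP and gather every datagram sent back."""
    request = build_udp_frame(b"stats\r\n")
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, MEMCACHED_PORT))
        try:
            while True:  # keep reading until the server goes quiet
                data, _ = sock.recvfrom(65535)
                responses.append(data)
        except socket.timeout:
            pass
    return request, responses


def check_settings_tcp(host, timeout=2.0):
    """Fetch 'stats settings' over TCP and return exposure findings for that server."""
    with socket.create_connection((host, MEMCACHED_PORT), timeout=timeout) as sock:
        sock.sendall(b"stats settings\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return exposure_findings(parse_stats(buf))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: a host you run
    request, responses = probe_udp(target)
    if responses:
        print("UDP 11211 answers: %d datagram(s), amplification factor %.0fx"
              % (len(responses), amplification_factor(request, responses)))
    else:
        print("no UDP response from %s (UDP disabled, filtered, or host down)" % target)
    for finding in check_settings_tcp(target):
        print("finding:", finding)
```

Run it against a memcached host you own; a server that answers the UDP probe at all is a reflector regardless of the measured factor, since the attacker controls the size of the primed value, not you.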

Attacks using this vector have only been reported within the last few days. Cloudflare and Akamai have both published reports, the latter describing an attack against one of its customers that reached 1.3 Tbps, and today a 1.7 Tbps attack against an unnamed ‘US service provider’ has been published.

3. Additional Analysis

There is currently little intelligence that identifies or indicates the origin of these attacks, neither are there any reports of any adversary or collective claiming responsibility specifically for memcached attributed activity.

Social media is often the preferred medium for claiming responsibility by those purporting to carry out attacks; this is a very common tactic with hacktivists, who use it to promote their own motivations and ideologies. There are, as yet, no claims of responsibility for either the 1.3 Tbps or the 1.7 Tbps attack. This could indicate that the actor(s) behind the attacks have realised the potential value of the capability and are keeping quiet in order to carry out further attacks before it is disrupted.

Another reason for the absence of claims may be that the attacks were aimed at gaming servers, with significant collateral impact on others. DDoS attacks by gamers against other gamers are a common tactic, and the existence of DDoS-for-hire services makes it very easy for them to obtain the necessary tools.

The extensive media coverage of this new vector, focusing on the 1.3 Tbps and 1.7 Tbps attacks, is likely to raise interest among the many actors and groups involved in DDoS and hacktivist activity. This could lead, if it has not already, to DDoS-for-hire services incorporating the vector into their offerings, which extends the capability to lower-skilled actors. The more actors and groups gain access to such services, the higher the risk that the vector will be used against numerous businesses across multiple industries worldwide. Akamai has already seen a noticeable increase in active scanning for open memcached servers since the news broke several days ago.

Imperva also reported on 1 March 2018 that it had observed two massive DDoS amplification attacks on 28 February, the same day as the 1.3 Tbps attack. These were targeted against a cryptocurrency exchange and e-commerce websites.

4. Recommendations

General recommendations for overall DDoS protection:

An organisation can help to protect itself in the event of a DDoS incident by considering the following recommendations:

  •  Use a third party DDoS mitigation tool or service.
  •  Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be involved to ensure the best level of protection and mitigation.
  •  Review current DDoS mitigation tools to assess whether they remain fit for purpose against attacks of this scale.
  •  Ensure your network has been hardened as a target, with non-essential services removed from internet-facing addresses.

Specific technical recommendations for this attack vector are as follows:

  •  To reduce the impact of reflected UDP/11211 traffic, implement one of the following at your network edge (or ask your service provider to do so):

o Rate limiting of traffic from UDP source port 11211

o Access Control Lists dropping traffic from UDP source port 11211 wherever memcached is not legitimately used across that boundary

  •  Other approaches, such as deploying BGP Flowspec at the edge to block this traffic to the target address, may be considered, but there is a significant delay in deploying this option as it is a manual process.

  •  Ensure that no memcached server you operate can be reached from the internet. Memcached performs no authentication by default, so bind it to localhost or an internal interface only (the -l option), disable the UDP listener (the -U 0 option; memcached 1.5.6 and later disable UDP by default), and block TCP and UDP port 11211 inbound at the host and at the network perimeter. A server that answers the ‘stats’ command from the internet is a reflector regardless of what it caches.

  •  Deploy source address validation (BCP 38) on your own network so that it cannot be used to originate the spoofed packets on which every reflection attack depends.


OpSpain New Phase To Commence 1st March 2018

Target: Spanish organisations

Attack Vector: DDoS/Defacement/Hack & Data Leak

Summary: Following the arrest by Spanish authorities of the hacktivist Xelijomuo in relation to #OpCatalunya-linked activity, a number of @Anonymous-affiliated actors and groups have announced their intention to retaliate against Spanish-linked organisations from 1st March 2018.

Risk assessment summary: It is currently assessed that #OpSpain and affiliated operations present a 3b MODERATE threat to Spanish-linked entities. Although hacktivists have released a target list, it is likely to expand as the operations develop, and it should be anticipated that this threat will extend into the medium term.

Although @Anonymous have announced 1st March 2018 as the start date, activity against Spanish targets appears to have already commenced, and it should be assumed that #OpSpain is now in an active phase. The operation comes at a time of increasing hacktivist activity, and the currently active hacktivists appear capable and credible. Although social media activity is relatively muted at present, the arrest of one of their own is almost certain to drive the wider @Anonymous collective to become involved.

Attacks are likely to be a mixture of DDoS, website defacement, and hacks and data leaks. Stakeholders are recommended to increase awareness, ensure that all DDoS mitigation measures are in place and all patches and updates have been applied, and remind system users to remain vigilant for phishing attempts. Customer-facing websites should also be closely monitored for signs of defacement. Monitoring of the threat environment will continue in order to identify further actionable intelligence.