A cryptocurrency platform was recently on the receiving end of one of the biggest distributed denial of service attacks ever recorded, after threat actors bombarded it with 15.3 million requests, the content-delivery network Cloudflare said.
DDoS attacks can be measured in several ways, including by the volume of data, the number of packets, or the number of requests sent each second. The current records are 3.4 terabits per second for volumetric DDoS’s—which attempt to consume all bandwidth available to the target—and 809 million packets per second, and 17.2 million requests per second. The latter two records measure the power of application-layer attacks, which attempt to exhaust the computing resources of a target’s infrastructure.
Cloudflare’s recent DDoS mitigation peaked at 15.3 million requests per second. While short of the record, the attack may have been more powerful, because it was delivered through HTTPS requests rather than the HTTP requests used in the record. Because HTTPS requests are much more compute-intensive, this new attack had the potential to put much more strain on the target.
The resources required to deliver the HTTPS request flood were also greater, indicating that DDoSers are growing increasingly powerful. Cloudflare said that the botnet responsible, comprising about 6,000 bots, has delivered payloads as high as 10 million requests per second. The attack originated from 112 countries, with about 15 percent of the firepower from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.
“Within those countries, the attack originated from over 1,300 different networks,” Cloudflare researchers Omer Yoachimik and Julien Desgats wrote. They said that the flood of traffic mainly came from data centers, as DDoSers move away from residential network ISPs to cloud computing ISPs. Top data center networks involved included the German provider Hetzner Online (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), and OVH in France (ASN 16276). Other sources included home and small office routers.
“In this case, the attacker was using compromised servers on cloud hosting providers, some of which appear to be running Java-based applications. This is notable because of the recent discovery of a vulnerability (CVE-2022-21449) that can be used for authentication bypass in a wide range of Java-based applications,” Patrick Donahue, Cloudflare’s VP of product, wrote in an email. “We also saw a significant number of MikroTik routers used in the attack, likely exploiting the same vulnerability that the Meris botnet did.”
The attack lasted about 15 seconds. Cloudflare mitigated it using systems in its network of data centers that automatically detect traffic spikes and quickly filter out the sources. Cloudflare didn’t identify the target except to say that it operated a crypto launchpad, a platform used to help fund decentralized finance projects.
The numbers underscore the arms race between attackers and defenders as each attempts to outdo the other. It won’t be surprising if a new record is set in the coming months.
This story originally appeared on Ars Technica.
More Great WIRED Stories
Malware designed to target industrial control systems like power grids, factories, water utilities, and oil refineries represents a rare species of digital badness. So when the United States government warns of a piece of code built to target not just one of those industries, but potentially all of them, critical infrastructure owners worldwide should take notice.
On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.
“This is the most expansive industrial control system attack tool that anyone has ever documented,” says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of pieces to it.”
Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. He notes that while the toolkit, which Dragos calls “Pipedream,” appears to specifically target Schneider Electric and OMRON PLCs, it does so by exploiting underlying software in those PLCs known as Codesys, which is used far more broadly across hundreds of other types of PLCs. This means that the malware could easily be adapted to work in almost any industrial environment. “This toolset is so big that it’s basically a free-for-all,” Caltagirone says. “There’s enough in here for everyone to worry about.”
The CISA advisory refers to an unnamed “APT actor” that developed the malware toolkit, using the common acronym APT to mean advanced persistent threat, a term for state-sponsored hacker groups. It’s far from clear where the government agencies found the malware, or which country’s hackers created it—though the timing of the advisory follows warnings from the Biden administration about the Russian government making preparatory moves to carry out disruptive cyberattacks in the midst of its invasion of Ukraine.
Dragos also declined to comment on the malware’s origin. But Caltagirone says it doesn’t appear to have been actually used against a victim—or at least, it hasn’t yet triggered actual physical effects on a victim’s industrial control systems. “We have high confidence it hasn’t been deployed yet for disruptive or destructive effects,” says Caltagirone.
More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station’s circuit breakers and turn off the lights to a fraction of Ukraine’s capital. That unprecedented specimen of industrial control system malware has never been seen again—until now: In the midst of Russia’s brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.
On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia’s GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia’s most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.
ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review today, stated that power had been temporarily switched off to nine electrical substations.
Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine’s deputy minister of energy.
“The hack attempt did not affect the provision of electricity at the power company. It was promptly detected and mitigated,” says Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, known as the State Services for Special Communication and Information Protection (SSSCIP). “But the intended disruption was huge.” Asked about the earlier report that seemed to describe an attack that was at least partially successful, Zhora described it as a “preliminary report” and stood by his and CERT-UA’s most recent public statements.
According to CERT-UA, hackers penetrated the target electric utility in February, or possibly earlier—exactly how isn’t yet clear—but only sought to deploy the new version of Industroyer on Friday. The hackers also deployed multiple forms of “wiper” malware designed to destroy data on computers within the utility, including wiper software that targets Linux and Solaris-based systems, as well as more common Windows wipers, and also a piece of code known as CaddyWiper that had been found inside of Ukrainian banks in recent weeks. CERT-UA claimed Tuesday that it was also able to catch this wiper malware before it could be used. “We were very lucky to be able to respond in a timely manner to this cyberattack,” Zhora told reporters in a press briefing Tuesday.
Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities.
Over the past two months, President Joe Biden’s executive branch has taken more actions to deter and even temporarily disarm Russia’s most dangerous hackers than perhaps any previous administration in such a short space of time. US countermeasures have ranged from publicly pinning the blame for distributed denial of service attacks targeting Ukrainian banks on Russia’s GRU military intelligence agency to unsealing two indictments against the members of notorious Russian state hacker groups to undertaking a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hacked machines. Earlier this week, NSA and Cyber Command director general Paul Nakasone also told Congress that Cyber Command had sent “hunt forward” teams of US cybersecurity personnel to Eastern Europe to seek out and eliminate network vulnerabilities that hackers could exploit in both Ukraine and the networks of other allies.
Together, it adds up to “a concerted, coordinated campaign to use all of the levers of national power against an adversary,” says J. Michael Daniel, who served as the cybersecurity coordinator in the Obama White House, advising the president on policy responses to all manner of state-sponsored hacking threats. “They’re trying to both disrupt what the adversary is doing currently, and to also potentially deter them from taking further, more expansive actions in cyberspace as a result of the war in Ukraine.”
Daniel says compared to the Obama administration he served in, it’s clear the Biden White House has decided to take a far faster and harder-hitting approach to countering the Kremlin’s hackers. He attributes that shift to both years of US government experience dealing with Vladimir Putin’s regime and the urgency of the Ukrainian crisis, in which Russian state hackers pose an ongoing threat to Ukrainian critical infrastructure and also networks in the West, where Kremlin hackers may lash out in retaliation for sanctions against Russia and military support for Ukraine. “The Russians have made it pretty clear that signaling and small steps are not going to deter them,” says Daniels. “We’ve learned that we need to be more aggressive.”
The Biden administration’s ratcheted-up responses to Russian cyberattacks began in mid-February, before Russia had even launched its full-scale invasion. In a White House press conference, Deputy National Security Advisor Anne Neuberger called out Russia’s GRU for a series of denial of service attacks that had pummeled Ukrainian banks over the prior week. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity,” Neuberger told reporters. Coming just days after the GRU’s attacks, that rebuke represented one of the shortest-ever windows of time between a cyber operation and a US government statement attributing it to a particular agency—a process that has often taken months or even years.
Last month, the Department of Justice unsealed indictments against four individual Russians in two state-linked hacker groups. One indictment named three alleged agents of Russia’s FSB intelligence agency who are accused of belonging to an infamous hacker group, known as Berserk Bear or Dragonfly 2.0, that engaged in a years-long hacking spree that repeatedly targeted critical US infrastructure, including multiple breaches of power grid networks. A second indictment put a name to another highly dangerous hacking campaign, one that used a piece of malware known as Triton or Trisis to target the safety systems of the Saudi oil refinery Petro Rabigh, potentially endangering lives and leading to two shutdowns of the refinery’s operations. The Justice Department pinned that attack on a staffer at the Kremlin-linked Central Scientific Research Institute of Chemistry and Mechanics (known as TsNIIKhM) in Moscow, along with other unnamed coconspirators at the same organization.
At the same time, the Cybersecurity and Infrastructure Security Agency, Justice Department, and FBI were taking on a third Russian state hacker group even more directly. In February, CISA first issued a warning that a GRU hacking group known as Sandworm—with a track record that includes everything from triggering blackouts in Ukraine to the release of the NotPetya malware that inflicted $10 billion in damage worldwide—had assembled a botnet of hacked network devices, along with guidance on how to detect and remove the malware, known as Cyclops Blink. When that advisory led to only a 39 percent drop in the number of devices the botnet hijacked, the FBI took the rare step of actually impersonating the hackers’ communications to its command-and-control machines, sending commands to remove the hackers’ malware from those devices, and thus cutting off Sandworm’s access to at least part of its botnet.
The specific targeting of those three hacker groups—the FSB-linked Berserk Bear hackers, the TsNIIKhM hackers allegedly behind Triton, and GRU-linked Sandworm group—shows how the US government is intentionally taking actions to deter and disable the Russian hackers who present the greatest threat of not mere espionage or cybercrime, but targeted, disruptive cyberwarfare, says John Hultquist, who leads threat intelligence at the cybersecurity firm Mandiant and has tracked all three groups for years. “At a time when the US is bracing for potential cyberattacks from Russia, the Department of Justice has specifically indicted two of these actors and carried out an operation against the third,” says Hultquist. “Those are the actors that have the history and proven capability for disruptive and destructive attacks. That’s why operations have been and should be focused on those actors.”
Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential.
That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.
Enter MFA Prompt Bombing
The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.
That’s where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator or push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or push a button displayed on the screen of their phone.
It’s this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia’s Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.
“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.
“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group was able to access the laptop of one of its employees.
“Even Microsoft!” the person wrote. “Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”
Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.”