The Fraud Blog with Tracy Kitten

DDoS: Hacktivists Preparing Phase 4?

Retooled Brobot is Nimble, Gearing Up for New Strikes

Experts say distributed-denial-of-service attacks against U.S. banks are not over, despite what's now been a two-month cease-fire by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. Security vendors tell me the hacktivist group's botnet is growing. And when these attacks do resume, they won't be easy to fight.

See Also: New OnDemand | Reacting with Split-Second Agility to Prevent Software Supply Chain Breaches

This next wave of DDoS attacks will be different from what we have seen in earlier waves of attacks, dating back to mid-September 2012, researchers believe. As a result, many of the mitigation strategies and defenses banks have in place could prove ineffective.

Luckily, information about new code added to Brobot, al-Qassam's botnet, is being shared behind the scenes among banking institutions. Now, banks and DDoS-mitigation providers are just waiting for what will be the fourth phase of DDoS to strike.

A New DDoS

Here's what I'm hearing from the industry to support my opinion: Brobot is being rebuilt. That doesn't just mean Brobot is growing. It means Brobot is being retooled, tweaked and is gearing up for a new wave of attacks designed to get around existing mitigation measures.

In a conversation, John LaCour, the CEO of cyberintelligence firm PhishLabs, broke down Brobot's evolution in recent weeks: "The files that are being placed on web servers are different than what were there before," he explains. These are the code files being placed on the compromised web servers hacktivists have been taking over to grow their bot.

Further, LaCour says: "The new code we see on these web servers is one of the strong indicators that the botnet is being rebuilt."

So the code behind the malware has changed and includes configurations we did not see in the first three phases of attacks.

Simply put, al-Qassam is adjusting and reacting to the mitigation techniques banks have implemented over the past 10 months. Why would they invest energy and resources into new strategies if they did not plan to wage more attacks?

More Attacks

No one is sharing details about when we might see the new wave, but many observers say we certainly can expect more attacks.

The DDoS attacks waged by this self-proclaimed hacktivist group over the course of the previous three phases now constitute one of the longest-ever sustained cyber-attacks. It goes without saying: These attackers have might, skill and funding, and we should not be fooled into thinking this recent lapse means DDoS threats are over.

This is why attacks like the PDF download attack recently waged against two mid-tier banks garnered attention (see Another Version of DDoS Hits Banks).

Were those download attacks a test of some of the different types of attacks to come?

Several of my sources speculated we might see al-Qassam's attacks resurface on July 4. That's because Brobot's growth had been active over the days leading up to the Independence Day holiday.

The attackers' scans on search engines for blogs and websites using outdated versions of WordPress and Joomla had picked up. The attackers were actively taking these sites over. But their takeover activity waned as the week dragged on.

Thus, July 4 remained quiet.

Of course, as PhishLabs' LaCour points out, it's not just Brobot we have to worry about. "We have recently seen attacks against Russian banks with other types of botnets," he says.

Quite frankly, even Brobot itself could be leased out to other cybergroups with criminal agendas. We just don't know.

The key takeaway, where Brobot is concerned: "The fact that they are building is concerning," LaCour notes. I agree.

Based on what I see and hear, I'm convinced we can expect more DDoS attacks - and relatively soon. But are we prepared for these new attacks? That's what I'd like to hear from you. What have you done to prepare your institution to detect and defend against future attacks?

Even if these new variants in code used to take over blogs and sites have not been seen before, have we learned enough to react quickly when attacks strike? You tell me.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.