In early December, hackers in Turkey came up with a new strategy to incentivise others to carry out cyber attacks for them in return for points in a new loyalty scheme.
This scheme allows the Turkish hackers to shift most of the risk away from themselves and onto those who are prepared to attack pre-defined targets in exchange for access to tools including click fraud software.
Although providing members with tools and a list of targets has been done by Anonymous in the past, this is the first time we have seen a Distributed Denial of Service (DDoS) platform that lets hackers earn points, rewarding them for their ‘loyalty’ with access to new attack tools.
It is especially worrying for cloud businesses: hackers may launch strong DDoS attacks on cloud service providers in order to bring down targets hosted there, and the provider’s other customers are at risk of being caught in the crossfire.
The ‘cyber domino’ effect has become a popular weapon in the cyber criminal armoury in recent years. It works by taking down a hosting company so that the target company is taken offline as well, along with many other companies that use the same provider and become innocent victims of the attack.
The motives for the latest attacks are not completely clear, but there are some good indicators that give insight into the potential motivation of the authors of the platform and the participants.
With this new platform, known as “Sath-ı Müdafaa”, which translates into “Surface Defence”, there is no prior connection between participants and the provider of the tool.
The authors provide the platform and a locked version of the Balyoz DDoS tool, with a limited list of targets. The targets (credit to Forcepoint) included the Kurdish Workers’ Party (PKK), the People’s Defense Force (HPG), websites of Kurdish hacking crews and Kurdish radio and TV stations, as well as the German Christian Democratic Party (CDU, Angela Merkel’s party), the Armenian Genocide website and several Israeli sites – mostly sites that take a political position with respect to Turkey.
From the participants’ perspective, the motive can be either political ideology (suggested by the list of target sites) or financial gain. The financial gain comes in the form of rewarded points that can be used to buy an untethered version of the Balyoz DDoS tool or click-fraud bots such as Ojooo, PTCFarm and Neobux PTC. Click-fraud bots automatically click on ads for pay-to-click (PTC) services and are clearly there for financial gain.
One other motive for the author might be to gain insight into the participants through a backdoor, or to recruit their systems for other attacks – the latter being less probable, since the participants are performing illegal activities with those systems and may want to trash them after use. So I believe that the backdoor is there to gain insight into competing criminal groups or to gather intelligence on the participants.
Whilst this new loyalty scheme approach is currently focused only on targets that have some political connection with Turkey, the model is one that could well be repeated by hackers looking to target businesses against which they hold a grievance of some sort. Additional platforms may already have been developed but are yet to be discovered. It is very likely that this will not be a ‘one off’.
I don’t see how we could stop such platforms from forming – even if one could be taken offline, it is just a matter of time before the next forms. But the owner of such a platform must invest a certain amount of resources to make it work and gain popularity, namely a good set of tools that attract participants and make them want to earn points. This is certainly the work of seasoned hackers.
With that in mind, there are steps that cloud businesses can take to defend against DDoS attacks that may result from this new tactic. They must review their cloud service provider and ask:
- Are you using hybrid mitigation capabilities? A successful defence depends upon multi-vector attack detection that is ‘always-on’, along with the ability to automate the process of redirecting traffic to cloud-based mitigation resources.
- Do you have effective application-layer (Layer 7) attack detection and mitigation services? New attacks are reportedly sending massive HTTP floods, making Layer 3/4 detection methods useless.
- Do you have a separate network for DDoS mitigation? The ideal architecture features a separate, scalable infrastructure specifically for volumetric DDoS attack mitigation, to which attacks can be rerouted when they reach predetermined thresholds.
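The Layer 7 and threshold-rerouting points in the list above, as an added example that is not part of the original article: a small Python detector over constructed access-log lines that tracks request rate per source next to a byte-volume rule, showing how a flood of small HTTP requests stays under a Layer 3/4 style throughput threshold while the request-rate threshold calls for rerouting. The threshold values, IP ranges and log format are assumptions made for this example.

```python
from collections import Counter

# Illustrative thresholds (assumptions for this example, not figures from the article).
REROUTE_RPS = 200          # global requests/sec at which traffic is rerouted to mitigation
SUSPECT_SRC_RPS = 20       # per-source requests/sec that marks a likely flood participant

def parse_line(line):
    """Parse one constructed log line: '<epoch_sec> <src_ip> <method> <path> <status> <bytes>'."""
    ts, src, method, path, status, size = line.split()
    return {"ts": int(ts), "src": src, "method": method,
            "path": path, "status": int(status), "bytes": int(size)}

def analyse_window(lines):
    """Compute request-rate (Layer 7) and byte-rate (Layer 3/4 style) metrics for a log window."""
    events = [parse_line(l) for l in lines if l.strip()]
    if not events:
        return {"rps": 0.0, "bytes_per_sec": 0.0, "suspect_sources": [], "verdict": "ok"}
    secs = max(e["ts"] for e in events) - min(e["ts"] for e in events) + 1
    per_src = Counter(e["src"] for e in events)
    rps = len(events) / secs
    bps = sum(e["bytes"] for e in events) / secs
    suspects = sorted(s for s, n in per_src.items() if n / secs >= SUSPECT_SRC_RPS)
    verdict = "reroute" if rps >= REROUTE_RPS else "ok"
    return {"rps": rps, "bytes_per_sec": bps, "suspect_sources": suspects, "verdict": verdict}

def l34_volumetric_alert(metrics, baseline_bps, factor=3.0):
    """A byte-volume threshold of the Layer 3/4 kind: fires only at `factor` times the baseline
    throughput, so a flood of small HTTP requests can stay under it."""
    return metrics["bytes_per_sec"] >= factor * baseline_bps

def build_sample(flood):
    """Constructed traffic for one second: 50 legitimate 4 KB page views from 50 clients, plus,
    when `flood` is set, 5 attack sources each sending 60 tiny GETs for the root page."""
    lines = [f"1000 198.51.100.{i} GET /page{i % 5}.html 200 4096" for i in range(50)]
    if flood:
        for b in range(5):
            lines += [f"1000 203.0.113.{b} GET / 200 100" for _ in range(60)]
    return lines

if __name__ == "__main__":
    baseline = analyse_window(build_sample(flood=False))
    attack = analyse_window(build_sample(flood=True))
    print("baseline:", baseline)
    print("attack:  ", attack)
    # The byte-rate rule never fires, while the request-rate rule calls for rerouting.
    print("L3/4 volumetric alert during attack:",
          l34_volumetric_alert(attack, baseline["bytes_per_sec"]))
```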
Cyber-criminals will always find new and unusual ways of launching attacks that are often difficult to defend against. But those who carefully review their cyber defence strategy – and that of the providers they rely upon – will be well prepared to take on these latest threats.