DDoS extortion campaign targeting financial sector
CERT NZ has recently received reports relating to an extortion campaign targeting companies within the financial sector in New Zealand. Similar activity has been seen internationally.
The cybercriminals claim to be Russian advanced persistent threat group (APT) ‘Fancy Bear / Cozy Bear’ and demand a ransom to avoid DDoS attacks. They carry out a short DDoS against a company’s IP address to demonstrate intent.
This attack is delivered in two phases:
Phase 1: Email
The target company receives an email stating “We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack.” In the email the attackers give a deadline for when the major DDoS attack will occur and demand a ransom to prevent it.
Phase 2: Demonstrative DDoS
To make the campaign more believable and to prove their intentions and capabilities, the attackers may initiate a warning or demonstrative attack against an IP address belonging to the company’s network. These attacks generally last around 30 minutes.
So far CERT NZ has not seen any evidence to suggest that the attackers follow through with the major attack on the deadline provided in the email.
The attackers are using a variety of reflective DDoS techniques, with targets including services using the following protocols:
- Hyper Text Transfer Protocol (HTTP)
- Web Service Dynamic Discovery (WSD)
- Apple’s Remote Management Service (ARMS)
- Simple Service Discovery Protocol (SSDP)
- Network Time Protocol (NTP)
- Domain Name System (DNS)
- Lightweight Directory Access Protocol (LDAP)
- TCP SYN floods and Internet Control Message Protocol (ICMP)
If you have internet facing systems that expose these protocols, you could be targeted.
This campaign uses very similar tactics to a previous extortion campaign observed in 2017. In both campaigns attackers have claimed to be members of known state-sponsored hacking groups (e.g. Fancy Bear, Cozy Bear), but CERT NZ does not believe that the attackers are in any way affiliated with these organisations.
What this means
Prior to sending the email, the attackers research the target company and identify a back-end server, which usually isn’t protected by DDoS protection systems.
What to look for
How to tell if you're at risk
Check to see if any of your internet-facing systems expose protocols that are being targeted.
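One way to carry out this check on a Linux host, as an added example that is not part of the CERT NZ advisory: list the UDP sockets the host is listening on (the input below is constructed to look like `ss -lnu` output) and flag any that are bound to a non-loopback address on the ports of the reflection services named above. The port-to-service mapping is the standard IANA assignment for each protocol (an assumption of this example, not something the advisory states); SYN floods and ICMP are not port-based and are not covered by this check.

```python
import ipaddress
from dataclasses import dataclass

# UDP ports of the reflection/amplification services named in the advisory
# (standard port assignments, assumed by this example).
AMPLIFICATION_UDP_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "LDAP (CLDAP)",
    1900: "SSDP",
    3283: "ARMS",
    3702: "WSD",
}

# Constructed sample in the shape of `ss -lnu` output; not a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
UNCONN  0       0        0.0.0.0:123          0.0.0.0:*
UNCONN  0       0        127.0.0.1:53         0.0.0.0:*
UNCONN  0       0        203.0.113.10:1900    0.0.0.0:*
UNCONN  0       0        0.0.0.0%eth0:68      0.0.0.0:*
UNCONN  0       0        [::]:389             [::]:*
UNCONN  0       0        [::1]:3702           [::]:*
"""


@dataclass(frozen=True)
class Exposure:
    address: str   # bind address as printed by ss
    port: int
    service: str


def _split_hostport(field: str):
    """Split 'host:port' as printed by ss, handling [v6] brackets and %iface suffixes."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def find_exposed_udp_services(ss_output: str):
    """Return listening UDP sockets on amplification ports that are reachable beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Listening UDP sockets are reported by ss with state UNCONN; skip the header.
        if len(fields) < 4 or fields[0] != "UNCONN":
            continue
        host, port = _split_hostport(fields[3])
        if port not in AMPLIFICATION_UDP_PORTS:
            continue
        if host == "*":
            exposed = True   # older ss prints '*' for the wildcard address
        else:
            addr = ipaddress.ip_address(host)
            # Loopback binds are only reachable from the host itself; the wildcard
            # (0.0.0.0 / ::) and any concrete non-loopback address are treated as exposed.
            exposed = not addr.is_loopback
        if exposed:
            findings.append(Exposure(host, port, AMPLIFICATION_UDP_PORTS[port]))
    return findings


def report(ss_output: str):
    """Human-readable lines, one per finding."""
    return [f"{f.service} listening on {f.address}:{f.port}/udp"
            for f in find_exposed_udp_services(ss_output)]


if __name__ == "__main__":
    # On a real host: subprocess.run(["ss", "-lnu"], capture_output=True, text=True).stdout
    for line in report(SAMPLE_SS_OUTPUT):
        print(line)
```

A socket bound to a non-loopback address is only actually reachable from the internet if no upstream firewall blocks it, so treat each finding as a prompt to confirm the firewall policy (or disable the service) rather than as proof of exposure; likewise a service bound only to a private address behind NAT may still be exposed by a port forward, which this host-local view cannot see.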
What to do
CERT NZ recommends you don’t pay the ransom, as this could result in your company becoming targeted again.
To protect against DDoS attacks, you may need to work with your ISP, and engage with a DDoS protection service, such as Cloudflare or Akamai, to prevent the DDoS traffic from reaching your systems. If you use such a service, ensure that your servers only accept traffic from your DDoS protection provider so that the protection cannot be bypassed.
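The last point above (origin servers must accept web traffic only from the protection provider's ranges) is easy to get wrong when a single permissive rule lingers in the firewall. As an added example that is not part of the CERT NZ advisory, the script below audits a constructed origin-server allowlist against a constructed set of provider ranges (documentation prefixes stand in for the real list; Cloudflare, for instance, publishes its ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) and then builds a hardened rule set where every allow is a subnet of a provider range and a final deny closes the port to everyone else. The rule tuple format is this example's own, not any particular firewall's syntax.

```python
import ipaddress

# Constructed placeholder for the provider's published edge ranges (RFC 5737/3849
# documentation prefixes). Fetch the provider's current list in a real deployment.
PROVIDER_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48"]

# Constructed origin-server firewall rules: (action, source network, destination port).
FIREWALL_RULES = [
    ("allow", "198.51.100.0/24", 443),
    ("allow", "203.0.113.0/25", 443),    # fine: a subnet of a provider range
    ("allow", "0.0.0.0/0", 443),         # bypass: anyone can reach the origin directly
    ("allow", "192.0.2.0/24", 22),       # admin SSH from a constructed corporate range
    ("allow", "2001:db8:1::/48", 443),
]

PROTECTED_PORTS = (80, 443)


def audit_origin_allowlist(rules, provider_ranges, protected_ports=PROTECTED_PORTS):
    """Return (source, port) for allow rules on protected ports whose source is not
    wholly contained in one of the provider's ranges."""
    provider_nets = [ipaddress.ip_network(p) for p in provider_ranges]
    violations = []
    for action, src, port in rules:
        if action != "allow" or port not in protected_ports:
            continue
        net = ipaddress.ip_network(src)
        # subnet_of() raises on mixed IPv4/IPv6, so compare only same-version ranges.
        covered = any(net.version == p.version and net.subnet_of(p) for p in provider_nets)
        if not covered:
            violations.append((src, port))
    return violations


def build_origin_allowlist(provider_ranges, protected_ports=PROTECTED_PORTS):
    """Hardened rule set: allow each provider range per protected port, then deny
    all other IPv4 and IPv6 sources on that port. Order matters: first match wins."""
    rules = []
    for port in protected_ports:
        for p in provider_ranges:
            rules.append(("allow", p, port))
        rules.append(("deny", "0.0.0.0/0", port))
        rules.append(("deny", "::/0", port))
    return rules


if __name__ == "__main__":
    for src, port in audit_origin_allowlist(FIREWALL_RULES, PROVIDER_RANGES):
        print(f"bypass risk: {src} may reach port {port} without passing the DDoS provider")
    for rule in build_origin_allowlist(PROVIDER_RANGES):
        print(rule)
```

Re-run the audit whenever the provider publishes new ranges, since an allow for a range the provider has retired is harmless but a missing allow for a new edge range will silently drop legitimate traffic; the audit deliberately ignores non-web ports such as SSH, which should be restricted separately.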
If you are aware of or have experienced this type of attack report it directly to us.
For CERT NZ media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.