Recent Bank Cyber Attacks Originated From Hacked Data Centers, Not Large Botnet

New details have emerged about the attack toolkit that was used to launch the distributed denial of service (DDoS) attacks against a number of US-based financial institutions late last month.

The majority of the banking attack traffic does not appear to have been generated by client bots, but rather from compromised servers in data centers, Carl Herberger, vice-president of security solutions at Radware, told SecurityWeek on Thursday.

The “itsoknoproblembro” toolkit did not compromise those servers in the first place, as Radware believes the servers were already under the attacker’s control before being infected with the DDoS attack kit, Herberger said.

Some of the U.S.-based financial institutions that fell under attack in late September include Bank of America, JPMorgan Chase, PNC Bank, and others. While not all the institutions confirmed being hit by denial of service attacks, they all experienced extremely high traffic volumes that affected the availability of their sites within days of each other.

The fact that the denial of service attacks originated from servers within the data center, as opposed to a large botnet or series of client machines, means the attack traffic could bypass security mechanisms in place, Herberger said. The servers generally have a trust relationship with the endpoints, which means malicious traffic coming from the servers looks like internal traffic and abuses that relationship, Herberger said.

Earlier this week, researchers from Prolexic Technologies told SecurityWeek that it appeared that the attacking botnet contained many legitimate IP addresses, which made it harder to use anti-spoofing mechanisms to block the junk traffic. These legitimate IP addresses could support Radware’s claims that the attacking servers did, in fact, have a trust relationship on the network.
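The point made above by Radware and Prolexic is that source-based controls (allow-lists of trusted servers, anti-spoofing checks) pass flood traffic that comes from a legitimately addressed but compromised server, so a defender needs a control that does not depend on who the source is. The following script is an added illustration and is not code from the article, Radware or Prolexic: it runs a source-agnostic per-window rate check over a constructed set of flow records and shows that the flooding trusted server passes the allow-list model but is caught by the rate baseline. The IP addresses, the allow-list, the window size and the baseline are all assumptions made for the example.

```python
"""Rate-based detection of flood traffic from trusted sources (added example).

Models two controls over the same flow records: an allow-list that passes
anything from a trusted server, and a per-source rate baseline that ignores
trust entirely. All flow data below is constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A flow record: (unix timestamp, source IP, destination IP, bytes).
Flow = Tuple[int, str, str, int]

# Hypothetical allow-list of data-center servers the edge treats as trusted.
TRUSTED_SOURCES: Set[str] = {"10.0.5.20", "10.0.5.21"}


def make_sample_flows() -> List[Flow]:
    """Constructed sample: one trusted server behaves normally, a second trusted
    server floods the web tier, and one outside host sends a little traffic."""
    flows: List[Flow] = []
    # 10.0.5.20 (trusted, healthy): 3 flows spread over a 10-second window.
    for i in range(3):
        flows.append((1000 + i * 3, "10.0.5.20", "10.0.1.10", 1200))
    # 10.0.5.21 (trusted, compromised): 60 flows inside the same window.
    for i in range(60):
        flows.append((1000 + (i % 10), "10.0.5.21", "10.0.1.10", 1500))
    # 203.0.113.7 (outside host): 2 flows, would be dropped by the allow-list.
    flows.append((1001, "203.0.113.7", "10.0.1.10", 600))
    flows.append((1007, "203.0.113.7", "10.0.1.10", 600))
    return flows


def allowlist_filter(flows: Iterable[Flow], trusted: Set[str]) -> List[Flow]:
    """Model a source-based control: pass every flow whose source is trusted.

    Returns the flows the control lets through; a flood from a trusted server
    passes in full because its address is legitimate.
    """
    return [f for f in flows if f[1] in trusted]


def flows_per_window(flows: Iterable[Flow], window_s: int) -> Dict[Tuple[str, int], int]:
    """Count flows per (source, window start), with windows aligned to window_s."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for ts, src, _dst, _nbytes in flows:
        counts[(src, ts - ts % window_s)] += 1
    return counts


def rate_anomalies(
    flows: Iterable[Flow],
    window_s: int = 10,
    baseline_per_window: int = 5,
    factor: int = 3,
) -> List[Tuple[str, int, int]]:
    """Flag (source, window start, count) whenever a source exceeds
    baseline_per_window * factor flows in one window. Trust is not consulted,
    so a compromised trusted server is flagged like any other source."""
    threshold = baseline_per_window * factor
    return sorted(
        (src, window, count)
        for (src, window), count in flows_per_window(flows, window_s).items()
        if count > threshold
    )


if __name__ == "__main__":
    sample = make_sample_flows()
    passed = allowlist_filter(sample, TRUSTED_SOURCES)
    print(f"allow-list passed {len(passed)} of {len(sample)} flows")
    for src, window, count in rate_anomalies(sample):
        print(f"rate anomaly: {src} sent {count} flows in window starting {window}")
```

The allow-list passes all 63 flows from the two trusted servers, including the 60-flow burst, while the rate check flags only the compromised server. In practice the baseline would be learned per source and per service rather than fixed, but the structure is the same: detect on behaviour, not on address.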

Further validating Radware’s claims, Prolexic told SecurityWeek just days ago that its team had not observed any itsoknoproblembro botnets available for rent, and that the campaigns launched by itsoknoproblembro appear to have been the work of a small group of attackers.

“What we have is pretty interesting,” Herberger said.

Herberger admitted that Radware does not yet have a “comprehensive enough” profile of the attacking server, making it difficult for the team to describe which servers had already been compromised, how it spread, or the initial infection methods.

While Radware does believe that the toolkit communicates with a remote command-and-control server, the team is still looking for more information about the remote server.

“We are not positive that it [DDoS attack kit] is a bot,” Herberger said.

The infection point is also a big mystery, Herberger said. The types of attacks launched against the servers would be very different from a typical malware scenario. For example, server attacks are not very likely to use an Adobe vulnerability in PDF files but rather use common “server-related” tactics such as going after PHP to infect the machine in the first place, Herberger said.

The fact that servers were compromised with itsoknoproblembro means that attackers hooked into “lots of horsepower,” Herberger said. Considering the attacks had a dramatic uptick with bandwidth, having the servers in a data center may have helped attackers hit the 60 to 70 GBps level in their attacks.

Radware’s Emergency Response Team also found a “private version” of the toolkit used in the attacks in Saudi Arabia, Herberger said. The term refers to the fact that this version was significantly different from the version originally seen in the wild and behind the banking DDoS attacks, Herberger said. This particular variant doesn’t “have the bells and whistles of the other version,” he said.

“It’s tough to tell what it is,” he added, as Radware hadn’t finished its investigation. It doesn’t have all the features the malware traditionally has. It may be an earlier version of the itsoknoproblembro toolkit, or a testing prototype, or just a variant intent on doing its own damage, Herberger said.

The fact that it was found in Saudi Arabia could have some implications but it’s not known what that would be at this time, Herberger said.

“It could just be that this version is one instance of all the compromised machines that are located in the Middle East, or the only machine that is based in the Middle East,” Herberger said.

Commenting on the discovery of the private version of “itsoknoproblembro” in Saudi Arabia, Radware says this does not mean that the attack was launched there, but it does show that there may be more servers infected by this malware around the world, and that these attacks may not yet be over.

Related: Sophisticated DDoS Toolkit Used in Recent Bank Cyber Attacks