The threats list below is a central place for threats and
alerts related to network and application security. In particular, we are
monitoring DDoS trends and tools, announced attacks on IRC channels, social
media and other attackers' communication channels.
AnonGhost – A hacking group affiliated with Anonymous announced a new cyber-attack campaign against US websites named #OPUSA, scheduled for May 7th, 2013.
The planned attack follows a similar attack campaign organized by AnonGhost that took place exactly one month earlier – on Apr 7th, 2013 and was launched against Israeli web sites (aka OPISRAEL).
Similar to OPISRAEL, several cyber hacking groups, including Anonymous, have announced their participation in the upcoming attack. One notable group, although its participation is not yet confirmed, is the Izz ad-Din al-Qassam Cyber Fighters, which is considered responsible for the recent attacks on American banks and financial institutions.
Dozens of U.S.-based sites have already been defaced, mainly to lend credibility to the threats made so far. As in past campaigns, the initial attacks are expected to involve website defacement of poorly protected sites. Once the campaign gains publicity and enrolls additional attackers, coordinated DDoS attacks can be expected to follow. The various groups participating in #OPUSA have published the attack targets, tools and techniques on several sites. The following is a summary of the information gathered from these sites.
Though larger lists of attack tools were published, we expect these attack tools to be the most frequently used in OPUSA:
The DDoS attack vectors most expected from the attacks tools include:
US government sites are the main target of the OPUSA attack:
Secondary attack targets include a long list of US (and US located) financial web sites.
During the past week we noticed an abnormal increase of brute force attacks targeting WordPress applications.
The attacks use automated scripts that attempt to log in to the default WordPress admin login page using common usernames and passwords.
The brute force attacks originate from a large number of sources consisting of both legitimate web servers and private home computers. Several reports have been published which have positively identified almost 90,000 attacking sources.
Once a username and password are successfully guessed by the attacking script, it uses the gained admin credentials to upload a malicious script to the compromised server.
While many of the brute force attempts fail to guess the admin credentials, the sheer volume of login requests has caused excessive resource utilization on the servers hosting the WordPress applications, leaving them unresponsive to legitimate users for the duration of the attack.
In order to mitigate the attack, WordPress servers are encouraged to use the following preventive measures:
Radware AppWall can block these brute force attacks by detecting multiple unsuccessful login attempts to the WordPress login page originating from the same source within a short time period. The malicious sources can then be suspended or blocked for configurable timeframes.
Additionally, where many users share one IP address (e.g. behind a proxy server), a throttling policy can be applied instead, so that legitimate users can still reach the login page while the excess requests originating from that same IP address are effectively blocked.
Various anti-Israeli hacking groups join hands to launch a massive cyber attack on Israeli cyber space with the aim to disconnect the country from the Internet.
AnonGhost, one of the campaign's central initiators, indicated that it will launch the attack on the 7th of April.
"It’s gonna be the biggest operation ever launched against any country, it’s gonna be huge!"
The Incentive (as published here https://www.facebook.com/photo.php?fbid=500820503288482&l=332f6d8c02.)
"Since then Israel has not stopped expanding its settlements onto Palestinian land.
Palestinians are being removed from their homes so Israel can build Jewish only homes on their land.
The Zionist do this based on a claim that they are Gods chosen people and that God has promised them this land.
They claim their ancestors lived there thousands of years before so they have the right to remove the people living there today.
The racism and ethnic cleansing is unacceptable yet the Zionist do this under the guise of democracy, while at the same time using modern media to look like the victims,
they say they are defending themselves from suicide bombers and terrorists. The truth is they are defending themselves against a desperate population that they are crushing and occupying.
What Zionists refer to as terrorists are in actual fact just resistance, fighting extermination."
Groups & Hackers Involved in the Cyber Attack
Attack Campaign Specific Targets
Although not published formally, according to past actions taken by some of the hackers it seems like the April 7th attack will be focused on government sites,
Microsoft & Google Israel as well as Israeli Banks.
Published Attack Vectors
We assume that the attack will utilize both DDoS attack methods and website defacements. Each attacker team will try to create maximum damage based on its knowledge and capabilities.
To achieve the stated goal of the threat, "a total blackout", it is possible that a massive DNS attack on the name servers of the Israeli top-level domain will occur.
Published DoS Attack Tools
Mobile Low Orbit Ion Canon (LOIC)
Mobile LOIC is the online web version of LOIC. It is a JavaScript-based HTTP DoS tool delivered within an HTML page: roughly 100 lines of code that run a loop generating web requests. It has very few options and can only conduct HTTP floods. It is possible to append text carrying an appropriately revolutionary message to the requests.
Unlike its PC counterpart LOIC, it does not support more complex options such as URL randomization or remote control via IRC botnets ("the hive"). The tool is flexible because it runs in any browser and can be accessed remotely. Normally attack organizers post a URL for the website hosting the page and invite others to use the tool against the specified target. Since the HTML page may be hosted on any website and only a web browser is required, an attacker can even use a smartphone to generate an attack.
Mobile LOIC is very simple to operate since it needs only three configurable parameters:
This tool allows a single computer to knock web servers offline by targeting a well-known weakness in Secure Sockets Layer (SSL) implementations. All it takes is one computer with an ordinary Internet connection to mount a successful attack. This is possible because the attack is asymmetric: a single client request can cause the server to invest up to 15 times more resources.
SSL is generally used to prevent sensitive data from being monitored while it travels between servers or between servers and end users. This is done by establishing a secure channel in a process called the SSL handshake. This CPU-intensive handshake is normally done only once per connection, and servers are not prepared to handle large numbers of them. The protocol, however, has a 'renegotiation' option that is used to establish a new secret key on an existing connection.
The THC-SSL-DoS tool attacks the server by creating a condition known as SSL exhaustion, in which it renegotiates the keys again and again. This is where the asymmetry lies: each renegotiation costs the server about 15 times more CPU effort than it costs the attacker. Even if the server does not support the 'renegotiation' option, the attacker can alternatively open fresh SSL connections to cause the same effect. The attack can, however, be detected by noticing an unusually high number of SSL handshakes within a short period of time.
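As an added example, not Radware's code and not part of the original alerts, the following Python script shows the detection logic behind the two mitigations described on this page: counting failed WordPress logins per source and then blocking the source or, for a shared proxy address, throttling it (the AppWall behaviour described in the WordPress alert above), and counting SSL handshakes and renegotiations per source to spot the SSL exhaustion pattern described in this section. The simplified log format, the thresholds, the IP addresses and the timestamps are all constructed for the example and are assumptions, not values from the page.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified access-log format (an assumption for this example):
# <ip> - - [<unix_ts>] "<METHOD> <path> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\d+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


class SlidingWindow:
    """Per-key event counter over the trailing `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # expire old events
            q.popleft()
        return len(q)


def wp_login_policy(lines, max_failures=5, window=60, block_seconds=600,
                    shared_ips=frozenset(), shared_rate=20):
    """Decide allow/block/drop/throttle for each request to wp-login.php.

    WordPress answers a failed login POST with 200 (form re-rendered) and a
    successful one with a 302 redirect, so only POST+200 counts as a failure.
    Sources in `shared_ips` (proxies) are throttled to `shared_rate` login
    requests per window instead of being blocked, so users behind them keep
    access. Returns (blocked, decisions): blocked maps ip -> block expiry,
    decisions is a list of (ts, ip, action).
    """
    failures = SlidingWindow(window)
    shared_requests = SlidingWindow(window)
    blocked, decisions = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m['path'].startswith('/wp-login.php'):
            continue
        ip, ts = m['ip'], int(m['ts'])
        if ip in blocked and ts < blocked[ip]:
            decisions.append((ts, ip, 'drop'))        # still suspended
            continue
        if ip in shared_ips:
            n = shared_requests.add(ip, ts)
            decisions.append((ts, ip, 'allow' if n <= shared_rate else 'throttle'))
            continue
        if m['method'] == 'POST' and m['status'] == '200':
            if failures.add(ip, ts) >= max_failures:
                blocked[ip] = ts + block_seconds    # suspend for a fixed period
                decisions.append((ts, ip, 'block'))
                continue
        decisions.append((ts, ip, 'allow'))
    return blocked, decisions


def ssl_handshake_policy(events, max_handshakes=30, window=10):
    """Flag sources with too many SSL handshakes in a short period.

    `events` is an iterable of (ts, ip, kind) with kind 'handshake' or
    'renegotiation'. Both are counted, since a fresh full handshake costs
    the server roughly as much as a renegotiation. Returns {ip: ts_flagged}.
    """
    win = SlidingWindow(window)
    flagged = {}
    for ts, ip, kind in events:
        if kind in ('handshake', 'renegotiation'):
            if win.add(ip, ts) >= max_handshakes and ip not in flagged:
                flagged[ip] = ts
    return flagged


def summarize(decisions):
    """Count decisions per (ip, action) for reporting."""
    counts = defaultdict(int)
    for _, ip, action in decisions:
        counts[(ip, action)] += 1
    return dict(counts)


# Constructed sample data (documentation-range IPs, not real sources).
SAMPLE_LOG = (
    # brute-force script: six failed POSTs in six seconds
    ['203.0.113.5 - - [%d] "POST /wp-login.php HTTP/1.1" 200' % t for t in range(1000, 1006)]
    # legitimate user: loads the form, then logs in successfully (302)
    + ['198.51.100.7 - - [1000] "GET /wp-login.php HTTP/1.1" 200',
       '198.51.100.7 - - [1003] "POST /wp-login.php HTTP/1.1" 302']
    # shared proxy address: 25 login attempts from many users behind it
    + ['192.0.2.9 - - [%d] "POST /wp-login.php HTTP/1.1" 200' % t for t in range(1000, 1025)]
)
SAMPLE_SSL_EVENTS = (
    [(2000 + i * 0.05, '203.0.113.5', 'renegotiation') for i in range(40)]  # 40 in 2 s
    + [(2000 + i, '198.51.100.7', 'handshake') for i in range(3)]           # normal client
)

if __name__ == '__main__':
    blocked, decisions = wp_login_policy(SAMPLE_LOG, shared_ips={'192.0.2.9'})
    print('blocked:', blocked)
    print('decisions:', summarize(decisions))
    print('ssl flagged:', ssl_handshake_policy(SAMPLE_SSL_EVENTS))
```

On the constructed sample, the scripted source is blocked on its fifth failure and its sixth request is dropped, the legitimate user is never counted because a successful login returns 302, and the proxy address is allowed 20 login requests per minute and throttled beyond that rather than being cut off. The SSL policy flags the source that renegotiates 40 times in two seconds and ignores the client with three handshakes; the same counter works for floods of fresh connections when renegotiation is disabled on the server.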
Design flaws, bugs or any other weakness found in programs, servers, applications or other network elements.
Alerts on possible upcoming network and/or application attacks, tracked by ongoing monitoring of hackers' communication channels (IRC, Twitter, YouTube, etc.)
Network and/or application attack tool or malware
Radware is a leading security solutions provider offering a full spectrum Attack Mitigation System (AMS) comprised of award-winning products DefensePro, AppWall and Vision as well as the top-expert Emergency response team service.