Threats Library

  • The threats list below is a central place for threats and alerts related to network and application security. In particular, we monitor DDoS trends and tools, as well as attacks announced on IRC channels, social media and other attacker communication channels.

    Attack alert

    #OPUSA

    Date: 30.04.13

    AnonGhost, a hacking group affiliated with Anonymous, announced a new cyber-attack campaign against US websites named #OPUSA, scheduled for May 7th, 2013.

    The planned attack follows a similar campaign organized by AnonGhost exactly one month earlier, on April 7th, 2013, which was launched against Israeli web sites (aka OPISRAEL).

    As with OPISRAEL, several hacking groups, including Anonymous, have announced their participation in the upcoming attack. One notable group, although its participation is not yet confirmed, is the Izz ad-Din al-Qassam Cyber Fighters, which is considered responsible for the recent attacks on American banks and financial institutions.

    Dozens of US-based sites have already been defaced, mainly to lend credibility to the threats made so far. As in past campaigns, the initial attacks are expected to involve web site defacement of poorly protected sites. Once the campaign gains publicity and enrolls additional attackers, coordinated DDoS attacks can be expected to follow. The various groups participating in #OPUSA have published the attack targets, tools and techniques on several sites. The following is a summary of the information gathered from these sites.

    Attack Tools

    Though larger lists of attack tools were published, we expect the following tools to be the most frequently used in OPUSA:


    Attack Vectors

    The DDoS attack vectors most expected from these attack tools include:

    • SYN floods
    • Out-of-state floods
    • Empty connection floods
    • UDP floods
    • HTTP GET floods
    • Slow POST floods
    • Slow GET floods
    • ICMP floods
    • DNS query floods
    • Reflected DNS floods


    Attack Targets

    US government sites are the main target of the OPUSA attack:

    • www.defense.gov
    • pentagontours.osd.mil
    • www.pentagonchannel.mil
    • www.archives.gov
    • www.whs.mil
    • www.nsa.gov
    • nsa.nato.int
    • www.fbi.gov
    • www.whitehouse.gov

    Secondary attack targets include a long list of US (and US-located) financial web sites.

    Attack alert

    WordPress Attack

    Date: 15.04.13

    During the past week we noticed an abnormal increase in brute force attacks targeting WordPress applications. The attacks use automated scripts that attempt to log in to the default WordPress admin page using common usernames and passwords.

    The brute force attacks originate from a large number of sources, consisting of both legitimate web servers and private home computers. Several published reports have positively identified almost 90,000 attacking sources.

    Once a username and password are successfully guessed by the attacking script, it uses the gained admin credentials to upload a malicious script to the compromised server.

    While many of the brute force attempts failed to guess the admin credentials, the high volume of the attacks has caused excessive resource utilization on the servers hosting the WordPress applications, leaving them unresponsive to legitimate users for the duration of the attack.

    Mitigation Recommendation

    In order to mitigate the attack, WordPress server operators are encouraged to take the following preventive measures:

    1. Enable WordPress ‘Two Step Authentication’.
    2. Harden the security of WordPress configurations.
    3. Choose a complex and uncommon password, since the attacks use common wordlists to perform the brute force.

    Radware DefensePro can use JavaScript Web Challenges to mitigate the attack. This method has proven successful in dropping the automated brute force tools while allowing legitimate JavaScript-compliant clients to access the site. (Note that it is important to verify that legitimate clients support JavaScript in order to prevent false positives.)

    Radware AppWall can block these brute force attacks by detecting multiple unsuccessful login attempts to the WordPress login page originating from the same source in a short time period. The malicious sources can then be suspended or blocked for configurable timeframes.

    Additionally, in scenarios where shared IP addresses are used (e.g. proxy servers), a throttling policy can be applied in order to allow legitimate users to access the login page while effectively blocking malicious requests originating from that same IP address.
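    The detection logic described above (suspend a source after repeated failed logins in a short window, throttle rather than suspend a shared proxy address) as an added illustration; this is not Radware's or WordPress's code. It assumes a combined-format access log and the WordPress convention that a failed wp-login.php POST is answered with HTTP 200 while a successful one redirects with 302; the log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed Apache-style access log (not from the page). WordPress re-renders
# the form with HTTP 200 on a failed wp-login.php POST and answers a successful
# one with a 302 redirect; treating "POST ... 200" as a failure assumes that.
ACCESS_LOG = """\
198.51.100.7 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [15/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [15/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.50 - - [15/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.50 - - [15/Apr/2013:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.50 - - [15/Apr/2013:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.50 - - [15/Apr/2013:10:00:23 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.50 - - [15/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [15/Apr/2013:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
"""
SHARED_IPS = {"192.0.2.50"}  # constructed: a proxy address many legitimate users share
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (timestamp, source_ip) for every failed wp-login.php POST."""
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip

def decide(events, window_s=60, threshold=2, block_s=600, shared_ips=frozenset()):
    """Sliding-window policy: >threshold failures in window_s seconds suspends the
    source for block_s seconds; a shared address is throttled, never suspended."""
    recent, blocked_until, out = defaultdict(deque), {}, []
    for ts, ip in sorted(events):
        if ts < blocked_until.get(ip, ts):
            out.append((ip, "block"))        # still inside the suspension period
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # attempts older than the window age out
        if len(q) <= threshold:
            out.append((ip, "allow"))
        elif ip in shared_ips:
            q.pop()                          # the dropped request does not count
            out.append((ip, "throttle"))
        else:
            blocked_until[ip] = ts + timedelta(seconds=block_s)
            out.append((ip, "block"))
    return out
```

    Running `decide(failed_logins(ACCESS_LOG), shared_ips=SHARED_IPS)` suspends 198.51.100.7 on its third failure and keeps it suspended at 10:02:30, while the proxy address is only throttled at 10:00:22 and 10:00:23 and is served again at 10:01:30 once its rate has dropped.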

    Attack alert

    #OpIsrael

    Date: 07.04.13

    Various anti-Israeli hacking groups have joined forces to launch a massive cyber attack on Israeli cyber space, with the aim of disconnecting the country from the Internet. AnonGhost, one of the campaign's central initiators, indicated that it will launch the attack on the 7th of April.

    "It’s gonna be the biggest operation ever launched against any country, it’s gonna be huge!"

    The incentive, as published at https://www.facebook.com/photo.php?fbid=500820503288482&l=332f6d8c02:

    "Since then Israel has not stopped expanding its settlements onto Palestinian land. Palestinians are being removed from their homes so Israel can build Jewish only homes on their land. The Zionist do this based on a claim that they are Gods chosen people and that God has promised them this land. They claim their ancestors lived there thousands of years before so they have the right to remove the people living there today. The racism and ethnic cleansing is unacceptable yet the Zionist do this under the guise of democracy, while at the same time using modern media to look like the victims, they say they are defending themselves from suicide bombers and terrorists. The truth is they are defending themselves against a desperate population that they are crushing and occupying. What Zionists refer to as terrorists are in actual fact just resistance, fighting extermination."

    Groups & Hackers Involved in the Cyber Attack

    • AnonGhost
    • Algerian Hackers
    • Mauritania HaCker Team
    • Ajax Team
    • MLA
    • Moroccan Hackerz
    • Gaza Hacker Team & Gaza Security Team
    • Anonymous Syria
    • ZHC
    • The Hacker Army
    • X-BLACKERZ INC
    • Devil Zone Team
    • Moroccan Hackers

    Attack Campaign Specific Targets

    Although no target list has been published formally, judging by past actions of some of these hackers, the April 7th attack will likely focus on government sites, Microsoft and Google Israel, as well as Israeli banks.

    Published Attack Vectors

    We assume that the attack will use both DDoS methods and web site defacements. Each attacking team will try to create maximum damage based on its knowledge and capabilities. To achieve the stated goal of "a total blackout", a massive DNS attack on Israel's root domain servers is possible.

    Published DoS Attack Tools

    Malware Tool

    Mobile Low Orbit Ion Cannon (LOIC)

    Date: 16.01.13

    Mobile LOIC is the online web version of LOIC. It is a JavaScript-based HTTP DoS tool delivered within an HTML page, consisting of roughly 100 lines of code that run a loop generating web requests. It has very few options and can only conduct HTTP floods. It is possible to append text with an appropriately revolutionary message.

    Unlike its PC counterpart LOIC, it does not support more complex options such as randomization of URLs and remote control by IRC botnets (“the hive”). The tool is flexible because it runs in various browsers and can be accessed remotely. Normally attack organizers post a URL for the website hosting the page and invite others to use the tool against the specified target. Since the HTML page may be hosted on any website and only a web browser is required, an attacker can even use a smartphone to generate an attack.

    Mobile LOIC is very simple to operate since it needs only three configurable parameters:

    • Target URL - specifies the URL of the attacked target. Must start with http://
    • Requests per second - specifies the number of desired requests to be sent per second
    • Append message - specifies the content for the message parameter to be sent within the URL of HTTP requests

    Malware Tool

    THC-SSL-DoS

    Date: 16.01.13

    This tool allows a single computer to knock web servers offline by targeting a well-known weakness in Secure Sockets Layer implementations. A single computer with an ordinary Internet connection is enough to carry out a successful attack with this tool. This is possible because the attack is asymmetric: a single client request can cause the server to expend up to 15 times more resources than the client.

    SSL is generally used to prevent sensitive data from being monitored while it travels between servers or between servers and end-users. This is done by establishing a secure channel in a process called the SSL handshake. This CPU-consuming handshake is normally performed only once per connection, and servers are not prepared to handle large numbers of them. The protocol, however, has a ‘renegotiation’ option that is used to establish a new secret key.

    The THC-SSL-DoS tool attacks the server by creating a situation known as SSL exhaustion, in which it renegotiates the keys again and again. This is where the attack is asymmetric: the renegotiation requires 15 times more CPU effort from the server than from the attacker. Even if the server does not support the ‘renegotiation’ option, the attacker can alternatively open fresh SSL connections to cause the same effect. The attack can, however, be detected by noticing an abnormally high number of SSL handshakes within a short period of time.