CyberWire Daily - Could REvil have a copycat? [Research Saturday]
Episode Date: July 2, 2022

Larry Cashdollar from Akamai joins Dave to discuss their research on a DDoS campaign claiming to be REvil. Akamai's team was notified last week of an attack on one of their hospitality customers, which they called "Layer 7," by a group claiming to be associated with REvil. In the research, they dive into the attack and compare it to other similar attacks that have been made by the group. The research states, "The attacks so far target a site by sending a wave of HTTP/2 GET requests with some cache-busting techniques to overwhelm the website." It also notes that this is a smaller attack than they have seen from the group before, and that there seems to be more of a political agenda behind it, whereas in the past REvil has been less political. The research can be found here: REvil Resurgence? Or a Copycat?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We were notified by one of our customers, they were seeing an attack that had a specific message in the attack traffic, which drew their attention.
That's Larry Cashdollar. He's a principal security intelligence response engineer at Akamai Technologies.
The research we're discussing today is titled "REvil Resurgence? Or a Copycat?"
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches
continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024. These traditional security tools expand your attack surface with public-facing
IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and
IPs invisible, eliminating lateral movement, connecting users only to specific apps,
not the entire network, continuously verifying every request based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization
with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
And they asked the cert to investigate,
so I hopped on a call with them,
and we were looking at the attack traffic,
and it's not stuff that we normally see
You know, typically the type of attack traffic we see is just more, it's not so specific. But
the requests had a specific message, which is kind of uncommon, and the message was part of
the path in the GET request for HTTP. So we thought that was kind of unique and interesting,
so we investigated further,
and that's pretty much how we ended up writing up this blog post.
Yeah. Well, let's walk through it together.
Can you give us some of the details about the attack itself?
Sure. The attack was originating from widely distributed IP ranges.
So these IP addresses were in U.S. territory.
They were in Argentina, Brazil, the U.K., Russia, Iran.
They were just really widely distributed across the globe.
And initially, you know, we thought it's likely going to be either infected IoT devices or proxy servers.
And upon investigating further, we noticed that these IP addresses were MikroTik routers,
a lot of them, which were part of the Meris botnet a few, what was it, months ago?
I believe that the Meris botnet was utilizing MikroTik routers to proxy attack traffic through.
Thinking of this, we thought perhaps it was someone utilizing part of the Meris botnet,
but we couldn't really prove that. If somebody was either borrowing a part of it or just reusing the devices that Meris had used.
It was unclear to us during the investigation.
The attack itself was pretty simple.
It was a GET request, and as I had mentioned earlier, the path in the GET request had a specific message for our customer to comply with a certain demand and then provide some Bitcoin in order for the attack to stop.
The attack itself wasn't very sophisticated.
They were using some cache-busting techniques where the query string in the GET request was like an eight-character randomized string.
And that's something where when a web server or a caching web server sees the request, it thinks it's unique and it doesn't try and pull it from cache.
It tries to pull it from the origin directly, increasing load on the origin server and bypassing any load balancing or caching systems.
So it wasn't a super sophisticated attack, yet it wasn't a very sophisticated attack.
It was sort of low level and with basic just attack techniques.
We noticed that the user agent string was also the same. It was the same user agent string across all IP addresses
that were attacking the system.
So that was another interesting tidbit that we noticed
that it was unique in that fashion too.
Usually they use different user agent strings and things like that.
REvil is not generally known for DDoS attacks. I mean, they're kind of famous
for being a ransomware-as-a-service organization. So did that throw into question the plausibility
of this being from them? We kind of question that because we don't know if they were attempting to
pivot into a different monetization method because typically, as you mentioned,
they use ransomware.
They're the ransomware as a service
and there's no ransomware present in this attack.
So we're not sure if they're trying a new model
of making money
or if there's actually someone,
a copycat attacker,
who is attempting to piggyback on their notoriety.
You know, folks are aware of REvil and they've been in the news and, you know, this adversary
could be attempting to use their publicity to threaten and intimidate the target. So we're
not exactly sure which one it is,
but it's definitely something of interest.
Kind of a Dread Pirate Roberts situation
where the name is important, right?
Right.
What about the messaging that you said
was in the headers themselves?
I mean, the specificity of that,
that strikes me as being interesting in itself.
Yes, it was.
The message was asking for compliance against a specific court order.
And it had something to do with a government court order.
And it was very political, which isn't like anything we've seen from REvil before.
So it was something that was not, it didn't seem like it was something that would be in their wheelhouse.
So again, we weren't sure if somebody was just attempting to use their notoriety to get their message across or get their demands met or what.
So it was still unclear.
What about the DDoSing itself?
I mean, what level of traffic are we talking about here?
We saw at peak it was about 15,000 requests per second,
which isn't super high.
It's not insignificant, but it's, you know,
the Meris botnet was producing way more traffic than that.
So this didn't seem like it was a full-bore capability of the Meris botnet.
This seemed like it was either somebody building on top of the vulnerable devices or, as I had mentioned earlier,
were using part of a botnet that they might have either purchased or possibly got permission to use.
We're not exactly sure, but it wasn't a big amount of attack traffic.
Well, how long did it last, and what sort of things did your customer do to parry against it?
The attack lasted about an hour,
and then there was a small burst of traffic after that attack that was less significant
than the first attack.
And then the attack disappeared,
and we didn't see any more traffic after that.
The customers, our systems,
the rate controls were handling it,
so because of the initial burst, our systems were able to just ignore the attack traffic
and the customer was able to say, hey, what's going on?
Why are we seeing this?
And they were able to further pivot and fix their or shore up their defenses in case another more intense attack occurred.
Where do we stand right now when it comes to being able to do that sort of thing,
to defend against these sorts of DDoS attacks?
Is it becoming almost routine to be able to have this not really have a great effect on organizations if they're properly prepared?
Yes. If organizations can prepare for this type of attack in advance, then they likely won't even notice the attack traffic. Unless they're checking their web traffic logs and things like that,
they probably won't even notice. So it's always a good idea to try and shore up your defenses before you
find out that you should have shored them up and then you get an attack and then suddenly your
origin server's down or your backend database is crashed because of so many connections to your
website. So what are your recommendations for organizations then to properly prepare themselves against the possibility of this sort of thing?
I would definitely look at having your, if your website, if you think you might be a target or you expect to be, you know, handling a lot of traffic, then look at, you know, content delivery networks such as Akamai or definitely have load balancing, traffic filtering, things like that.
You know, if you're only expecting inbound traffic on port 80 and 443 for web traffic,
then why would you allow UDP traffic on port 53 for DNS on your network? You know, it's making
sure that your systems are locked down and, you know,
the traffic that you're expecting
is allowed in
and anything unknown
or is odd
is automatically blocked
by your defense system.
Our thanks to Larry Cashdollar from Akamai for joining us.
The research is titled "REvil Resurgence? Or a Copycat?" We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester,
Brandon Karpf, Eliana White, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.