In January, Incapsula released analysis showing how infected webservers were being used in order to elevate broader attacks, such as DDoS campaigns, which we have recently witnessed targeting the banking industry.
Today, ThreatPost released an article discussing the recent rise of DDoS against US Banks. Some banks were reported to suffer service disruption ( via sitedown ). This follows a warning issued by the Qassam Cyber Fighters hacktivist group, claiming it will disrupt US Banks operations as part of “Operation Ababil.”
Denial of Service (DoS) attacks are technical attacks that are focused on consuming the resources of a server/service, which prevents it from serving more legitimate users of that specific service. This is done either by consuming the available network bandwidth, or in the application age, by consuming the actual application resources. These attacks usually require many machines addressing the service in the same time to generate the load.
The Web Threat Angle
In the industrialized hacking age, where Hactivism has become talk of the day, hackers build botnets in order to coordinate such an attack from many computers. however, one of the easier way to create an effective bot-net, is by infecting a webserver instead of its users. this is due to the fact that althgough the infection effort may be the same, the actual attack requires far less machines due to the nature of webservers having a very large network pipe compared to normal users.
Now we are seeing itsoknoproblembro, which is one of the tools most used in the recent DDoS attacks against the US Banking industry, some peaking at 70 Gbps.
This tool is distributed mostly via a Remote File Inclusion (RFI) attack, planting a PHP worm on the server by including remote code, infecting the web server and adding it as a zombie to the bot-net. An RFI attack .
What does this teach us?
There are two problems that need to be dealt with here. One is the problem that the banks now deal with: the DDoS attacks themselves. The other is the infection vector of the malware via webservers.
The RFI vulnerability is the starting point that allows hackers to build the bot-net that eventually generates the DDoS attack. Since alongside spear-phishing, it enables one of the biggest ways for hackers to use web vulnerabilities to infect users/servers (webservers in this case) with DDoS-specific.
Interestingly enough, companies protected by Web Application Firewalls are capable of protecting themselves against RFI attacks and should be safe against this kind of infection, and from becoming an aid in the hands of hackers. And even though they do not suffer from the DDoS attack itself, by becoming the attacker machine, they suffer from bandwidth loss just as much, and of course a raputation risk.