CERT- EE report: DDoS attacks, e- mail messages with forged sender address and defacements on 1-7 November 2013, aka #OpIndependence

Transcription

1 CERT- EE report: DDoS attacks, e- mail messages with forged sender address and defacements on 1-7 November 2013, aka #OpIndependence Introduction Chronology Scope and impact of incidents Attacks Recommendations Background information... 4 Conclusions... 4 Introduction At the beginning of November 2013 attackers hiding behind the mask of Anonymous Ukraine arranged a campaign called #OpIndependence at the same time as a NATO exercise. The attacks included DDoS attacks, defacements and the sending of forged messages in several European countries. The information systems of Estonian public institutions and businesses suffered no significant damage due to the attacks. The impact of the few hours of unavailability of the websites attacked was low. Recipients of the forged messages behaved responsively. The defacement case receiving wider attention once more stressed the importance of applying security patches to software. The conclusion drawn from the incidents is that implementing additional technical and organisational means must be considered, and not only by the institutions attacked. The lessons learned due to the incidents prove the need to renew agreements and collaboration procedures between public institutions and between recipients and providers of hosting services. 1. Chronology 0) Prologue: at an unspecified time a number of webpages were defaced in Ukraine, Russian compatriot portals and Poland, and a DoS attack against the European Investment Bank site was carried out. 1) A DoS attack against the kaitseministeerium.ee (Ministry of Defence) website was launched on at approximately The website of the Ministry of Defence failed to respond to the users requests during the attack. A message about the DoS attack was published on Twitter slightly before ten o clock. The posting referred to the information published on Pastebin, and the author of the posting used the name Anonymous Ukraine to hide his/her identity. Mass generation of TCP SYN sessions and HTTP GET requests were used during the attack, which lasted about 3 hours. 1

2 Activities The attack was detected by the Ministry of Defence, which implemented regular protection activities and contacted CERT-EE. CERT-EE started collecting additional information and monitoring information channels. A back-up plan was prepared. 2) A DoS attack against the mil.ee website was launched on at approximately The website of the Defence Forces failed to respond to the requests during the attack. Similarly to the previous attack the public was informed of it via Twitter twenty or thirty minutes after the attack started. Anonymous Ukraine was again the author of the posting. Mass generation of TCP SYN sessions and HTTP GET requests were used for the attack, similarly to the previous attack. The attack lasted about 3 hours. Activities The attack was detected by the Defence Forces, who contacted CERT-EE and their Internet service provider. Information was exchanged and a subsequent plan of action decided upon. 3) NATO CCD COE message campaign on at approximately Monday started with reports of strange messages seemingly sent from the NATO cyber security centre (NATO CCD COE). The messages informed the recipients that their information systems did not conform to the cyber security requirements of NATO. Misspelled English and obsolete NATO CCD COE logo were used in the messages. Several message header entries were forged in the messages, including the sender s address and sending server entries. The IP address (dvb35.srv.it.ge, ) of the server actually sending the messages refers to Georgia. Activities CERT-EE detected the sending of forged messages and collected information concerning circulation of these messages in Estonia and Europe. Reassuring messages about the event were distributed to Estonian institutions receiving the message. Distribution of around 150 messages was confirmed in Estonia; the actual number sent could be somewhat higher. Both Latvian and Lithuanian CERTs confirmed circulation of such messages in their countries. An attempt was made in co-operation with the Georgian CERT to access the server sending the messages. This attempt failed. Some time later it turned out reports about the attack had been sent to a foreign web publication from this IP address. The website of a Christian radio station was defaced in Latvia. The obsolete NATO CCD COE logo found in the forged messages was used on the site. The same logo was also used on a defaced Ukrainian site. 4) A DoS attack against ccdcoe.org was launched on at approximately The website of NATO CCD COE failed to respond to the requests during the attack. The NATO CCD COE website is hosted by Zone Meedia OÜ, the hosting service provider engaged in active attack protection, information collection and distribution activities throughout the attack. Activities The attack was carried out in several waves. The first wave involved congesting traffic with HTTP GET requests, followed by mass ICMP requests. After effective protection measures were taken the attackers changed their tactics and started using mass generation of TCP SYN sessions. These 2

3 were also fended off using effective protection measures, and the normal operation of the website was restored at approximately ) Defacement of Elron website on at The defaced website distributed misleading information starting from 13:07. At 13:24 web publications published reports on the website of the suburban rail services operator Elron being defaced. When investigating the case it turned out that modification of the information published on the website had started at 12:35 after the website was visited from a Chilean IP address (the defacer). The website was visited from this IP address for the first time in November. The offender obtained administrator rights to the website due to content management software missing security patches. He/she used the obtained rights to delete information and leave his/her own message in the newsfeed. The message used broken Estonian ( Rongide liikluses Eestis on peatatud ) and announced that rail traffic has been stopped in connection with the NATO Steadfast Jazz 2013 exercise proceeding at the same time. Activities Unauthorised modification of the website was detected by Elron. Elron modified their webpage at 14.01, leaving a message about the webpage being updated, and the timetables being available on the peatus.ee website. The website was restored from back-up on Elron will replace their website content engine with a new and more secure one. Elron has also agreed with their website administrator on a plan of action to be applied in similar situations in the future. In brief: 1) 2) 3) 4) 5) from 9.20 to DoS attack against kaitseministeerium.ee (MoD) website from to DoS attack against mil.ee website at forged NATO CCD COE messages from to DoS attack against ccdcoe.org website at defacement of elron.ee website 2. Scope and impact of incidents 1) The kaitseministeerium.ee, mil.ee and ccdcoe.org websites did not respond to visitors requests during the attacks. 2) Over 100 recipients in the public ins 3) titutions of Estonia received messages with forged headers and sender s addresses (NATO CCD COE). The total number of such messages received in Estonia may have exceeded 150. Latvian, Lithuanian and Polish recipients also received these messages. 4) The Elron webpage was broken into and its newsfeed entries modified to distribute misleading information about rail traffic being stopped due to a NATO exercise. This incident was uncovered quickly and the owner of the website was able to respond to the incident relatively rapidly. Latvian and Ukrainian websites were also broken into. None of the websites that were successfully attacked contained sensitive information, but successful exploitation of this method draws attention to certain shortcomings. 5) The employees of the institutions attacked were busy with attack protection and notification activities. 6) Information about the attack reached both the Estonian and international media. The information published was somewhat misleading as it did not distinguish between the attacks (DoS attacks vs break-ins to websites), while forging information (for example forged header rows in the messages) provided room for misinterpretation. 3

4 3. Attacks Distributed denial of service attacks was used in the case of all DoS attacks (kaitseministeerium.ee, mil.ee and ccdcoe.org). As the attacks originated from thousands of IP addresses, rented robot networks or botnets were likely used for the attack, whose period of use seems to be around 3 hours for all of the attacks. Attack methods and attackers ICMP DoS attack and SYN flood over TCP to port 80, combined with HTTP GET requests were mostly used. There is no sign of protracted HTTP session technologies having been used. The sender s IP address can be forged for ICMP DoS attacks and SYN floods, therefore only those having sent HTTP GET requests have been analysed. 312 IP addresses coincided for all three attacks. The robot network IP addresses mostly originated from Kazakhstan, Kenya and Thailand. In the case of defacement, websites using unsecured content management software were broken into in Estonia and elsewhere. 4. Recommendations For institutions 1) Review your information asset mapping and the technical platforms of nodes likely to be attacked and consider making changes to minimise the impact of attacks on essential services. 2) Specify and/or check procedures for DoS attack communication and applying back-up solutions between the owner of the website and the hosting and/or Internet service provider. 3) Implement an information security management framework suitable for your institution. In Estonia as a whole 1) Propagate implementing SPF (Sender Policy Framework framework for verifying the sender of ) in mail servers and our Internet domains. 2) Engage even more intensively in explaining the need to update software. Consider applying sanctions to owners of systems not updated for a long time. 3) Use the lessons learned from the attacks when arranging exercises. 4) Ensure the number of professionals responsible for institutions information systems and that their skills are in accordance with how much the work of the institution/business depends on these information systems. 5. Background information Collective exercise Steadfast Jazz 2013 was conducted in Europe by NATO from 2 to 9 November 2013, with 6000 servicemen from 18 Member States participating. Ukrainian servicemen were also taking part. Ukraine and the European Union were getting ready to sign an association agreement at the same time. During the #OpIndependence campaign incidents also occurred in other European countries participating in the NATO exercise and supporting closer relations between Ukraine and the European Union. Attacks on the websites of the Estonian Ministry of Defence and Defence Forces were preceded by the defacement of Polish websites and the Russian compatriot portal in Ukraine, as well a DoS attack on the website of the European Investment Bank. Forged messages from NATO CCD COE were also received in Latvia, Lithuania and Poland, while the website of a Latvian Christian radio station and several websites of the Ukrainian government were broken into on the same day and a similar forged message announcing a NATO audit was posted. Conclusions 4

5 The attacks performed during the #op event of 2013 were not complex and their impact was low. The attacks were, however, performed in a planned manner, probably using rented robot networks. The basic objective of the attackers was to gain public attention. This objective was achieved. Although no serious damage was caused during the incidents, #opindependence proves the utmost importance of having updated software and proper recovery plans in place for all kinds of information systems, including websites. To ensure the smooth application of recovery plans, implementation of the plans must be practised from time to time. 5