CERT-EE report: DDoS attacks, e-mail messages with forged sender address and defacements on 1-7 November 2013, aka #OpIndependence


Contents

Introduction
1. Chronology
2. Scope and impact of incidents
3. Attacks
4. Recommendations
5. Background information
Conclusions

Introduction

At the beginning of November 2013, attackers hiding behind the mask of Anonymous Ukraine ran a campaign called #OpIndependence, timed to coincide with a NATO exercise. The campaign comprised DDoS attacks, defacements and the sending of forged e-mail messages in several European countries.

The information systems of Estonian public institutions and businesses suffered no significant damage. The impact of the few hours of unavailability of the attacked websites was low. Recipients of the forged e-mail messages behaved responsibly. The defacement case that received the widest attention once more underlined the importance of applying security patches to software.

The conclusion drawn from the incidents is that additional technical and organisational measures must be considered, and not only by the institutions that were attacked. The lessons learned show the need to renew agreements and collaboration procedures between public institutions, and between customers and providers of hosting services.

1. Chronology

0) Prologue: at an unspecified time a number of web pages were defaced in Ukraine, on Russian compatriot portals and in Poland, and a DoS attack was carried out against the website of the European Investment Bank.

1) DoS attack against kaitseministeerium.ee (Ministry of Defence), 01.11.2013 at approximately 9.20

The website of the Ministry of Defence failed to respond to users' requests during the attack. A message about the DoS attack was published on Twitter shortly before ten o'clock. The posting referred to information published on Pastebin, and its author used the name Anonymous Ukraine to hide his/her identity. The attack combined mass generation of TCP SYN sessions with HTTP GET requests and lasted about 3 hours.

Activities: The attack was detected by the Ministry of Defence, which applied its regular protection measures and contacted CERT-EE. CERT-EE started collecting additional information and monitoring information channels. A back-up plan was prepared.

2) DoS attack against mil.ee (Defence Forces), 01.11.2013 at approximately 12.45

The website of the Defence Forces failed to respond to requests during the attack. As with the previous attack, the public was informed via Twitter twenty or thirty minutes after the attack started, again in a posting by Anonymous Ukraine. The attack again combined mass generation of TCP SYN sessions with HTTP GET requests and lasted about 3 hours.

Activities: The attack was detected by the Defence Forces, who contacted CERT-EE and their Internet service provider. Information was exchanged and a plan of action agreed.

3) Forged NATO CCD COE e-mail campaign, 04.11.2013 at approximately 12.00

Monday started with reports of strange e-mail messages seemingly sent from the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE). The messages informed recipients that their information systems did not conform to the cyber security requirements of NATO. The messages used misspelled English and an obsolete NATO CCD COE logo. Several header fields were forged, including the sender's address and the entries describing the sending servers. The IP address of the server that actually sent the messages (213.157.216.139, dvb35.srv.it.ge) is registered in Georgia.

Activities: CERT-EE detected the forged messages and collected information on their circulation in Estonia and elsewhere in Europe. Reassuring messages about the event were sent to the Estonian institutions that had received the e-mail. Around 150 messages were confirmed in Estonia; the actual number sent may be somewhat higher. Both the Latvian and Lithuanian CERTs confirmed circulation of the same messages in their countries. In co-operation with the Georgian CERT an attempt was made to gain access to the sending server; the attempt failed. It later turned out that reports about the attack had been sent to a foreign web publication from the same IP address.

The website of a Christian radio station in Latvia was defaced, using the same obsolete NATO CCD COE logo found in the forged e-mail messages. The same logo was also used on a defaced Ukrainian site.

4) DoS attack against ccdcoe.org, 07.11.2013 at approximately 12.20

The website of NATO CCD COE failed to respond to requests during the attack. The site is hosted by Zone Meedia OÜ, and the hosting provider was actively engaged in attack protection, information collection and information sharing throughout the attack.

Activities: The attack came in several waves. The first wave congested the site with HTTP GET requests, followed by mass ICMP requests. After effective protection measures were taken, the attackers changed tactics and switched to mass generation of TCP SYN sessions. These were also fended off, and normal operation of the website was restored at approximately 15.25.

5) Defacement of the Elron website, 07.11.2013 at 12.35

The defaced website distributed misleading information from 13:07. At 13:24 web publications reported that the website of the suburban rail operator Elron had been defaced. Investigation showed that modification of the published content had started at 12:35, after the site was visited from the Chilean IP address 200.73.13.22 (the defacer); this was the first visit from that address in November. The offender obtained administrator rights to the website because the content management software was missing security patches, and used those rights to delete information and to leave his/her own message in the news feed. The message, in broken Estonian ("Rongide liikluses Eestis on peatatud"), announced that rail traffic had been stopped in connection with the NATO exercise Steadfast Jazz 2013 then under way.

Activities: The unauthorised modification was detected by Elron. At 14.01 Elron replaced the page with a notice that the site was being updated and that timetables were available on peatus.ee. The website was restored from back-up on 08.11. Elron will replace its content management engine with a new and more secure one, and has agreed with its website administrator on a plan of action for similar situations in the future.

In brief:

1) 01.11.2013, 9.20 to 12.35: DoS attack against the kaitseministeerium.ee (MoD) website
2) 01.11.2013, 12.45 to 15.50: DoS attack against the mil.ee website
3) 04.11.2013, 12.00: forged NATO CCD COE e-mail messages
4) 07.11.2013, 12.20 to 15.25: DoS attack against the ccdcoe.org website
5) 07.11.2013, 12.43: defacement of the elron.ee website

2. Scope and impact of incidents

1) The kaitseministeerium.ee, mil.ee and ccdcoe.org websites did not respond to visitors' requests during the attacks.

2) Over 100 recipients in Estonian public institutions received e-mail messages with forged headers and a forged sender address (NATO CCD COE). The total number of such messages received in Estonia may have exceeded 150.

3) Latvian, Lithuanian and Polish recipients also received these e-mail messages.

4) The Elron website was broken into and its news feed entries modified to spread misleading information about rail traffic being stopped because of a NATO exercise. The incident was uncovered quickly and the owner of the website was able to respond relatively rapidly. Latvian and Ukrainian websites were also broken into. None of the successfully attacked websites contained sensitive information, but the success of this method draws attention to certain shortcomings.

5) Staff of the attacked institutions were occupied with attack protection and notification activities.

6) Information about the attacks reached both the Estonian and the international media. The published information was somewhat misleading, as it did not distinguish between the different kinds of attack (DoS attacks versus break-ins to websites), and the forged information (for example the forged header lines in the e-mail messages) left room for misinterpretation.

3. Attacks

All three DoS attacks (kaitseministeerium.ee, mil.ee and ccdcoe.org) were distributed denial of service attacks. As the traffic originated from thousands of IP addresses, rented botnets were most likely used; the rental period appears to have been around 3 hours in each case.

Attack methods and attackers: ICMP floods and TCP SYN floods to port 80, combined with HTTP GET requests, were mostly used. There is no sign of slow, long-held HTTP session techniques having been used. Because the source IP address can be forged in ICMP floods and SYN floods, only the addresses that sent HTTP GET requests (which require a completed TCP handshake) were analysed. 312 IP addresses appeared in all three attacks. The botnet addresses mostly originated from Kazakhstan, Kenya and Thailand.

In the defacement cases, websites running unpatched content management software were broken into, in Estonia and elsewhere.

4. Recommendations

For institutions:

1) Review your information asset inventory and the technical platforms of the nodes most likely to be attacked, and consider changes that minimise the impact of attacks on essential services.

2) Define and/or check the procedures for communicating about DoS attacks and for switching to back-up solutions between the owner of the website and the hosting and/or Internet service provider.

3) Implement an information security management framework suited to your institution.

For Estonia as a whole:

1) Promote the deployment of SPF (Sender Policy Framework, a mechanism by which a domain publishes which mail servers are authorised to send e-mail for it) on mail servers and in Estonian Internet domains.

2) Explain even more intensively the need to keep software updated. Consider applying sanctions to the owners of systems that have not been updated for a long time.

3) Use the lessons learned from these attacks when planning exercises.

4) Ensure that the number and skills of the professionals responsible for an institution's information systems match how much the institution's or business's work depends on those systems.

5. Background information

The NATO collective exercise Steadfast Jazz 2013 was conducted in Europe from 2 to 9 November 2013, with 6000 servicemen from 18 member states taking part; Ukrainian servicemen also participated. At the same time Ukraine and the European Union were preparing to sign an association agreement. During the #OpIndependence campaign incidents also occurred in other European countries taking part in the NATO exercise and supporting closer relations between Ukraine and the European Union.

The attacks on the websites of the Estonian Ministry of Defence and Defence Forces were preceded by the defacement of Polish websites and of a Russian compatriot portal in Ukraine, and by a DoS attack on the website of the European Investment Bank. The forged NATO CCD COE e-mail messages were also received in Latvia, Lithuania and Poland, and on the same day the website of a Latvian Christian radio station and several Ukrainian government websites were broken into and a similar forged message announcing a NATO audit was posted on them.
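Section 3 notes that only the addresses that sent HTTP GET requests were analysed, because the sources of ICMP and SYN floods can be spoofed, and that 312 addresses recurred in all three attacks. The Python script below is an added worked example of that kind of analysis; it is not CERT-EE's own tooling and is not part of the original report. It reads web server access logs for the three attacked sites, keeps only logged HTTP GET requests (which are only written after the TCP handshake has completed), intersects the source addresses across the sites, and attributes the shared addresses to countries. The log lines, the address ranges (documentation ranges) and the prefix-to-country table are constructed for the example; the table stands in for the GeoIP database lookup a real analysis would use.

```python
"""Intersect HTTP GET sources across several DDoS-attack access logs (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access logs (combined log format), one per attacked site.
# These are NOT the real CERT-EE logs; the addresses are from documentation ranges.
LOGS = {
    "kaitseministeerium.ee": """\
192.0.2.10 - - [01/Nov/2013:09:21:03 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.11 - - [01/Nov/2013:09:21:03 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Nov/2013:09:21:04 +0200] "GET /index.php HTTP/1.0" 200 5123 "-" "-"
203.0.113.5 - - [01/Nov/2013:09:21:04 +0200] "GET / HTTP/1.1" 503 0 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Nov/2013:09:21:05 +0200] "GET / HTTP/1.1" 503 0 "-" "Mozilla/4.0"
192.0.2.200 - - [01/Nov/2013:09:21:06 +0200] "GET /en HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
""",
    "mil.ee": """\
192.0.2.10 - - [01/Nov/2013:12:46:10 +0200] "GET / HTTP/1.1" 200 4411 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Nov/2013:12:46:10 +0200] "GET / HTTP/1.0" 200 4411 "-" "-"
192.0.2.11 - - [01/Nov/2013:12:46:11 +0200] "GET / HTTP/1.1" 503 0 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Nov/2013:12:46:11 +0200] "GET / HTTP/1.1" 503 0 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Nov/2013:12:46:12 +0200] "HEAD / HTTP/1.0" 200 0 "-" "-"
""",
    "ccdcoe.org": """\
192.0.2.11 - - [07/Nov/2013:12:21:30 +0200] "GET / HTTP/1.1" 200 7001 "-" "Mozilla/4.0"
192.0.2.10 - - [07/Nov/2013:12:21:30 +0200] "GET / HTTP/1.1" 200 7001 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Nov/2013:12:21:31 +0200] "GET /index.php HTTP/1.0" 503 0 "-" "-"
203.0.113.9 - - [07/Nov/2013:12:21:31 +0200] "GET / HTTP/1.1" 503 0 "-" "Mozilla/4.0"
""",
}

# Constructed prefix-to-country table standing in for a GeoIP database lookup.
GEO_TABLE = {
    "192.0.2.0/24": "KZ",
    "198.51.100.0/24": "KE",
    "203.0.113.0/24": "TH",
}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_sources(log_text, method="GET"):
    """Count requests per source IP, keeping only the given HTTP method.

    An HTTP request is only logged after the TCP handshake has completed, so
    unlike the sources of SYN or ICMP floods these addresses cannot be spoofed.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("method") == method:
            counts[m.group("ip")] += 1
    return counts


def common_sources(logs):
    """Return the source IPs that sent HTTP GET requests to every site in `logs`."""
    per_site = [set(parse_sources(text)) for text in logs.values()]
    return set.intersection(*per_site) if per_site else set()


def country_of(ip, table=GEO_TABLE):
    """Look the address up in the prefix table; '??' when no prefix matches."""
    addr = ip_address(ip)
    for prefix, country in table.items():
        if addr in ip_network(prefix):
            return country
    return "??"


def country_breakdown(ips, table=GEO_TABLE):
    """Count how many of the given IPs fall in each country of the table."""
    return dict(Counter(country_of(ip, table) for ip in ips))


if __name__ == "__main__":
    shared = common_sources(LOGS)
    print(f"{len(shared)} source addresses appear in all {len(LOGS)} attacks:")
    for ip in sorted(shared, key=ip_address):
        print(f"  {ip}  ({country_of(ip)})")
    print("by country:", country_breakdown(shared))
```

On the constructed logs three addresses recur across all three sites; the legitimate one-off visitor 192.0.2.200 and the site-specific bots drop out of the intersection, and the HEAD request is ignored because only GET requests are counted. With real logs the same script is run against the full access logs of the attack windows, and the country table is replaced by a GeoIP lookup.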
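Chronology item 3 describes e-mail in which the sender address and the entries describing the sending servers were forged, while the address of the server that actually connected was still visible to the receiving mail server; recommendation 1 for Estonia proposes SPF as a remedy. The Python script below is an added example, not CERT-EE's code or that of any vendor, showing both halves of that check: it takes the connecting IP from the Received: line written by the recipient's own mail server (the only hop that can be trusted) and evaluates it against the SPF policy of the claimed sender domain. The message, the receiving host mx.example.ee, the addresses (documentation ranges) and the SPF record are all constructed; the SPF_RECORDS dictionary stands in for the DNS TXT lookup a real checker performs, and only the ip4, ip6 and all mechanisms are implemented.

```python
"""Find the real sending host of a forged e-mail and check it against SPF (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed message modelled on the forged NATO CCD COE e-mail. The From:, Return-Path:
# and the lower Received: line were under the sender's control and are forged here; the top
# Received: line was written by the recipient's own mail server (mx.example.ee, constructed)
# and records the address that actually connected to it.
RAW_MESSAGE = """\
Return-Path: <audit@ccdcoe.org>
Received: from mail.ccdcoe.org (mail.ccdcoe.org [203.0.113.77])
\tby mx.example.ee (Postfix) with ESMTP id 4B2F1C0A
\tfor <it@example.ee>; Mon, 04 Nov 2013 12:02:11 +0200
Received: from ccdcoe.org (localhost [127.0.0.1])
\tby mail.ccdcoe.org (Postfix) with ESMTP id 1F3A9B
\tfor <it@example.ee>; Mon, 04 Nov 2013 12:01:55 +0200
From: NATO CCD COE <audit@ccdcoe.org>
To: it@example.ee
Subject: Cyber security audit notification

Your informations systems is not conform with NATO cyber security requirements.
"""

# Constructed stand-in for the DNS TXT lookup of the sender domain's SPF record.
SPF_RECORDS = {
    "ccdcoe.org": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECEIVED_IP = re.compile(r"from\s+\S+\s+\([^)]*?\[([0-9a-fA-F:.]+)\]")


def connecting_ip(raw_message):
    """Return the IP that connected to our mail server, taken from the first Received: line.

    Received: headers are prepended by each hop, so the first one is the newest and was
    written by our own server; every line below it arrived with the message and may be forged.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received: header")
    m = RECEIVED_IP.search(received[0])
    if not m:
        raise ValueError("cannot find connecting address in: " + received[0])
    return m.group(1)


def claimed_sender_domain(raw_message):
    """Domain of the envelope sender (Return-Path), falling back to the From: header."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("Return-Path") or msg.get("From") or "")
    if "@" not in address:
        raise ValueError("no usable sender address")
    return address.rsplit("@", 1)[1].lower()


def spf_check(domain, ip, records=SPF_RECORDS):
    """Minimal SPF evaluation: ip4/ip6/all mechanisms only (no a, mx, include or redirect).

    Returns pass, fail, softfail, neutral or none, using the RFC 7208 result names.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        # other mechanisms need DNS; treated as no match in this offline example
    return "neutral"


def analyse(raw_message):
    """Combine the three steps: trusted hop, claimed domain, SPF verdict."""
    ip = connecting_ip(raw_message)
    domain = claimed_sender_domain(raw_message)
    return {"claimed_domain": domain, "connecting_ip": ip, "spf": spf_check(domain, ip)}


if __name__ == "__main__":
    result = analyse(RAW_MESSAGE)
    print(f"claimed sender domain : {result['claimed_domain']}")
    print(f"actual connecting host: {result['connecting_ip']}")
    print(f"SPF result            : {result['spf']}")
```

Run against the constructed message, the forged lower Received: line and the From: header are ignored; the trusted hop shows 203.0.113.77 connecting, which the ccdcoe.org policy does not authorise, so the result is fail. In production the check is done by the receiving MTA at SMTP time against the envelope MAIL FROM (the Return-Path), with the a, mx and include mechanisms resolved over DNS; the example deliberately avoids network access. SPF only tells the recipient that the claimed domain did not authorise that host, so the policy needs a strict -all and a receiving side that acts on fail for it to stop this kind of forgery.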

Conclusions

The attacks carried out during #OpIndependence in 2013 were not complex and their impact was low. They were, however, carried out in a planned manner, probably using rented botnets. The attackers' basic objective was to gain public attention, and that objective was achieved. Although no serious damage was caused, #OpIndependence once again demonstrates the utmost importance of keeping software updated and of having proper recovery plans in place for all kinds of information systems, including websites. To ensure that recovery plans work smoothly when needed, their execution must be practised from time to time.