Authorities may be one step closer to uncovering the mechanisms behind the spate of Distributed Denial of Service (DDoS) attacks plaguing the websites of major U.S. financial institutions which began in mid-September of last year. Researchers from Incapsula, a cloud-based website enhancement service, discovered that a recently contracted client’s server may have been part of a botnet-for-hire used in DDoS attacks against at least three of the nearly one-dozen banks being targeted by the extremist group Izz ad-Din al-Qassam Cyber Fighters in what has been dubbed Operation Ababil.
The client, which maintained a seemingly innocuous website in the United Kingdom, first drew the attention of the company's security team when they noticed an unusually high volume of requests to the site, each carrying an encoded PHP payload.
“A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot – an unwilling foot soldier in a DDoS army,” wrote Incapsula's Ronen Atias. “The backdoor was instructed to launch HTTP and UDP flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank.”
Atias says his company's service was able to immediately block the instructions issued by the botnet's command and control (C&C) server, which was traced to a Turkish website design company, and that they believe the attempted attack was of a magnitude capable of interrupting an “average medium-sized website.”
After further investigation, the team was able to determine that the compromised U.K. website was likely hacked because the site administrator had used extremely weak authentication credentials – specifically the username and password combination admin / admin.
Analysis of the intercepted C&C commands revealed that the attacks ran on a set schedule in limited windows, from as little as seven minutes to as long as one hour, and that the compromised server was also instructed to shift targets and “attack unrelated commercial and e-commerce sites.” Short, scheduled attack windows against a changing set of unrelated targets led the team to conclude that the operation was renting capacity from a botnet-for-hire, a form of Crime-as-a-Service (CaaS).
“The use of a Web Site as a Botnet zombie for hire did not surprise us. After all, this is just a part of a growing trend we’re seeing in our DDoS prevention work,” Atias said.
The analysis also revealed that the backdoor exposed a small application programming interface (API) built on the website's own PHP, an open source server-side scripting language: rather than carrying a fixed attack routine, the backdoor accepted the attack logic itself as encoded PHP in each request and executed it, letting the operators “inject dynamic attack code” and alter it at will to counter any adjustments made on the compromised server. They also found that the PHP attack code could replicate itself, allowing the attackers to draw on the full capacity of the server in the course of an attack.
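The request pattern described above (a parameter whose value is base64 that decodes to PHP, sent to a backdoor that runs it) can be picked out of web-server traffic before the code executes. The following Python is an added example written for this page; it is not Incapsula's detection logic and not the backdoor's code. The request samples, parameter names (`cmd`, `x`) and payload bodies are constructed for illustration, and the target addresses are documentation ranges.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Constructed payloads standing in for the kind of attack code the article
# describes: one UDP flood, one HTTP flood. Addresses are documentation ranges.
UDP_FLOOD_PHP = (b'$s=fsockopen("udp://203.0.113.10",80,$e,$es,5);'
                 b'for($i=0;$i<$n;$i++){fwrite($s,str_repeat("X",65000));}')
HTTP_FLOOD_PHP = b'while(time()<$end){file_get_contents("http://198.51.100.7/");}'


def _b64_param(raw):
    """Base64-encode, then URL-encode, the way a client would actually send it."""
    return quote(base64.b64encode(raw).decode(), safe="")


# Constructed request samples: (method, path, body). Parameter names are assumptions.
SAMPLE_REQUESTS = [
    ("POST", "/contact.php", "name=alice&msg=hello+world"),          # benign form
    ("POST", "/images/cache.php", "cmd=" + _b64_param(UDP_FLOOD_PHP)),  # backdoor, UDP
    ("GET", "/index.php?x=" + _b64_param(HTTP_FLOOD_PHP), ""),          # backdoor, HTTP
    ("POST", "/upload.php", "data=" + _b64_param(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40)),  # binary blob
    ("POST", "/comment.php", "note=" + _b64_param(b"Just a harmless base64 note with no code at all")),
]

B64_SHAPE = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")
# A '$var' or a call to a function typical of eval()-fed attack code.
PHP_MARKERS = re.compile(
    r"\$[A-Za-z_]\w*|\b(?:eval|fsockopen|file_get_contents|curl_init|fopen|fwrite|str_repeat|exec|system)\s*\("
)
UDP_HINT = re.compile(r"fsockopen\s*\(\s*['\"]udp://")
HTTP_HINT = re.compile(r"(?:file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://")


def decode_if_base64(value):
    """Return the decoded text if value is base64 of UTF-8 text, else None."""
    if not B64_SHAPE.match(value):
        return None
    std = value.replace("-", "+").replace("_", "/")   # accept the URL-safe alphabet too
    std += "=" * (-len(std) % 4)                      # repair stripped padding
    try:
        return base64.b64decode(std, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):          # not base64, or binary (e.g. an image)
        return None


def php_flood_type(code):
    """Classify decoded text: 'udp', 'http' or 'other' if it looks like PHP, else None."""
    if len(PHP_MARKERS.findall(code)) < 2:            # plain prose that happens to be base64
        return None
    if UDP_HINT.search(code):
        return "udp"
    if HTTP_HINT.search(code):
        return "http"
    return "other"


def request_params(method, path, body):
    """Merge query-string and POST-body parameters into one name -> values map."""
    params = parse_qs(path.partition("?")[2], keep_blank_values=True)
    if method == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def scan(requests):
    """Return one finding per parameter that carries encoded PHP attack code."""
    findings = []
    for method, path, body in requests:
        for name, values in request_params(method, path, body).items():
            for value in values:
                code = decode_if_base64(value)
                kind = php_flood_type(code) if code is not None else None
                if kind:
                    findings.append({"path": path.partition("?")[0], "param": name,
                                     "flood": kind, "code": code[:60]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['path']} param={f['param']} flood={f['flood']} code={f['code']!r}")
```

The two-stage check matters: base64 alone is common in legitimate traffic (uploads, tokens), so the decoded value is only flagged when it also reads as PHP. Run against real access logs the same logic would sit in a WAF rule or a log-parsing job, and the flood classification tells the responder which sockets to expect the bot to open if the payload did run.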
“This is just another demonstration of how security on the internet is always determined by the weakest link. Simply neglecting to manage an administrative password on a small site in the UK can very quickly be exploited by botnet shepherds operating obscurely out of Turkey to hurl large amounts of traffic at American banks. This is a good example of how we are all just a part of a shared ecosystem where website security should be a shared goal and a shared responsibility,” Atias noted.