Extortion: How attackers double down on threats
Ransomware is one way cybercriminals can pull off an extortion attack, but attackers have a number of other tools in their arsenal to make their campaigns evermore costly for victims.
Cyber extortion definition
In this episode of Cyber Work Applied, Infosec Skills author John Wagnon walks us through a series of attempted extortion attacks against a group of financial institutions — and what we can learn from them.
Extortion: How attackers double down on threats | Free Cyber Work Applied series
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Cyber extortion examples
Below is the edited transcript of John’s cyber extortion walkthrough video.
What is cyber extortion?
(0:00- 0:35) You’ve just been breached or threatened with a cyberattack, and now comes a new demand: pay up or it’s only going to get worse. Extortion threats like these are not new. What is new is that they’ve become the norm rather than the exception for a number of cybercriminal groups.
I’m Infosec Skills author John Wagnon, and in this video, I’m going to walk through how extortion is being adopted by cybercriminals. I’m going to tell you a real-life story about a series of attempted extortion attacks against a group of financial institutions.
Cyber extortion examples
(0:36- 1:27) Cybercrime can be monetized in a variety of ways, but extorting victims directly is often the simplest and most scalable form of attack. Over the past few years, we’ve seen extortion being added to all types of attacks.
Even ransomware actors, which by their nature are extortionists, are now performing double extortion attacks. Pay up to regain access to your encrypted files and do it by a certain date, or we’ll also sell or publicly release all the stolen data.
And it’s not just organizations who are being extorted. Cybercriminals may contact individuals who’ve had sensitive data stolen and pose a similar threat. Pay me a fee, or I’ll release your stolen data to your family, friends and social networks. And when it’s health data, financial data or data from other thought to be private websites, these types of messages can be particularly effective.
DDoS extortion attacks
(1:28- 2:15) Sometimes cybercriminals attempt extortion with the threat of doing something in the future as is the case with some DDoS extortion attacks. Let me tell you about one such case involving a number of financial institutions.
Several financial institutions in the Asia Pacific received notes from an attacker group that was posing as a different, very well-known attacker group. The notes each told these companies to pay money or else they would launch attacks against them, and then they launched attacks — a scaled-down attack at several companies to prove their point.
The companies got very nervous, and some decided to pay while others decided to harden their defenses and stop the attack. Meanwhile, other financial companies who had not yet received these notes also got nervous because they might be next.
DDoS amplification attack example
(2:16- 3:17) The attackers used a botnet to launch amplification attacks against these victim websites. The peak volume was about 50 gigabits per second, which was large enough to consume the resources of these victims’ sites.
So the way that they launched these attacks is they used open DNS, NTP, CLDAP and SSDP and those types of servers on the internet that ride on the UDP protocol or the uniform datagram protocol, which is a connectionless-oriented protocol. That means the sender doesn’t establish a connection with the receiver; rather, the sender just sends the data and hopes that the receiver gets it.
But what this does is it opens the door for attackers to use that underlying protocol to launch DDoS amplification attacks, and in these cases use servers like DNS, NTP, CLDAP and SSDP.
How DDOos amplification works
(3:18- 4:08) What the attackers would do is find these open servers on the internet, and they would send small requests to the servers. They would spoof the sender’s IP address and make it look like the victim sites were the ones that were sending these requests. Then these vulnerable servers would then respond with the responses, but they would respond to the victim websites.
The net effect is that a flood of information hits these victim websites. They never asked for the information to begin with, but that’s the nature of how these attackers launched this attack.
When you have a botnet that has thousands or maybe even millions of computers all sending requests at the same time, and the responses to the request are very large, it saturates the bandwidth of these victim websites, and they just can’t keep up.
How to mitigate DDoS attacks
(4:09- 5:19) The mitigation for this was to block the UDP ports for those specific services at the edge firewalls. Another thing that these attackers use is an HTTPS GET flood. The nature of this portion of the attack was to have the same botnet hit a specific log-on URL and consume the ability for legitimate users to log in to that same URL.
Many companies used security features like rate limiting to limit the number of logons to that specific URL. In rate limiting, you essentially say to the edge security device, “Hey, you can only have this many attempts or users in a certain period of time.” That limits the attackers from being able to exploit that specific URL during a certain period of time.
So as the attack unfolded, the real attacker group found out about all this, and they didn’t like the fact that someone else was launching attacks using their name. So they pointed at the posing attacker group that was doing the attack, and they started attacking them, and they ended up shutting them down and stopping the attack.
Training with Infosec Skills
(5:20- 5:34) So you can see these attacks are serious. It’s important to understand how the attacks work and how you can mitigate them. Check out my Infosec Skills learning path for more information on common attacks and how you can protect against them.
More cybersecurity training resources
Want more free resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free cybersecurity training resources. Check out the latest free courses and resources to keep learning!