Medow SoFt HD Opinion - Cyber Security
Romania under combined cyber attack (02.05.2022)
Description of events
It all starts with an announcement by the DNSC (the Romanian National Directorate of Cyber Security, on its website dnsc.ro) that a DDoS (Distributed Denial of Service) attack has affected the websites of several public institutions (the Government of Romania – gov.ro, the Ministry of Defense – mapn.ro, the Border Police – politiadefrontiera.ro, the Romanian Railways – cfrcalatori.ro) and private (banking) organizations in Romania.
At first sight, this attack aimed to affect the online availability of these institutions and organizations by overloading their servers, which would then suffer degraded functionality or be blocked outright.
According to Romania's main intelligence service (SRI), the DDoS attack started at 4:00 AM local time and came from network equipment located abroad that had been compromised by exploiting cyber security vulnerabilities, or rather the lack of cyber security measures (according to the expertise of the National Cyberint Center within the SRI). Around 11:00, things apparently returned to normal.
The attack targeted web applications (OSI layer 7, the Application Layer, the hardest layer to defend) and was not particularly powerful.
The cyberattack was claimed by the pro-Russian eastern group KILLNET (through a Telegram channel, a social media platform), which has also launched cyber-attacks on the websites of institutions in states such as the USA, Germany, Estonia, Poland and the Czech Republic, on NATO websites and, obviously, on Ukraine (as announced as early as 28.04.2022 by CERT-UA, the Computer Emergency Response Team of Ukraine).
The justification for the attacks is the support that the affected countries have given Ukraine in the military conflict with the Russian Federation, pointing, in the case of Romania (but also of entities from other states), to political statements or a strong position in favor of Ukraine.
In March, a similar DDoS campaign was conducted using the same script, but against a smaller set of pro-Ukrainian websites, as well as against Russian targets, without the attack being claimed by anyone.
So, a malicious script planted on compromised WordPress sites is used, which turns visitors' browsers into participants in DDoS attacks. The targeted websites included Ukrainian government agencies, think tanks, recruitment sites for the International Defense Legion of Ukraine, financial sites, and other pro-Ukrainian websites.
The JavaScript code of that time (tracked as BrownFlood), when loaded, forced the visitor's browser to make HTTP GET requests to a list of sites embedded in the script, without exceeding 1,000 simultaneous connections. Thus, the DDoS attacks run in the background without the user noticing anything other than a slowdown of their browser.
Moreover, each request to the targeted websites uses a random query string, so that the request is not served from a cache; it therefore avoids detection and cataloging/blocking and is received directly by the attacked server.
Avast detected the same
script on compromised websites as early as March 7.
In its further evolution, on 30.04.2022 the DDoS attack brought down the website of the DNSC, which on 01.05.2022 announced the continuation of the Killnet group's cyber attacks. There has now also been a diversification of the attacks, using new methods aimed at infecting the computer systems of organizations already hit by DDoS with ransomware; the techniques used by the attackers include spear-phishing and spoofing.
The attackers send messages via email, WhatsApp, Signal, Telegram, Messenger, Slack, etc., tricking potential victims into carrying out actions that allow the attackers to take control of their computer devices. To increase the effect of the deception, the attackers also intend to use spoofed email addresses or user accounts that appear to belong to public institutions or known organizations.
Detection
In the case of phishing and spear-phishing, social engineering techniques have improved greatly, and statistics confirm that many victims fall for them. That is why, for most people, there are only a few recommendations (the real cyber measures will be presented in the following material): phishing and spear-phishing messages appear as urgent requests, even from the authorities; they are strangely formulated, even with errors of expression; they appear to come from a "trusted" source or person; they include links or attachments that were not requested; and they require the provision of login data, account credentials, etc.
As for detecting the sources of DoS and DDoS, detection is technically quite possible: the owners of the compromised sites that have become part of the botnet carrying out the attack can be informed, as can registrars and website hosting providers. There are even instructions on how to detect and remove the JavaScript from these sites.
In general, traffic analysis tools can reveal signs such as: suspicious amounts of traffic coming from a single IP address or IP range; a flow of traffic from users who share a single behavioral profile, such as device type, geographical location, or web browser version; an unexplained increase in requests to a single page or endpoint; strange traffic patterns such as peaks at odd times of the day, or patterns that appear unnatural (for example, an increase every 10 minutes); and others (there are further signs, but these vary depending on the attack).
Prevention and response
There is no way to completely avoid a DoS or DDoS attack, but there are some proactive measures that network administrators can deploy to reduce the effects of such an attack: implementing a DoS/DDoS protection service (which detects abnormal traffic and redirects it), and drawing up a disaster plan to ensure effective communication, mitigation, and recovery in the context of a DDoS attack (?!?).
An example would be:
"To detect the similarly mentioned abnormal activity in
the web server log files, you should pay attention to
the events with the response code 404 and, if they are
abnormal, correlate them with the values of the HTTP
Referrer header, which will contain the address of the
web resource where a request was initiated."
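As an added example (not from the original article, nor from the DNSC or CERT material it quotes), the checks below run the signs listed under Detection and the 404/Referer correlation quoted above over web server log lines in the common "combined" format. The log lines, IP addresses and host names are constructed for the example; the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines (hypothetical addresses and hosts from documentation ranges):
# five browser-driven hits from two IPs, each with a unique query string and the same
# Referer (the compromised site that served the script), plus two ordinary requests.
SAMPLE = [
    '203.0.113.5 - - [02/May/2022:04:01:10 +0300] "GET /?q=a3f9c1 HTTP/1.1" 404 0 "https://hacked-blog.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [02/May/2022:04:01:11 +0300] "GET /?q=b71e22 HTTP/1.1" 404 0 "https://hacked-blog.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [02/May/2022:04:01:12 +0300] "GET /?q=ff01aa HTTP/1.1" 404 0 "https://hacked-blog.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [02/May/2022:04:01:12 +0300] "GET /?q=9c0d4e HTTP/1.1" 404 0 "https://hacked-blog.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [02/May/2022:04:01:13 +0300] "GET /?q=5d1a77 HTTP/1.1" 404 0 "https://hacked-blog.example/" "Mozilla/5.0"',
    '192.0.2.20 - - [02/May/2022:04:02:00 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [02/May/2022:04:02:01 +0300] "GET /style.css HTTP/1.1" 200 812 "https://www.example/index.html" "Mozilla/5.0"',
]

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(lines, min_hits=3):
    """Flag three signs from the text: 404 bursts grouped by Referer (pointing at the
    site hosting the script), single IPs sending unusual volume, and paths hit with
    ever-changing query strings (the cache-busting behaviour described above)."""
    ref_404, by_ip = Counter(), Counter()
    hits, queries = Counter(), defaultdict(set)
    for e in parse(lines):
        by_ip[e["ip"]] += 1
        path, _, query = e["path"].partition("?")
        hits[path] += 1
        queries[path].add(query)
        if e["status"] == "404" and e["referer"] != "-":
            ref_404[e["referer"]] += 1
    # Cache-busting ratio: unique query strings / requests, only for paths with enough traffic.
    busting = {p: round(len(q) / hits[p], 2) for p, q in queries.items() if hits[p] >= min_hits}
    return {
        "referers_404": {r: n for r, n in ref_404.items() if n >= min_hits},
        "noisy_ips": {ip: n for ip, n in by_ip.items() if n >= min_hits},
        "cache_busting": {p: r for p, r in busting.items() if r >= 0.9},
    }
```

On the sample, `analyze(SAMPLE)` reports the compromised referer with five 404s, one IP above the threshold, and the root path with a cache-busting ratio of 1.0; a real run would feed the function the access log of the attacked server.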
But how many owners of such compromised sites will be able to do that?!? A question for later materials, a little later.
However, there is the possibility, even the recommendation, that when a DoS or DDoS attack is suspected, experts should be contacted for assistance, such as the network administrator or representatives of the Internet service provider.
In the event of an attack, it is important to monitor all services and assets within the organization's network, because certain attackers launch DDoS attacks to distract attention from their real target, using the opportunity to carry out secondary attacks against other services of the organization.
In addition, there is a possibility that actors will threaten to launch DDoS attacks on a target and demand money to stop the malicious actions. In this situation it is recommended that organizations do not respond to the blackmail messages and refuse to pay.
Responsibility for ensuring the primary cybersecurity of the affected infrastructures lies with the affected institutions and organizations. For example, the affected sites are not part of the National System for the Protection of IT&C Infrastructures of national interest against threats from cyberspace (ȚIȚEICA), managed by the SRI through the CYBERINT National Center.
The CYBERINT National
Center within the SRI, together with the DNSC, actively
collaborated with the entities responsible for
investigating cyber-attacks and remedying their effects.
DNSC published more information about the attacks and the IP addresses involved; the publication is part of the standard procedure established by the Directorate for monitoring and identifying ICT resources involved in cyber attacks in the context of the Russia - Ukraine military conflict.
At the same time, some documentary materials have been indicated to help limit the attack and support the subsequent recovery, such as indicators of compromise and guides such as the "Cybersecurity Guide", along with directions on accessing the other guidelines produced by DNSC.
We will continue...
Sources:
Recommendations for managing DDoS attacks – 02.05.2022
Press release: Phishing and spear-phishing attacks propagated on email or messaging platforms – 01.05.2022
The pro-Russian group Killnet launched DDoS attacks on the websites of the Romanian government – 30.04.2022
Press release: DDoS attacks against public and private websites in Romania – 29.04.2022
Russian hacktivists launch DDoS attacks on Romanian government websites – 29.04.2022
Cyber-attacks on the websites of some public and financial-banking institutions – 29.04.2022
Ukraine targeted by DDoS attacks from compromised WordPress sites – 28.04.2022
Pirated WordPress sites force visitors to Ukrainian DDoS targets – 28.03.2022
What is a DDoS attack? –
What is the internet of things? –
Dorin M - May 01, 2022