DDoS Attackers Target VoIP Providers
Over the past few weeks, Voice over Internet Protocol (VoIP) providers have been targeted by distributed denial-of-service (DDoS) attackers.
DDoS is a form of cyberattack that often uses a botnet to attack one target. A botnet is a group of infected computers, including Internet of Things (IoT) devices, that attackers control and use for malicious activities such as DDoS attacks.
VoIP, meanwhile, refers to a technology that allows voice calls over an Internet connection instead of the traditional analog phone line. As VoIP uses the Internet and requires servers, portals, and gateways to be publicly accessible, this technology is a prime target of DDoS attackers.
In DDoS attacks against VoIP providers, attackers will flood VoIP servers, portals, and gateways with requests, making VoIP services unavailable to legitimate users.
Recent Attacks Against VoIP Providers
On August 31, 2021, London-based Voipfone disclosed that it was under DDoS attack.
“We have identified a further DDoS attack, we will post updates as the situation develops,” Voipfone said in a statement. “Our team is working extremely hard to address the ongoing issues that are currently affecting our network. We sincerely apologize for the disruption this must be causing you, and fully understand how frustrating this must be.”
A week after the intermittent DDoS attacks, Voipfone said it had fully resolved the DDoS attacks.
On September 16, 2021, Montreal-based VoIP.ms became the victim of a DDoS attack. On its website, VoIP.ms said it serves 80,000 customers in 125 countries.
“We have identified a large-scale Distributed Denial of Service (DDoS) attack which has been directed at our DNS and POPs,” VoIP.ms said in a statement posted on its website. “Our team is deploying continuous efforts to profile incoming attacks and mitigate them as best they can. We apologize for the inconvenience caused and thank you for your patience while we work on resolving the issue.”
The DDoS attack against VoIP.ms targeted the company’s DNS name servers. In the absence of DNS, VoIP.ms advised customers to configure their HOSTS file to point the domain at their IP address to bypass DNS resolution. In response, the attackers launched DDoS attacks directly at that IP address. To mitigate the DDoS attacks, VoIP.ms moved their website and DNS servers to Cloudflare.
As of September 28th, VoIP.ms said on its Twitter account that it’s advancing towards a more stable and secure network. The company, however, said that its main US carrier is still experiencing issues in their network which is impacting their clients all across North America.
On September 28, 2021, another VoIP provider admitted that it was under DDoS attack. “Bandwidth and a number of critical communications service providers have been targeted by a rolling DDoS attack,” Bandwidth CEO David Morken said in a statement. “While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry.”
North Carolina-based Bandwidth said on its website that it provides local VoIP phone numbers together with outbound and inbound calling, powering popular platforms including Microsoft Teams/Skype for Business, Zoom Phone, and Google Voice. Bandwidth also serves as an upstream provider for VoIP vendors such as Accent.
“The upstream provider continues to acknowledge the DDoS attack is impacting their network and they are actively working to mitigate its effects,” Accent said in a statement. “Accent is seeing a limited impact to inbound calling for our services for certain phone numbers. We will continue to monitor the situation and update the status as appropriate.”
Ransom DDoS Attacks
A threat actor using the name “REvil” claimed responsibility for the VoIP.ms DDoS attack. The ransom note to VoIP.ms was posted on Pastebin and has since been removed. REvil also posted updates about the VoIP.ms DDoS attack on Twitter. These updates have since been removed from Twitter as well.
REvil demanded one bitcoin from VoIP.ms. After a failed negotiation, REvil raised the ransom demand to 100 bitcoins.
REvil originally refers to a threat group behind a number of high-profile ransomware attacks. On July 13, 2021, this group stopped its operation. In September 2021, the group resumed its ransomware operations. The original REvil group, however, hasn’t been known to launch DDoS attacks or to publicly demand ransom over DDoS attacks.
To date, there’s no report of whether Voipfone and Bandwidth received a ransom demand similar to the one received by VoIP.ms.
Ransom DDoS (RDDoS) attacks have been around for years. An RDDoS attack occurs when a malicious actor extorts money from a target by threatening the target with a DDoS attack.
Threat actors may carry out a DDoS attack first and then follow it with a ransom note. Another approach is to send the ransom note first and then follow it with a DDoS attack. In the latter approach, the ransom note may be an empty threat, with the threat actor not really capable of launching an actual DDoS attack. However, there’s a possibility that the DDoS threat is real.
Paying the ransom gives ransom DDoS victims false hope that the attack will stop. Paying the ransom can only make your organization the subject of future DDoS attacks as the attackers know that your organization is willing to pay ransom.
What Is Phishing-As-A-Service and How to Protect Your Organization
Microsoft 365 Defender Threat Intelligence Team recently published their findings on a large-scale phishing-as-a-service operation called “BulletProofLink.”
What Is Phishing-as-a-Service?
Phishing-as-a-service follows the software-as-a-service model in which cybercriminals pay an operator to launch an email-based phishing campaign.
In an email-based phishing campaign, the target receives an email from a seemingly legitimate origin. The email, however, is a malicious one, masquerading as coming from a legitimate source. Clicking a link on this malicious email will lead to a compromised or fake website. The login details entered by the target who believes he or she is logging into a legitimate website will then be harvested for criminal activities.
BulletProofLink, also known as BulletProftLink and Anthrax, is an example of a phishing-as-a-service. This phishing-as-a-service was first reported by OSINT Fans in October 2020. According to OSINT Fans, the phishing campaign launched by BulletProofLink started with a phishing email impersonating a Sydney-based accounting firm. The email looked legitimate, with no sign of broken English or a spoofed email sender.
Inside this email is a link labeled “Remittance Advice receipts.pdf.” Clicking this link, OSINT Fans said, leads to a pixel-perfect clone of the Microsoft 365 login page. “If a victim enters their password on this page, the login credentials are sent straight to the criminals rather than Microsoft,” OSINT Fans said.
In the blog post “Catching the big fish: Analyzing a large-scale phishing-as-a-service operation,” Microsoft 365 Defender Threat Intelligence Team said BulletProofLink offers phishing-as-a-service at a relatively low cost, offering a wide range of services, including email templates, site templates, email delivery, site hosting, credential theft, credential redistribution, and "fully undetected" links/logs.
Microsoft 365 Defender Threat Intelligence Team said BulletProofLink has over 100 available phishing templates that mimic known brands and services. The BulletProofLink operation, the Team said, is responsible for many of the phishing campaigns that impact enterprises today.
The Team also reported that BulletProofLink used a rather high volume of newly created and unique subdomains – over 300,000 in a single run. The Team added that BulletProofLink is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for BulletProofLink’s operators.
BulletProofLink’s monthly service costs as much as $800, while the one-time hosting link costs about $50. The common mode of payment is Bitcoin.
Infinite Subdomain Abuse
According to Microsoft 365 Defender Threat Intelligence Team, the operators behind BulletProofLink use a technique that the Team calls “infinite subdomain abuse.” The Team said infinite subdomain abuse happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains.
Microsoft 365 Defender Threat Intelligence Team said infinite subdomain abuse is gaining popularity among attackers for the following reasons:
“It serves as a departure from previous techniques that involved hackers obtaining large sets of single-use domains. To leverage infinite subdomains for use in email links that serve to redirect to a smaller set of final landing pages, the attackers then only need to compromise the DNS of the site, and not the site itself.
“It allows phishing operators to maximize the unique domains they are able to use by configuring dynamically generated subdomains as prefix to the base domain for each individual email.
“The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.”
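The detection gap described in the last point, shown as an added example that is not from Microsoft or the original article: exact host matching catches only the one subdomain already on a blocklist, while grouping link hosts by base domain exposes the burst of unique subdomains. The host names, the threshold, and the small suffix set standing in for the Public Suffix List are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List; a real deployment
# should use the full list to find the registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}

def base_domain(host):
    """Return the registrable domain of a host name (naive suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def exact_match_hits(urls, blocklist):
    """Baseline: flag only URLs whose host is already on the blocklist."""
    return [u for u in urls if urlsplit(u).hostname in blocklist]

def flag_subdomain_bursts(urls, threshold=3):
    """Group link hosts by base domain and return the base domains seen
    under at least `threshold` distinct host names."""
    seen = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            seen[base_domain(host)].add(host)
    return {d: sorted(h) for d, h in seen.items() if len(h) >= threshold}

# Constructed sample: links extracted from inbound mail (not real indicators).
SAMPLE_URLS = [
    "https://a8f3k2.compromised-site.example/login",
    "https://zq91mm.compromised-site.example/login",
    "https://p0d7xw.compromised-site.example/login",
    "https://r4t6yu.compromised-site.example/login",
    "https://www.vendor.example/invoice",
    "https://mail.vendor.example/",
    "https://shop.retailer.co.uk/cart",
]
KNOWN_BAD = {"a8f3k2.compromised-site.example"}  # constructed blocklist entry

if __name__ == "__main__":
    print("exact match:", exact_match_hits(SAMPLE_URLS, KNOWN_BAD))
    print("bursts:", flag_subdomain_bursts(SAMPLE_URLS))
```

A flagged base domain is a lead for review, not a verdict: large legitimate services also use many subdomains, so the threshold and an allowlist need tuning against real mail flow.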
Microsoft 365 Defender Threat Intelligence Team said that BulletProofLink's phishing-as-a-service is reminiscent of the ransomware-as-a-service model. Today’s ransomware attacks involve, not just data encryption, but exfiltrating or stealing data as well. In a ransomware-as-a-service scenario, the ransomware operator doesn’t necessarily delete the stolen data even if the ransom has already been paid.
In both ransomware and phishing, Microsoft 365 Defender Threat Intelligence Team said that operators supplying resources to facilitate attacks maximize monetization by assuring stolen data are put to use in as many ways as possible. Victims’ credentials, the Team said, are likely to end up in the underground economy. “For a relatively simple service, the return of investment offers a considerable motivation as far as the email threat landscape goes,” Microsoft 365 Defender Threat Intelligence Team said.
Cybersecurity Best Practices
To protect Microsoft 365 users from phishing-as-a-service operations, Microsoft 365 Defender Threat Intelligence Team recommends the following cybersecurity best practices:
What we Learned from the Biggest DDoS Attack to Date: 22 Million Requests Per Second
Russian internet giant Yandex recently announced that it was hit by a record-breaking distributed denial-of-service (DDoS) attack.
“Our experts did manage to repel a record attack of nearly 22 million requests per second,” Yandex said in a statement. “This is the biggest known attack in the history of the internet.”
In the blog post “Mēris botnet, climbing to the record,” DDoS mitigation service Qrator Lab reported that from August 7 to September 5 of this year, it recorded 5 DDoS attacks at Yandex from a botnet dubbed as "Mēris," which means "Plague" in the Latvian language. The five DDoS attacks at Yandex, Qrator Lab said, started from 5.2 million requests per second (RPS) and culminated at 21.8 million RPS.
In a DDoS attack, multiple internet-connected computers operate as one to attack a particular target. In launching a DDoS attack, attackers often use a botnet, a group of hijacked internet-connected computers that attackers control to conduct malicious activities such as DDoS attacks.
In a DDoS attack, the hijacked internet-connected computers are victims as well. Using hijacked computers exponentially increases the attack power through the voluminous requests sent to the target, and it initially hides the true source of the attack.
According to Qrator Lab, the number of infected internet-connected computers reached 250,000, and these infected internet-connected computers or devices come from only one manufacturer: Mikrotik, a Latvian network equipment manufacturer.
Qrator Lab added that the Mēris botnet used the HTTP pipelining technique in launching the DDoS attacks. “Requests pipelining (in HTTP 1.1) is the primary source of trouble for anyone who meets that particular botnet,” Qrator Lab said. “Because of the request pipelining technique, attackers could squeeze much more RPS than botnets usually do. It happened because traditional mitigation measures would, of course, block the source IP. However, some requests (about 10-20) left in the buffers are processed even after the IP is blocked.”
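A simplified model of the buffering effect Qrator Lab describes, added here as an illustration and not taken from Qrator Lab or the original article: one connection delivers 16 pipelined requests in a single buffer, and the source is blocked after the fourth. The IP address, the request contents, and the `block_after` trigger are constructed assumptions.

```python
def split_pipelined(buffer):
    """Split one receive buffer into the body-less HTTP/1.1 requests it holds."""
    return [r + b"\r\n\r\n" for r in buffer.split(b"\r\n\r\n") if r]

def serve(buffer, src_ip, blocked, block_after, check_each_request):
    """Process one connection's buffered requests.

    The source is added to `blocked` once `block_after` requests have been
    handled (a stand-in for a rate-based mitigation decision). Returns the
    number of requests that reached the application.
    """
    handled = 0
    if src_ip in blocked:              # block list consulted at accept time
        return handled
    for _request in split_pipelined(buffer):
        if check_each_request and src_ip in blocked:
            break                      # discard whatever is still buffered
        handled += 1                   # request reaches the application
        if handled == block_after:
            blocked.add(src_ip)        # mitigation blocks the source IP
    return handled

# Constructed input: 16 identical pipelined GETs from a documentation address.
REQUEST = b"GET / HTTP/1.1\r\nHost: site.example\r\n\r\n"
BUFFER = REQUEST * 16
SRC = "192.0.2.10"

def accept_time_only():
    """Block list checked only when the connection is accepted."""
    return serve(BUFFER, SRC, set(), block_after=4, check_each_request=False)

def per_request_check():
    """Block list re-checked before each buffered request is processed."""
    return serve(BUFFER, SRC, set(), block_after=4, check_each_request=True)

if __name__ == "__main__":
    print("accept-time check only:", accept_time_only(), "requests processed")
    print("per-request check:     ", per_request_check(), "requests processed")
```

In this model the accept-time check lets all 16 requests through even though the address was blocked after the fourth, while re-checking before each request stops at 4.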
Based on the botnet’s attacking sources (IP addresses), Qrator Lab said that 10.9% came from Brazil, 10.9% from Indonesia, 5.9% from India, 5.2% from Bangladesh, 3.6% from Russia, and 3.3% from the United States.
In the last couple of weeks, Qrator Lab said that it has observed devastating DDoS attacks towards New Zealand, the United States and Russia, which it attributes to the Mēris botnet species. “Now it can overwhelm almost any infrastructure, including some highly robust networks,” Qrator Lab said. “All this is due to the enormous RPS power that it brings along.”
Prior to the DDoS attack at Yandex, the record-breaking DDoS attack was launched by a powerful botnet, targeting a Cloudflare customer in the financial industry. The attack reached 17.2 million requests per second.
According to Cloudflare, the said DDoS attack came from more than 20,000 bots in 125 countries around the world. Based on the botnet’s attacking sources (IP addresses), almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined.
Cloudflare said the attack was launched via a Mirai botnet. The botnet Mirai, which means “future” in Japanese, was first discovered in 2016. The Mirai botnet infects Linux-operated devices such as security cameras and routers by brute forcing known credentials such as factory default usernames and passwords. Succeeding variants of the Mirai botnet took advantage of zero-day exploits.
According to Qrator Lab researchers, they haven’t seen the malicious code, and as such, they aren’t ready to tell yet if it’s somehow related to the Mirai botnet family or not.
Preventative measures against DDoS attacks
In order to prevent your organization’s internet-connected computers or devices from being hijacked as part of a botnet, it’s important to follow these cybersecurity best practices:
According to MikroTik, Mēris botnet compromised the same routers that were compromised in 2018 via a known security vulnerability that was quickly patched. The 2018 vulnerability that was referred to is CVE-2018-14847, a MikroTik RouterOS security vulnerability that allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
“Unfortunately, closing the vulnerability does not immediately protect these routers,” MikroTik said. “If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.”
DDoS attacks, even volumetric attacks, can now be prevented autonomously, without human intervention.
Steve E. Driz, I.S.P., ITCP