Lazarus Bear Armada (LBA) DDoS Extortion Attack Campaign
October 2020 by NETSCOUT
As previously reported, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks in mid-August 2020, largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers. Since then, ASERT has found that healthcare providers, broadband access ISPs, insurance providers, personal care product manufacturers, regional energy providers, and IT-related vendors have also been targeted. These attacks largely follow the original pattern: the attacker initiates a demonstration DDoS attack against selected elements of the targeted organization’s online services/application delivery infrastructure and follows up with an emailed extortion demand for payment via Bitcoin (BTC) cryptocurrency. The extortion demands typically state that the attacker has up to 2 Tbps of DDoS attack capacity at the ready and threatens follow-up attacks if the extortion payments aren’t transmitted to the attacker within a set period of time.
In many cases, when the extortion demands aren’t met, the threatened follow-up attacks do not occur, and the attacker moves on to another target. In some cases, the attacker elects to persist in attacking the targeted organization, including its upstream transit provider(s).
The threat actor responsible for this attack campaign typically claims to be affiliated with well-known, labeled attack groups discussed in industry media. This is done in hopes of bolstering their credibility with the extortion targets. Examples of asserted affiliation include Fancy Bear, Lazarus Group, and Armada Collective—the last being the only one of the claimed identities known to be affiliated with DDoS attack campaigns. Given the propensity of the threat actor for impersonating these threat groups, we have assigned the moniker Lazarus Bear Armada (LBA) to this threat actor.
While many would-be extortionists send out emailed extortion demands under the names of these various groups, most do not follow through with DDoS attacks. The threat actor behind this campaign does in fact actually launch DDoS attacks against the targeted organizations, although threatened follow-up attacks often fail to materialize.
The primary attack vectors observed in this campaign are DNS, NTP, ARMS, WS-DD, SSDP, and CLDAP reflection/amplification; UDP/4500 and UDP/500 flooding; HTTP/S request-flooding; spoofed SYN-flooding; GRE and ESP packet-flooding; TCP ACK-floods; and TCP reflection/amplification attacks. The attacker has also utilized layer-7 HTTP/S request-floods against Web properties. In some cases, the attacker has generated packet floods of generic UDP/4500 and UDP/500 traffic in an attempt to masquerade attack traffic as VPN-related traffic. LBA has also made use of other, infrequently used IPv4 protocols to launch packet-flooding attacks. These tactics are designed to bypass inadequately scoped network access policies implemented via router access-control lists (ACLs) and/or firewall rules.
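As an added example (not part of the NETSCOUT advisory), the following classifier maps flow records to the vectors listed above and sums them into Gbps/Mpps per vector so an operator can compare observed rates against the ranges this campaign has produced. The flow-record layout, the 60-second window and the sample records are all constructed assumptions; the well-known reflector ports (DNS 53, NTP 123, ARMS 3283, WS-DD 3702, SSDP 1900, CLDAP 389) and IP protocol numbers (GRE 47, ESP 50) are standard.

```python
from collections import defaultdict

# Reflection/amplification vectors are recognised by the UDP *source* port of the reflector.
REFLECTION_SRC_PORTS = {53: "DNS", 123: "NTP", 3283: "ARMS", 3702: "WS-DD", 1900: "SSDP", 389: "CLDAP"}
# Generic UDP floods aimed at IKE/NAT-T ports to blend in with VPN traffic (destination port).
VPN_LOOKALIKE_DST_PORTS = {500: "UDP/500", 4500: "UDP/4500"}
# Non-TCP/UDP IPv4 protocol floods (protocol number -> name).
IP_PROTO_FLOODS = {47: "GRE", 50: "ESP"}

def classify(flow):
    """Return the campaign vector a single flow record resembles, or None if benign-looking.
    flow: dict with keys proto, sport, dport, flags (TCP only), bytes, packets (constructed format)."""
    proto = flow["proto"]
    if proto == 17:  # UDP
        if flow["sport"] in REFLECTION_SRC_PORTS:
            return REFLECTION_SRC_PORTS[flow["sport"]] + " reflection/amplification"
        if flow["dport"] in VPN_LOOKALIKE_DST_PORTS:
            return VPN_LOOKALIKE_DST_PORTS[flow["dport"]] + " flood"
    elif proto == 6:  # TCP: bare flag combinations at high rate are the floods described above
        flags = flow.get("flags", "")
        if flags == "S":
            return "SYN flood"
        if flags == "A":
            return "ACK flood"
        if flags == "SA":  # SYN/ACKs arriving from reflectors' well-known ports
            return "TCP reflection/amplification"
    elif proto in IP_PROTO_FLOODS:
        return IP_PROTO_FLOODS[proto] + " packet flood"
    return None

def aggregate(flows, window_s=60):
    """Sum matched flows per vector over window_s seconds; returns {vector: (Gbps, Mpps)}."""
    bits, pkts = defaultdict(int), defaultdict(int)
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        bits[vector] += f["bytes"] * 8
        pkts[vector] += f["packets"]
    return {v: (bits[v] / window_s / 1e9, pkts[v] / window_s / 1e6) for v in bits}

# Constructed sample: one 60-second window of already-unsampled flow totals.
SAMPLE_FLOWS = [
    {"proto": 17, "sport": 53,   "dport": 17000, "bytes": 450_000_000_000, "packets": 300_000_000},
    {"proto": 17, "sport": 41000, "dport": 4500, "bytes": 75_000_000_000, "packets": 600_000_000},
    {"proto": 47, "sport": 0,    "dport": 0,     "bytes": 15_000_000_000, "packets": 120_000_000},
    {"proto": 6,  "sport": 443,  "dport": 52000, "flags": "PA", "bytes": 2_000_000, "packets": 1_500},
]
```

Rates are reported per vector so that a 60 Gbps DNS reflection component and a 10 Mpps UDP/4500 component are visible separately, which is what countermeasure selection needs.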
Attack volumes observed over the course of this attack campaign have ranged from 50 Gbps to 300 Gbps, and from 150 Kpps to 50 Mpps. While the attacker has claimed to have up to 2 Tbps of DDoS attack capacity, no attacks approaching this magnitude have yet occurred.
Both the selection of targeted assets and the recipients chosen to receive the attacker’s extortion demands are indicative of pre-attack reconnaissance on the part of the threat actor. In multiple instances, critical yet non-obvious public-facing applications and services were targeted by the attacker. The attacker has also deliberately attacked VPN concentrators, presumably identified via DNS analytics, in order to attempt disruption of the targeted organizations’ mission-critical remote access capability.
During extended attacks that include targeting of an organization’s upstream transit ISP(s), the attacker has apparently used basic network diagnostic techniques such as running multiple traceroutes in an attempt to identify routers and/or layer-3 switches within the transit ISP network. These network infrastructure devices are subsequently targeted by the attacker.
ASERT continues to see the threat actor in question exercise significant due diligence in identifying email mailboxes that are likely to be actively monitored by targeted organizations. This differs from most such attacks, in which emailed DDoS extortion demands are never viewed by their intended targets due to poor email address selection on the part of the attacker.
In line with observed norms, the collateral impact of these DDoS attacks can be disproportionately high. In some cases, attacks against the upstream transit ISPs supplying internet connectivity to targeted organizations have resulted in significant disruption of bystander traffic traversing the networks of those transit operators.
As is the case with most DDoS attacks, targeted organizations that have adequately prepared in advance to defend their public-facing internet properties and related infrastructure have experienced little or no significant negative impact related to this DDoS extortion campaign.
While the threat actor in question has demonstrated a degree of acuity and willingness to engage in diligent pre-attack reconnaissance, the DDoS attack vectors and targeting techniques employed in this attack campaign to date are well-known and can be mitigated via standard DDoS countermeasures/protections.
Due to the relatively high visibility of this attack campaign, which results largely from the deliberate selection of targets within and adjacent to the heavily regulated financial sector rather than from any uniqueness of the attacks themselves or differentiation from the common run of DDoS extortion attempts, it is assumed that international law enforcement and intelligence community resources are likely to be brought to bear in aid of efforts to identify and apprehend those responsible.
Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural and operational Best Current Practices (BCPs) have been implemented, including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Internet access traffic from internal organizational personnel should be separated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.
Critical supporting ancillary services such as authoritative DNS should also be designed, deployed, and operated in a manner consistent with all relevant BCPs. DNS resource records (RRs) for VPN concentrators whose names contain the string ‘vpn’ should be renamed in order to obfuscate their functionality, and existing VPN concentrators whose RRs contained ‘vpn’ should be re-IPed.
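An added audit script (not from the advisory) that implements the check above against an authoritative zone file: it flags every A, AAAA or CNAME record whose owner name, or CNAME target, carries a label containing ‘vpn’, and lists the addresses that would need to be re-IPed after renaming. The zone excerpt is constructed sample data using RFC 5737/3849 documentation addresses, and the parser assumes the common one-record-per-line master-file layout with explicit `IN` class.

```python
import re

# Constructed sample zone; $ORIGIN and relative owner names are handled as in a master file.
ZONE_SAMPLE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. (2020100101 7200 900 1209600 300)
@        IN NS    ns1.example.com.
ns1      IN A     192.0.2.10
www      IN A     192.0.2.20
vpn      IN A     192.0.2.30      ; concentrator exposed by its name
vpn2     IN AAAA  2001:db8::30
remote   IN CNAME vpn.example.com. ; alias still leaks the 'vpn' label via its target
mail     IN A     192.0.2.40
"""

RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME)\s+(\S+)", re.IGNORECASE)

def _fqdn(owner, origin):
    """Expand a master-file owner name to a fully qualified name under the current $ORIGIN."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"

def find_vpn_records(zone_text):
    """Return [{'name', 'type', 'rdata'}] for records that reveal a VPN concentrator by name."""
    origin, findings = ".", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        match = RR_RE.match(line)
        if not match:  # $TTL, SOA, NS and other record types are not of interest here
            continue
        owner, rtype, rdata = match.groups()
        name = _fqdn(owner, origin)
        labels = name.lower().split(".")
        if rtype.upper() == "CNAME":
            labels += rdata.lower().split(".")
        if any("vpn" in label for label in labels):
            findings.append({"name": name, "type": rtype.upper(), "rdata": rdata})
    return findings

def addresses_to_reip(findings):
    """Addresses currently tied to a 'vpn'-named record; renaming alone leaves these discoverable."""
    return sorted(f["rdata"] for f in findings if f["type"] in ("A", "AAAA"))
```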
DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.
It is imperative that organizations operating mission-critical public-facing Internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.
Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or ATAC may be consulted with regards to optimal countermeasure selection and employment.
Organizations should familiarize themselves with the particulars of previous high-profile DDoS extortion campaigns, with a special emphasis on the ‘DD4BC’ series of attacks launched between 2014 and 2016. There are multiple points of correspondence between the modus operandi of the DD4BC threat actor and that of the threat actor responsible for this DDoS extortion campaign.