sign in sign up
<<
Home , 2016 Dyn cyberattack, BrickerBot, Carbanak, Chaos Computer Club, Dridex, Emotet

A FIELD GUIDE to Understanding the Tactics, Techniques and Attack Vectors Used by Cybercriminals TABLE OF CONTENTS

INTRODUCTION: THE EVOLVING THREAT LANDSCAPE...... 1

1.0 CYBERTHREATS 1.1 ...... 2 1.2 CONSUMER TOOLS...... 5 1.3 DEFACEMENTS...... 8 1.4 EXPLOIT KITS...... 11 1.5 ...... 13 1.6 TROJANS...... 15

2.0 THREAT ACTORS 2.1 ADVANCED PERSISTENT THREAT (APT)...... 18 2.2 DENIAL-OF-SERVICE (DOS) GROUPS...... 21 2.3 HACKTIVISTS...... 23 2.4 INSIDERS...... 26 2.5 ORGANIZED ...... 28 2.6 PATRIOTIC ...... 31 2.7 RANSOM DENIAL OF SERVICE (RDOS)...... 34

3.0 CYBERSECURITY FORECAST...... 36

4.0 PROACTIVE MEASURES ...... 38

5.0 GLOSSARY...... 39 INTRODUCTION: The Evolving Threat Landscape

CHANGE IS ONE OF THE FEW CONSTANTS IN LIFE, AND CYBERSECURITY IS NO EXCEPTION TO THIS RULE.

The threat landscape is as diverse as it is sophisticated, thanks largely to the fact that the skills and tools behind launching have become commoditized. Dark web marketplaces, the increased availability of online attack tools, open-source botnets … they have all combined to provide cybercriminals with a plethora of user-friendly and highly scalable attack vectors and services. As a result, hackers and cybercriminals have reached a level of maturity and efficiency unsurpassed in the history of , resulting in a dramatic increase in attack frequency, complexity and size.

Although these threats constitute a clear and present danger to organizations worldwide, knowledge is power. Radware’s ’s Almanac assists security experts with understanding the threat landscape and generating awareness about current tactics, techniques and procedures used by today’s cybercriminals. It is divided into three sections and covers tools and tactics, threat actors and cybersecurity predictions.

Understanding these threats and techniques to mitigate them is the first step in preparing your security team and implementing the correct policies and systems. Before securing your network, be sure to conduct an audit of your organization’s network and understand its vulnerabilities/weaknesses. Then leverage this almanac to study the threats posed against your organization. 1.1 PAGE 2 RADWARE HACKER’S ALMANAC Botnets traffic coming from IoTfrom coming traffic devices. operator,network take steps tomalicious filter If you a are closed. ports have unnecessary all patched and and that updated they are ensure should IoT install network who their on devices However, Users solution. the also is victim the it’s expected that this problem will worsen. lack of regulation surrounding these devices, of IoTbotnet. expansion the With the and to amassive build possible as devices IoT to many as aim groups infect These CYBERTHREATS TRADITIONAL PC-BASEDTRADITIONAL BOTNETS TO IOT-BASED BOTNETS. FROM ASHIFT SHOWN HAS YEARS RECENT IN DATA ACTIVITY THEFT. AND MAIL SPAM ATTACKS, DDOS AS SUCH ACTIVITIES MALICIOUS PERFORM TO COMMANDS CHAT (IRC), ISSUING RELAY AN AS SUCH CHANNEL, ACOVERT OF MEANS BY MACHINES THE CONTROL AN ATTACKER CONTROL. OWNERS, COMPLETE OR “HERDERS,” ALLOWS THAT WITH INFECTED “ZOMBIES,” AS TO REFERRED A IS BOTNET A OF OFTEN COLLECTION COMPUTERS, COMPROMISED so service is not is interrupted. service so pass, to traffic user legitimate only allows and traffic network protection that scrubs attack cloud-based mitigation solution for volumetric a require will 1Tbps. victims cases, most In at over networks flood for days and last can botnet attacks as expert, aDDoS with consult of abotnetIf attack, you avictim are Botnets NECURS remotely controlled “bots” that can be used as part of large-scale botnet network attacks. The Mirai Mirai The attacks. network botnet of large-scale part as used be can “bots” that controlled remotely DVRs, into and cameras IP as such , running devices network turns that amalware is Mirai C&C servers. the and bots the between solutions.and security Necurs also uses domain generation algorithms to switch meeting points firewalls disable can that feature kernel-mode asophisticated about speculation is There distributors. malware other with collaborate or type to distribution the adapt and agile to remain it enabling architecture a modular day. possesses per Necurs ransomware GlobeImposter and distributing emails of 47 Necurs average an million stopped researchers season, holiday 2017 the Through . and , countries: three in concentrated were addresses IP the of Half countries. 200 over in addresses IP 1.2 distinct almost from million sent emails found and campaigns spam 2017, 32 distinct November and analyzed August Between researchers security like Locky. ransomware as well as Trickbot Dridec, as and Trojans 2016, such banking throughout active 2017 delivering observed 2018. and been has Necurs was botnet sinister The . wallet and schemes work-from-home scams, stock pump-and-dump spam, dating malware, banking of ransomware, amounts massive emailing for responsible was history, in Necurs botnets spam longest-running and largest of the one As protect vulnerable devices () or purge the internet of them (BrickerBot). of them internet the purge or (Hajime) devices vulnerable protect to try that botnets to vigilante birth IoT given has It target exclusively devices. that botnets new for and exploit more IoT vulnerabilities. Mirai exposed the IoT problem security and paved the road to have adapted scan branches Newer botnets. most for basis the now is code source Mirai The to discovered. being numerous spinoffs leading public, made was code source Mirai the month, that Later attack. the during leveraged 2016. September OVH in 2016, and October In Krebs on was Waterattacks aDNS Torture attack the during generated were volumes traffic DDoS Record-breaking credentials. CLI manufacturer of 61 default consisting adictionary Telnet using via Force Brute infected were Devices traffic or recursive DNS queries. of GRE into legitimacy the to visibility comes it when face organizations challenges the highlights also TCP Water Mirai STOMP Floods, Torture and GRE attacks. as such attacks sophisticated highly include vectors attack These systems. mitigation DDoS their by attacking infrastructure scrubbers’ cloud and providers’ service down taking effectively some vectors, attack 10 predefined of selection a features botnet of in Mirai excess the 1Tbps, volumes traffic to generating addition In 2016 October the OVH and . host web Dyn French on Krebs’s attack an website, Brian journalist security 2016 computer aSeptember against attack including attacks, DDoS disruptive most and largest of the some in used 2016been in August since found has and first was botnet

PAGE 3 RADWARE HACKER’S ALMANAC PAGE 4 RADWARE HACKER’S ALMANAC WIREX BRICKERBOT HTTP GET request attacks. attacks. request GET HTTP 7 Layer performing primarily 100 countries, across IPs 70,000 than distinct more from originated attacks the that estimated Researchers devices. infected those from attacks DDoS massive to conduct leveraged were malware WireX the with infected apps These managers. storage for the Play in found apps of malicious hundreds via smartphones 100,000 over to Android have infected found botnet was The traffic. network its observed 2017 August in uncovered researchers when was and tablets and cellphones as such devices mobile targeted that abotnet was WireX multiple ISPs across geographies. different affected 2017, and of routers During state internet. of the millions bricked allegedly BrickerBot Janit0r wrote several white papers on his Internet Chemotherapy project, describing the deplorable BrickerBot modules, including hundreds of vulnerabilities categorized by device, class and vendor. 2017 of his some November in “retirement” published his and announced Janit0r by Radware. 2017April in discovered Chemotherapy.” first was “Internet BrickerBot project this calls Janit0r The attention. generating not thereby place, takes scanning No devices. infected attacks only and sentinels, and bots including sensors, detection of anetwork uses It machine. onto victim the loaded is malware —no sequence destructive a using remote execution via attacks of abotnet. BrickerBot part IoT becoming from devices IoT to vulnerable prevent of malicious devices internet the to is purge objective BrickerBot’s botnet. PDoS autonomous first the was Janit0r, as BrickerBot known by hacker the Authored prevalentincreasingly in 2017. became of cyberattack form this attack, (PDoS) denial-of-service apermanent as Coined functioning. victim’s the from to hardware render designed attack bot aquick-pace Imagine servers, network switches and IoT and switches devices. network servers, PREFERRED TARGETS: cryptomining. or ad attacks, (DoS) denial-of-service botnet for the leveraging by profits attacker the to IoT an compromised, computer Once device. apersonal from anything compromise MODUS OPERANDI: ™ store, many of which purported to be media/video players, ringtones or tools tools or ringtones players, to media/video be purported store, of which many Default credentials and known device exploits are primary ways to primary are exploits device known and credentials Default Currently, the preferred targets for bot herders are insecure cloud cloud insecure are herders bot for targets Currently, preferred the

1.2 targeting their networks. their targeting behavior attack the toand understand products toused test improve security and are that services the they claim stressers, With damage. reduce or prevent infections to potential intentionthe risks to highlight is projects these for justification the Often BE PUBLICLY AVAILABLE. SHOULD THEY IF WONDER MANY AND COMMUNITY, SECURITY THE IN DEBATE INTERNATIONAL AN OFF SET HAVE PROJECTS THESE EDUCATIONAL. STRICTLY BEING OF PRETENSE THE UNDER PUBLISHED ADMINISTRATION TROJANS (RATS) AND RANSOMWARE HAVE BEEN REMOTE STRESSERS, AS SUCH TOOLS YEARS, FEW LAST THE OVER Tools Consumer CYBERTHREATS

other software. malicious asystem RATs with infect they can so and discover and exploit network vulnerabilities, to penetration-testing Linux tools like Kali use will month. criminals addition, In per $8 as little as paid someone for which service of arented abotnet stresser or a victim likely you also are attack, of aDoS victim If you a are campaigns. of depth the these given high is miners by targeted coin being of tools, organization your risk the cyberattack available commonly of most the some As

PAGE 5 RADWARE HACKER’S ALMANAC PAGE 6 RADWARE HACKER’S ALMANAC DEFCON.PRO COIN MINER network load is below 50%. below is load network the 8–12Gbps if an vector attack offers DNS 17 and from attacks servers 42 concurrent launching of capability vector. the has it new attack that states a Defcon.pro offer and market to first are that those for especially services, select for profitable be can industry DDoS-as-a-service The attacks. 11,260 2018, had it that of March 2,107,817As reported launched Defcon.pro had and customers 2017. of September as 7,700 had At time, Defcon.pro the 117,000 servers. pro launched had and customers attacks DDoS to Defcon. calls upstream made all who 331 had TrueStresser customers Defcon.pro’s service. API of out abusiness created had TrueStresser that of TrueStresser,content reported was it and leaked the discovered Farmer 2017 in Derrick attention media researcher when gained Defcon.pro attack. a200-second for version trial $3 a offer also They attacks. unlimited offer and month to per $8 $45 from range Packages services. stresser own their run can others so access, API offers also that service astresser is Defcon.pro exploit. EternalBlue the via miner aMonero with devices infects and spreads which Smominru, and devices, Android targets ADB.miner, which include Examples ransomware. overthrown and year, erupted last has the trend Over this purposes. cryptomining for device unauthorized an of infecting process the is ledger. Cryptojacking toit respected its adds and transaction digital a verifies device aconnected when happens mining cryptocurrency Typically, purposes. malicious for used are CoinHive as such services legitimate, are software this of uses certain Although software. mining to to refer cryptocurrency used aterm is miner Coin RAT KALI LINUX KALI has been the of choice for many hackers. many for of choice system operating the been has Linux Kali years, recent In mobile. to platform the make drive onto athumb Linux Kali load easily can criminals because threat aserious is Linux Kali with user Arogue vulnerabilities. network “test” to users for tools providing install, alive on or alone run can system operating This tools. reporting spoofing, attacks,maintaining access, reverseengineering,hardware and hacking and sniffing testing, stress tools, forensics tools, exploitation applications, web attacks, wireless with hundreds of tools classified by the following topics: information gathering,analysis, vulnerability preloaded is Linux Kali systems. to infect by hackers abused and downloaded often is Linux Kali aresult, As professionals. by security used system operating available widely and afree is Linux Kali like GitHub. websites on free for found also are but marketplaces web dark RATs and information. forums on sold often personal are to access keyloggers install as well as attacks DoS launch or spam to send device the use can attackers The infection. the spread and systems control to device, the RAT, the with connect infected remotely can attacker an Once kit. exploit an via delivered payload Trojan amalicious is (RAT) A remote administration

PAGE 7 RADWARE HACKER’S ALMANAC 1.3 PAGE 8 RADWARE HACKER’S ALMANAC Defacements services is also effective. effective. also is services web systems or management content updating but to attacks, prevent these waybest are the firewalls Web application negligence. operator to due network typically is it defaced, are websites major When to automate attacks. their software basic using unskilled, typically are groups These CYBERTHREATS LEVERAGE DEFACEMENTS.LEVERAGE OFTEN GROUPS HACKTIVIST HACKER. THE FROM STATEMENT RIVALRY OR POLITICAL OF TYPE SOME CONTAIN TYPICALLY AND DIGITAL CONSIDERED ARE DEFACEMENTS OWN. HACKER’S THE WITH CONTENT WEBSITE CURRENT THE REPLACING AND SERVER WEB A INTO BREAKING BY WEBSITE THE OF APPEARANCE VISUAL THE MANIPULATE TO HACKER THE ALLOWS THAT INJECTION SQL ATTACK OR EXECUTION CODE AREMOTE TO REFERS TYPICALLY A DEFACEMENT

attacks retroactively via social media. media. social via retroactively attacks Youdomain. for such monitor also can to apage add your typically will ahacker as administrators to look for malicious activity, network alert and systemyour immediately update and campaign, defacement of that a If you you target the think are

Defacements GIANT’S-PS ELECTRONIC THUNDERBOLT TEAM ERR0R SQUAD religious content and geopolitical events. contain often Its messages Palestinians. of the behalf on campaigns defacement with websites and businesses Israeli targets currently that location unknown an from of hackers a group Giant’s-PS is operation. to related their amessage to sites post unprotected and small of anumber target often will Members OpIsrael. as such events to related political campaigns ment deface in specializes that East Middle the from Team of hackers agroup is Thunderbolt Electronic join. will others so victims their against methods attack YouTube post Attackers to how messages. of its on utilize awareness videos to spread campaigns defacement large-scale out carry and systems management content to target known is group The abuse. application web in specializes that hackers of Bangladeshi agroup is SquaD Err0r -

PAGE 9 RADWARE HACKER’S ALMANAC PAGE 10 RADWARE HACKER’S ALMANAC ANONPLUS often use a defacement to spread a political message. They will often look for the most popular popular most the for look often will They message. apolitical to spread adefacement use often PREFERRED TARGETS: injections. SQL or attacks execution code MODUS OPERANDI: server. aDrupal on injection to remote code lead may exploitation Asuccessful vulnerability. the content to exploit malicious with a request construct can A attacker remote configurations. module common or default with subsystems multiple affecting issue of an aresult as servers unpatched on code to execute arbitrary attackers 2018 allow which executions, to remote code prevent March apatch in released team Drupal’s security Drupal. system management content the use Throughout April 2018, AnonPlus Italia claimed responsibility for defacing 21 websites, 20 of which atwebchat.anonplus.cf. resides now IRC Its new attacks. recent about information to host domains these uses It Anonplus.rf.gd. and Anonplus.tk own website. AnonPlus Italia announced its return with a new manifesto posted on its domains, 2018, their entirely. March created In networks members social to stop using decided group the and suspended was AnonPlus’s @AnonPlus_info, main account, leak, the Following offline. taken was IRC, server the AnonPlus the on posted was data the After citizens. of innocent information contained it since collective the within debate internal an provoked leak The Party. Democratic Florence the from data personal leaked and of website the attacked also has It government. Italian the against political in involved been 2018, has Italia AnonPlus Since institutions. financial as well as States United the and Italy in websites government-related against attacks launched has group This Italia. Anonymous with affiliated not is Italia AnonPlus IRC. asecure and presence asocial to maintain struggled since has and groups by rival hacked was AnonPlus creation, its after Shortly members. Anonymous for developed service networking asocial 2011,In of becoming purpose the with created was AnonPlus accessible website(s) to gain as much notoriety as possible. Defacements primarily leverage unpatched website vulnerabilities, remote Nearly any website can be targeted by a hacktivist. Attackers will will Attackers by ahacktivist. targeted be can website any Nearly

1.4 are also updated. Often times, these attacks attacks these times, updated. Often also are devices employee that all ensure and devices Tonetwork. prevent this, update network onto payloads their malicious to deliver daily target for possible exploit kits designed Organizations themselves a consider should everyone. nearly target tools can These RANSOMWARE AND MINING MALWARE. DEPLOY TO USED OFTEN NOW ARE KITS EXPLOIT CRYPTOMINING. OF POPULARITY INCREASED THE FOLLOWING THEM UPDATING STOPPED KITS EXPLOIT OF AUTHORS CRYPTOMINING. AS SUCH VECTORS, ATTACK OTHER OF POPULARITY THE TO DUE USED BARELY NOW IS IT ATTACKS, FOR AVENUE A POPULAR ONCE MACHINE. A VICTIM’S ONTO PAYLOADS MALICIOUS DROP TO USED PAYLOADS AND EXPLOITS SPECIFIC CONTAINING TOOLKITS PREPACKAGED ARE KITS EXPLOIT Kits Exploit CYBERTHREATS landing pages.landing for their fall will that someone hope the in masses the target kits of exploit authors and link, weakest the are Humans education. page. Training withuser start preparation and employee an once visits the landing malicious are browser based and exploit vulnerabilities

PAGE 11 RADWARE HACKER’S ALMANAC PAGE 12 RADWARE HACKER’S ALMANAC

RIG EXPLOIT KIT KIT EXPLOIT TERROR EXPLOIT KIT GRANDSOFT MAGNITUDE EXPLOIT KIT in Internet Explorer, Java, Flash or Silverlight, it infects the victim and delivers its payload. its delivers and victim the infects it Silverlight, or Java, Explorer, Flash Internet in discovered been has user’s in the browser. flaws vulnerability a Once to security locate JavaScript embedded an containing page to alanding redirected are users Similarly, malware. data-stealing or miners coin with victims today infecting for leveraged is it payloads, ransomware delivering for past the in Known of Terror kits. fall the exploit after exploits active most of the one is RIG pages. landing its for HTTPS Terror uses also campaigns. malvertising with involved been also has it but software, cryptomining other and CCMiner Terror, to install used is Neptune, as known also Internet exploits, Explorer Flash exploits or an RCE in vulnerability the Windows VBScript engine. via victim’s the infects machine GrandSoft payloads. mining and ransomware dropping began 2017 in 2014 in it to resurfaced have disappeared when thought but was kit exploit legacy This kit. the containing page landing to the traffic the to generate users requires and model campaign apay-per- uses Magnitude authors. its for week per of dollars thousands estimated an generating payloads, ransomware download and victims to infect used Today Necurs. generally is it and Andromeda , as such payloads to download to attacker the remote access allows Magnitude PHP.net, kit, the in used by exploit was the it infected Yahoo Once and attacks. WordPress when fame gaining payloads, and of exploits avariety contains that kit exploit an is Magnitude advanced spear-phishing pages can be used to target corporations. corporations. to target used be can pages spear-phishing advanced PREFERRED TARGETS: acryptominer. or like ransomware malware or credentials capture can attacker the infected, Once website. acompromised from distributed MODUS OPERANDI: An exploit kit is prepackaged malware that is found and traditionally traditionally and found is that malware prepackaged is kit exploit An The target for exploit kits is typically an end user’s end browser. an More typically is kits exploit for target The

1.5 typically more profitable.typically are attention less that attract Campaigns therebyand discouraging them from paying. potential victims of attention, notifying deal agreat generate campaigns ransomware because off tapered has trend This criminals. among for-profitrecently popularity gained only has but existed decades for over two of profit.has the Ransomware percentage or price established for an own campaigns their to launch ability the users novice offers which industry, (RaaS) ransomware-as-a-service followed have the also researchers Radware years, the recovered. Over have keys cases been certain in Only OR NOT TO PAY THE EXTORTIONIST TO RECOVER THE DECRYPTION KEY. DECRYPTION THE RECOVER TO PAY TO EXTORTIONIST NOT OR THE AND THE IS VICTIM FACEDUNUSABLE THE WITH DECISION OF WHETHER ATTACHMENTTHE MALICIOUS OR LINK. ONCE INFECTED, IS THE DEVICE PHISHINGSCALE CAMPAIGN IN THE HOPE THAT SOMEONE WILL OPEN ALARGE- DISTRIBUTES OFTEN ATTACKER THE DECRYPT. TO PAYMENT FOR EXCHANGE IN FILES COMPUTER’S INFECTED AN DATA ENCRYPTING BY USER TO ACCESS RESTRICTS THAT MALWARE OF ATYPE IS RANSOMWARE Ransomware CYBERTHREATS gain unauthorized access to device. infected an access unauthorized gain Trojans kits, exploit to of exploits use the and include of infection forms Other document. a malicious containing spam/phishing emails via ways, commonly various most in delivered be can Ransomware critical. is network your up shoring campaign, of aransomware target a be could thatIf you organization your think shipping, in the of hope finding some success. manufacturing, retailindustries, including and of range a wide target groups generate, most attention that ransomware campaigns of of amount the Because campaigns. cryptojacking now prefer who attackers, incredibly popular, has fallen out of favor with before settling down. Ransomware, once beginning the in activity of increased pattern follow a standard Ransomware campaigns

PAGE 13 RADWARE HACKER’S ALMANAC PAGE 14 RADWARE HACKER’S ALMANAC LOCKY SAMSAM NOTPETYA WANNACRY in healthcare, education and government verticals because they were identified as probable payers. payers. probable as identified were they because verticals government and education healthcare, in primarily were that victims targeted selectively operators SamSam the attacks, their with opportunistic and random are groups and campaigns ransomware most Although $1 over million. attackers the earned has arena, ransomware in the groups and campaigns profitable more of the one SamSam, rather a campaign to designed wipe infected computers. but ransomware not was NotPetya that determined was it research, further attacker. the with After email provider eventually shut down the extortionist account, making it impossible to communicate The campaign. the during arise did However, damage. issues in $1 over several billion caused and computers 200,000 than more infected attack The Ukraine. from solution software workflow and accounting apopular MeDoc, from update software amalicious from originated attack This government. to Russian the attributed campaign ransomware famous another was NotPetya malware from ’ NSA dump. EternalBlue disclosed recently the leveraged operator. the for margin profit alow WannaCry with afailure considered was campaign the of monetization, terms In $1 billion. approaching damages total with 150 across countries computers 300,000 over infected and victims 200,000 over affected campaign The Group. Lazarus of the amember Hyok, Jin Park programmer Korean to North back tracked was and years recent in campaigns ransomware famous more of the one was WannaCry and pray” technique designed to send infected documents to as many people as possible. possible. as people to many as documents infected to send designed technique pray” and PREFERRED TARGETS: downloads. drive-by via spread be also can botnet. Variants MODUS OPERANDI: versions, with some of the latest including techniques to avoid detection. several have released Locky behind authors the years, the Over emails. phishing these out sent typically botnet Trojan. Necurs The the download would that Word document malicious a containing campaign 2016 in of aphishing appeared that part as variant aransomware is Locky Ransomware typically spreads via phishing emails sent out from a spam aspam from out sent emails phishing via spreads typically Ransomware There is no preferred target for ransomware. Ransomware is a “spray a“spray is Ransomware ransomware. for target preferred no is There 1.6 computer anonymous and internet viewing. the user’s the monitoring crashing screen, modificationor deletion, keylogging, malware, file additional installing or downloading theft, data attack, DDoS or “zombifying” the machine within a botnet to, not limited but including, tasks, criminal various perform can attacker An ACCESS AND UNAUTHORIZED ACCESS OF THE INFECTED MACHINE. INFECTED THE OF ACCESS UNAUTHORIZED AND ACCESS REMOTE FOR A INSTALL OFTEN HORSES TROJAN ATTACKS, WEB AND ENGINEERING SOCIAL VIA SPREAD GENERALLY SOFTWARE. AS OR A LEGITIMATE NONMALICIOUS, OTHERWISE USEFUL PIECE OF MASQUERADING PROGRAM COMPUTER A MALICIOUS IS HORSE A TROJAN Trojans CYBERTHREATS

Trojan payloads. to malicious download the allowing download, adrive-by via infects aopens malicious document via phishing or employee an Often network. your infecting from employee prevent an help hygiene user and education Proper devices. user and vector, secure both your corporate network of attack thatIf this you you atarget think are

PAGE 15 RADWARE HACKER’S ALMANAC PAGE 16 RADWARE HACKER’S ALMANAC ZEUS TINYLOADER Emotet is a piece of malware that targets the banking industry. Once a system is infected, Emotet infected, is asystem Once industry. banking the targets that of malware Emotet apiece is dangerous. or innovative more significantly not are thus and code, source Zeus to original the similar are versions custom well-known most the even that have discovered researchers security However, detection. harder in resulting Zeus, with issues toexisting the fix attempted IX) Ice as (such code leaked the on based bots custom advanced more of the bots. Some Zeus-based customized 2011, May In to various leading leaked, was 2of Zeus version for code source the Ukraine in connection with this ring. and Kingdom United the in arrested were others and States, United the in members suspected of arrests 90 over made FBI The computers. Zeus-infected with individuals American from million to $70 over steal ring crime 2010, 2010 organized by an October an attempt attack including throughout occurred Zeus involving Attacks 2009. March in began use however, widespread its of Transportation; U.S. the to Department attack used was it 2007 in when detected was Zeus botnet. of aDDoS-purposed part as to used be machine infected the on abackdoor installs Zeus Additionally, grabbing. form and keylogging man-in-the-browser user’susing a from browser information financial Trojan steals that awell-known horse is Zeus AbaddonPOS. as such programs, malicious other installs and TinyLoader, downloads with it infected Once afew kilobytes. only typically is size, its which from malware’s originates The name Trojans. banking and point-of-sale to deliver used malware backdoor infamous an is TinyLoader throughout a network. Some of its more notable campaigns include Pinkslipbot and . propagate to spreader a includes Emotetalso files. embedded PDFs with and links download attacks. Infections originate typically from users opening malicious documents containing infected DoS launching for modules and theft information account bank for malware banking other installs

KOVTER financial industry.financial the lure target to afinancial with emails Trojans, Trickbot, Emotet and as spear-phishing use such PREFERRED TARGETS: malware. other downloading or for exfiltration or theft data keylogging, DDoS, in use future for downloads, drive-by and phishing as such attacks, engineering social via to victim the spread MODUS OPERANDI: avictim’s on drive. itself hard storing keys without avictim’s targets it that registry meaning malware, “fileless” as known is files. Kovter office infected as such documents malicious contain opened, when attachments, These well. as ransomware delivered it once but campaigns, malvertising and attachments spam Trojan click-fraud via This spreads families. malware updated commonly most of the one is and fraud ad to commit devices network to target designed malware is Kovter Typically, Trojan malware is packed inside a legitimate software program and and program software Typically, alegitimate inside Trojan packed is malware Like exploit kits, Trojans target the end user’s devices. More advanced advanced More user’s Trojans end devices. kits, the target exploit Like

PAGE 17 RADWARE HACKER’S ALMANAC 2.1 PAGE 18 RADWARE HACKER’S ALMANAC Operators with objectives specific require tools. to advanced more develop ability the with disposal at their skills and techniques of avariety possessing governments by backed often are groups These Threat Persistent Advanced could be affected due to geopolitical events. to due geopolitical affected be could APTs, with targeted commonly industries all most the among are companies utility and play. Although the government and financial in to to due resources the complex attribute Government-backed are the most operations publicity. They are methodical surgical. and of deal agreat generate and purposes they do, when they havebut specific groups doThese not indiscriminately, attack network. targeted a on data sensitive live-monitor and access techniques and exploits, this troop can Using various intelligence-gathering durations. for long network the in foothold a to maintain of covertness degree a high THREAT ACTORS THREAT ESPIONAGE AND SUBVERSION FOR FINANCIAL OR POLITICAL MOTIVES. OR FOR POLITICAL ESPIONAGE AND SUBVERSION FINANCIAL INCLUDE OBJECTIVES WHOSE THOSE BY POSED ACYBERTHREAT DESCRIBE TO TERM USED ACOMMONLY IS (APT) THREAT PERSISTENT ADVANCED

future attacks. future prevent help can attempts spear-phishing Traininglink. and how to them phishing spot Yourtraining. weakest the are employees like employee is this attack preventing an step in first the Often network. your secure to measure necessary group, take every APT of thatIf an you you atarget think are

Threat Persistent Advanced

EQUATION GROUP | | UNITED GROUP EQUATION KOREA | NORTH GROUP LAZARUS APT28 | user data. user relies on spear-phishing campaigns to deploy malicious malware to designed exfiltrate orencrypt typically group This attacks. SWIFT finance-targeted the and outbreak ransomware WannaCry Ten 2014 Sony the including of Days Rain, decade, the past the over breach, data attacks various for 2019 since responsible is operation in and been has group nation-state This government. Korean North the with associated group acybercrime is Cobra, Hidden Group, aka Lazarus companies. global several and events sporting media, the elections, government target They world. the around agendas political influence and disrupt compromise, they anetwork, inside Once malware. customized to deploy attacks spear-phishing and exploits different for notorious is group This countries. Western with allied agencies government and of organizations to array an threat aconstant represents and 2008 since operation in to have been known is group nation-state 26165 Unit units, 74455. Unit agency and This intelligence military Russian two with associated group acyber-espionage Group, is Bear, Sofacy Fancy as and Pawn Storm known APT28, also .Lazarus by the attack WannaCry of the basis the as served which EternalBlue, included publication the in Group’s tool set containing undisclosed exploits and posted them to GitHub. contained Exploits Equation compromised had they that announced Brokers Shadow 2016,In The group hacking the firewalls. and switches routers, as such hardware used commonly to compromise ability the has group this NSA’s of the program, components intelligence largest of signal the one As domestic. and bothStates, foreign United of the enemies infiltrating and 1998, since monitoring operation in been has group nation-state (NSA). This Agency (TAO) Security National of the Operations Access Tailored the with associated unit intelligence-gathering and acyberwarfare is Group Equation The

PAGE 19 RADWARE HACKER’S ALMANAC PAGE 20 RADWARE HACKER’S ALMANAC

APT1 | key business and military strategies. military and key business both strengthen and economy country’s their benefit will that data any for look They infrastructure. PREFERRED TARGETS: data. exfiltrate and network the on users more to compromise designed malware deploy and privileges to escalate look attackers compromised, is user a Once credentials. capture and user aspecific compromise MODUS OPERANDI: data. targeted exfiltrate and access future to gain dumping password and malware attacks, spear-phishing with this accomplish They corporations across vertical, every with emphasis on manufacturing, and engineering electronics. from information confidential and secrets trade stealing on focuses group government-backed This from U.S.corporations. information and property intellectual stealing for members of five indictment the including of attacks, to anumber attributed been has and 2006 since operating be to known been has group Army. nation-state People’s This Liberation Chinese the with associated organization acyberwarfare Group, is APT1, 61398 Unit Comment as The known and also Nation-state operators often rely heavily on spear-phishing attacks to attacks spear-phishing on heavily rely often operators Nation-state Nation-state actors typically target the public sector, utilities and critical critical sector, and public the utilities target typically actors Nation-state 2.2 for rent via the darknet. the via for rent to known make botnets available been also massive volumetric attacks, but they have amplification and methods tolaunch services own stresser utilize their often groups These massive organizations for profit or fame. botnets to large have target constructed emergence of denial-of-service groups that an been there has recently time, only but for some around have been attacks DoS THE RESOURCES OF A SINGLE MACHINE. MACHINE. ASINGLE OF RESOURCES THE EXHAUST TO MACHINES MULTIPLE ATTACK USES A DDOS MACHINE. ANOTHER OF RESOURCES THE ATTACK EXHAUST TO AN LAUNCH TO MACHINE ASINGLE UTILIZES ATTACKER AN WHEN ATTACK IS DOS ASTANDARD USERS. ITS TO UNAVAILABLE SERVICE NETWORK OR A COMPUTER RENDER TO DESIGNED CYBERATTACKS ARE ATTACKS DOS Groups of Denial THREAT ACTORS THREAT - Service - emergency response plan is also required. required. also is plan response emergency An traffic. legitimate affecting not adversely while that strike network your anomalies block and identify to efficiently ability the mitigation are recommended. requires This volumetric protection for real-time DDoS that combine on-premise and cloud-based mitigation DDoS devices. Hybrid capabilities attacks to designed overwhelmmitigation Burst floods to saturation from ranging vectors of to attack array an face prepared is that network your ensure organization, your targeting is group If adenial-of-service

PAGE 21 RADWARE HACKER’S ALMANAC PAGE 22 RADWARE HACKER’S ALMANAC LULZSEC MCA DDOS TEAM DDOS MCA HACKERS SQUAD GHOST SQUAD LIZARD to sensitive information and publishing this data. data. this publishing and information to sensitive access gaining observed been also has group this attacks, to DDoS addition In industry. the within OpIcarus, a prolonged campaign against financial institutions in response toallegedcorruption on Anonymous as such groups hacktivist with collaborated group This ISIS. and Klan Ku Klux the Forces, Defense U.S. the Israeli military, against 2016 since attacks active notable been with has It speech. anti-hate and of anti-government support in attacks launches Hackers Squad Ghost arrest. his before attacks to $1.2 DDoS close made selling million member, Squad aLizard AppleJ4ck, services. their to advertise attacks to launch stressers these used often Members Shenron. and Stresser Lizard as profit,such asubstantial made that services stresser successful ran it because campaigns conducted never Squad Lizard payment. demanding emails ransom out sent and Squad Lizard to impersonate attempted groups RDoS 2014. Day Christmas on Live Xbox and 2016, In PlayStation as such copycat several networks 2014 from gaming active was against Squad Lizard attacks to for 2016 notoriety gained and attacks. DoS launching as well as information personal and private publishing individuals, and corporations agencies, government of networks computer the infiltrated group This existence. of its peak the during occurred which attacks, high-profile numerous for responsible group hacking acomputer was LulzSec political or moral view. A DDoS attack is used to silence or embarrass their targets. targets. their embarrass or to silence used is attack view. ADDoS moral or political opposing an with else anyone and corporations governments, include targets Their activists. PREFERRED TARGETS: successful. proved waves of bandwidth pulsing or bursting with combination in attacks botnet-based volumetric, Recently, combing attack. of the origin the mask and bandwidth more produce will amplification while of security, layers additional any allow for will Spoofing amplification. or spoofing allows that one is vector attack MODUS OPERANDI: governments. Gabon and Israeli Philippine, the against activity 2012. hacktivist since in active engaged group The been has that Philippines the from group hacktivist motivated apolitically is Arm Cyber Magdalo Threat actors typically leverage botnets and attack scripts. The preferred preferred The scripts. attack and botnets leverage typically actors Threat Those that conduct DDoS attacks outside of extortion tend to tend be of extortion outside attacks DDoS conduct that Those

2.3 their own attacks. attacks. own their to others paying launch and stressers renting on rely instead and solely attacks conduct to unable largely they vectors, are but attack code tobasic Python automate basic DDoS may download attackers systems. These those penetration found within testing typical tools or GUI-based utilize basic mainly and point to make apolitical innocent the target also hackers These enemies. considered also are cause the not that join do Those cause. their against action is inaction believe They protested the involved in event. directly is they think who anyone attack groups These ATTACKS IS AND IDEOLOGICAL A POLITICAL DIFFERENCE. THESE OF CORE AT THE CHARGE. OF FREE INFORMATION SENSITIVE DOX/POST TO WILLING OFTEN AND MOTIVATED FINANCIALLY NOT ARE ATTACKERS ATTACKS. THESE XSS OR SQLI DDOS, LIKE ATTACKS OR ACTION. ATTACKS MOST AND APPLICATION OF CONSIST NETWORK DUE TO OPPONENTS AGAINST A POLITICAL OPINION CONFLICTING ACTS MALICIOUS OR PROTESTS DIGITAL STAGE TO CAPABILITIES CYBER USE THAT GROUPS DRIVEN POLITICALLY ARE HACKTIVISTS Hacktivists THREAT ACTORS THREAT advanced notification.advanced related to event the hashtags to provide In addition, monitor social for media specific two-factor authentication where applicable. enforce and accounts media social Secure toseeking compromise your network. of possible increases in malicious emails patched. employees and Inform updated are networks that all sure Make operation. days beforethe publicly announced and annual are attacks Most attributes. accordingly based on the aforementioned network your prepare of ahacktivist, target the is that it thinks If organization your

PAGE 23 RADWARE HACKER’S ALMANAC PAGE 24 RADWARE HACKER’S ALMANAC WIKILEAKS (CCC) CLUB COMPUTER CHAOS advocates for more transparency in government, and the human right to right human the and of information freedom government, in transparency more for advocates CCC the of information.” general, In freedom for borders across strives which orientation, societal or of sex, age, race independent forms, of life community “a as galactic itself describes CCC The Computer Club Schweiz. Chaos association sister independent the in organized are Switzerland in chapters Some countries. (called chapters local with an as incorporated is It members. 7,700 with of hackers (CCC) Europe’s is association Club largest Computer registered Chaos The 2012. since in of Embassy the in hiding been has and director and editor-in-chief since its launch. , an Australian internet activist, is generally considered its founder, first the in 10 years of 10 documents adatabase million claims Press, Sunshine organization the by Iceland in in 2006 initiated Its website, sources. anonymous by provided media classified and leaks news information, secret publishes that organization nonprofit international an is WikiLeaks people.” of the hands the in back power the “Putting slogan the featured group’s The websites. its logo on messages peace and weapons anti-nuclear inserted and time, atthat hack mass largest the including reasons, political for hacks conducted group The 3, 1998. June on Neyveli, in (BARC) Centre Atomic Research facility, Bhabha research nuclear of India’s computers primary the penetrating for known best is team hacking international This to prosecution. avoid identities members’ conceals often which milw0rm, about known is Little access to computers, technological infrastructure and the use of open-source software. software. of open-source use the and infrastructure technological to computers, access universal free for fights also club the ethic, hacker of the principles the Supporting communicate. Erfa-Kreise eingetragener Verein ) in various cities in and other German-speaking German-speaking other and Germany in cities various ) in (registered association) in Germany, in association) (registered

GROUP ANONYMOUS with a political opinion or lifestyle with which the hacktivists disagree. disagree. hacktivists the which with lifestyle or opinion apolitical with PREFERRED TARGETS: them. with associated indirectly or directly anyone and targets attheir directed attacks denial-of-service and defacements , include operations Normal MODUS OPERANDI: chatrooms. online secret in operations discussing world, the over all from come speech.” Members free on war “jihadis’ the for retaliation in 1,000 websites than more terrorist down taken already has It of ISIS. service recruitment online vowed to the destroy group This . to crack computers uses and emails “phishing” with details into revealing targets to websites that host questionable/unethical content. Anonymous swamps websites, tricks governments and businesses big from have ranged targets of which group anti-establishment an as known is It decade. past the during turn larger, afar sinister have more taken activities their but fun, for websites striking of amateurs acollection as 2003 in started Anonymous Hacktivists typically engage in crowdsourced operations or team efforts. efforts. team or operations crowdsourced in engage typically Hacktivists Hacktivists’ targets include corporations or individuals associated associated individuals or corporations include targets Hacktivists’

PAGE 25 RADWARE HACKER’S ALMANAC 2.4 PAGE 26 RADWARE HACKER’S ALMANAC Insiders limit insider knowledge and access and and access and knowledge insider limit compromising your organization, move to immediately. is employee If an authorities the threat, contact insider of an atarget is organization your If you believe theft. data and cyberattacks against defenses your best of one as them ensure motivation helps and employer. Ensuring employee happiness and employee to between of level the trust due to threat business your critical most the represent might of employees types These OBJECTIVE IS PROFIT,OBJECTIVE COMPANY OR SHAMING ESPIONAGE. EMPLOYEES PRIMARY OR WHOSE DISGRUNTLED OPPORTUNISTIC TYPICALLY ARE THREATS FACE. THESE CAN ORGANIZATION AN THAT THREATS DAMAGING MOST THE OF ONE ARE THREATS INSIDER THREAT ACTORS THREAT data on social media. social on data employees accidently or maliciously leak athreat. Sometimes present also employees actors, innocent to addition In malicious devices. other into plugged be that can hardware network or points access rogue drives, USB include Items can facilities. your in placed have been Look for unauthorized hardware that may property. the from remove employee the

ESPIONAGE OPPORTUNISTS CASH OUT DISGRUNTLED EMPLOYEES industry who can assist in committing fraud. fraud. committing in assist can who industry financial the in employees incentivize or to compromise look often attackers These customers. organization’s the against of fraud process to the aid them allow that acorporation in to positions access gain deliberately to be. They seem they who not are employees some trend, agrowing In event. swan black resulting to any isolate plan emergency an to is prepare threat this with way to deal best company. the to The expose needed or its superiors. these Often employees sit at their position for years collecting the information company the to damage motivation as serve can it them, wronged has company their that perceive employees When organization. an for risk cybersecurity ahuge be often can employees Disgruntled so.do to access coworkers’ steal or privileges their abuse typically They profit. for goods digital steal and arises moment the when act only They employers. their to how or hack security network about knowledge advanced possess not do who citizens law-abiding generally are insiders Opportunist insider threat. threat. insider PREFERRED TARGETS: traffic. network corporate to inspect points access rogue deploy also can Insiders alure/trap. as insider by an behind left devices USB/mobile or emails phishing via theft credential or data include MODUS OPERANDI: intellectual property. and data stealing of purpose sole the for company by aspecific employed is who employee an to spot, involves hardest of the one often and attack theft apremeditated espionage, Corporate Insiders typically depart the organization with sensitive data. Other methods methods Other data. sensitive with organization the depart typically Insiders Employers, coworkers and direct supervisors are the main targets of an of an targets main the are supervisors direct and coworkers Employers,

PAGE 27 RADWARE HACKER’S ALMANAC 2.5 PAGE 28 RADWARE HACKER’S ALMANAC Organized as point-of-saleas ATMs. systems and such targets physical as well as extortion, for executive the class include targets paying. High-profile often organizations the in result which demands, ransom for risk at also are institutions financial withcompanies large customer bases, stolen data is usually valuable. Besides any attention. addition, In garner typically customers any resulting because outages of numbers large with organizations target typically and spans time target(s) short in their spam will often They exploit. financially can they believe they that organizations groups strikeThese or individuals “DIGITAL GANGS” THAT TO MALICIOUS CONDUCT USE COMPUTERS Cybercrime DENIAL OF SERVICE FOR RANSOM, CRYPTOMINING AND FRAUD. FRAUD. AND CRYPTOMINING RANSOM, FOR SERVICE OF DENIAL RANSOMWARE, AS SUCH ATTACK VECTORS EXTORTION-BASED INCLUDING OPPORTUNISTIC, TO DIRECT FROM ATTACKS OF AVARIETY LEVERAGE CYBERCRIMINALS ORGANIZED PROFIT. FINANCIAL BY MOTIVATED ACTIVITY DESCRIBES THAT TERM UMBRELLA AN IS CYBERCRIME ORGANIZED THREAT ACTORS THREAT

harvest and steal credentials. steal and harvest to designed malware financial systems with point-of-sales via networks or skimmers with stores in machines targeting of criminals wary In addition, retailers be should particularly response plan in place for extortion attempts. to prepare for, corporations should have a difficult and attacks are often unannounced authentication wherever possible. Because two-factor utilizing updated, patched and system your you not keep do if susceptible Your weak. the on more is organization prey cybercriminals devices; and data your of security the ensure gang, cybercriminal of a target the is If organization your

FIN7 RTM DARK HOTEL personal data. data. personal their and users end over systems banking targeting criminals in shift the support procedures and techniques tactics, globally.Carbanak’s institutions 100 over from financial 1billion stealing for eponymously named malware, Carbanak. The group targets financial institutionsand is responsible its for notorious group cybercrime Spider, organized an is Carbon as known also Carbanak, collecting personal information/data. for page to phishing its users ahotel’s to redirecting WiFi, compromise known is group the 2000s, early the since Active States. United the and Asia in centers business and hotels atluxury staying to targets malware delivering campaigns, spear-phishing its for popular agroup is Hotel Dark accounting software. target and credentials user log Trojan RTM to victims, on spy The used is countries. neighboring and Russia in systems remote banking on data user targets group Trojan The RTM. malware, 2015, own since its for active known is group, apparently which cybercrime organized an is RTM network systems. network to access remote providing and exfiltration data for malware Carbanak leveraging witnessed been has and victims its to target malware point-of-sale leverages group This verticals. hospitality and retail against attacks for known is group,which cybercrime motivated,organized Fin7 afinancially is

PAGE 29 RADWARE HACKER’S ALMANAC PAGE 30 RADWARE HACKER’S ALMANAC

MORPHO/WILD NEUTRON GROUP medium-sized businesses that are most vulnerable and due to their propensity to pay. propensity to their due and vulnerable most are that businesses medium-sized and small extort cybercriminals organization, to amafia Similar organizations. to large users PREFERRED TARGETS: victim’s the knowledge. without data card credit to capture websites e-commerce popular on skimmers digital or physical deploy will groups advanced more of the Some websites. to advanced assaults. Most commonly, they deploy malware via phishing emails or compromised MODUS OPERANDI: when it infected companies such as Apple, and Twitter. attention gained and certificates signing code stolen utilized group the attacks, recent In malware. multiplatform using chaining exploit and attacks Water as Hole such vectors attack leveraged that of operations anumber conducted has group this decade, last the Over Europe. and States United the in effort particular with world, the around espionage corporate on focuses group This Morpho. or Jripbot by name the goes also that group cybercrime organized an is Group Neutron Wild Organized cybercriminals will use nearly any attack vector, from basic legacy vector, legacy attack any basic from nearly use will cybercriminals Organized Cybercriminals follow the money. They will target anyone from individual individual from anyone target money. the will follow They Cybercriminals 2.6 could be considered an act of act war. an considered be could geopolitical turmoil because these actions cause can attacks event, resulting and to a political furiously and quickly respond will groups These hackers. nation-state rogue or a have from is threat the to if determine create problems for victims they because can attacks aresult, these As government. for a operating hackers by freelance by launched attacks citizens attacks or retaliatory be can and aggression foreign to response in typically are attacks These CONSIDERED TO BE ENEMIES OF THE STATE. THE OF ENEMIES BE TO CONSIDERED ACTIONS NETWORKS BY GOVERNMENT HACKING WHO ARE INDIVIDUALS NONGOVERNMENT DESCRIBE TO USED IS HACKERS” “PATRIOTIC TERM WHO GENERALLY FOLLOW SOME FORM EVENT. OF POLITICAL THE CYBERATTACKERS MOTIVATED POLITICALLY ARE HACKERS PATRIOTIC Hackers Patriotic THREAT ACTORS THREAT maximum damage.maximum cause networks), can which vulnerable with target low-hanging (i.e., fruit organizations highest priority. attackers These typically the be should employees and network your Protecting capabilities. cyberattack type by governments but possess government- backed Patriotic not are typically groups well. as groups threat persistent advanced with concerned be you should hackers, of thatIf patriotic you you atarget think are

PAGE 31 RADWARE HACKER’S ALMANAC PAGE 32 RADWARE HACKER’S ALMANAC

SYRIAN ELECTRIC ARMY 2.0 TARH ANDISHAN The Sunday Times Sunday The eBay, , Microsoft, portal, Corp’s Marine recruiting States United the ITV, on to attacks linked been has group the account, Twitter Press Associated the to hacking addition In companies. technology and organizations news on mostly focused of attacks to astring linked been has SEA The U.S. contractors. defense as as well Europe, and East Middle in the websites government hacked also has It conflict. Syrian to the neutral seemingly are that websites and groups rights human organizations, news Western groups, opposition political targeted has it attacks, DoS and phishing malware, defacement, website spamming, Using al-Assad. Bashar President 2011 of Syrian government the to support in online surfaced first that hackers of computer agroup is (SEA) Army Electronic Syrian The apparently, the common belief is that he is an officer of Russia’s Main Intelligence Directorate. Russia’s of Intelligence Main officer an is he that is belief common apparently, the however, nationality; of Guccifer’s exist 2016. in reports Committee Varying National Democratic the from emails stolen with WikiLeaks providing for credit took who 2.0 hacker” “lone the is Guccifer Cleaver.” “Operation termed been has what under globally companies private and systems, military and government agencies, prominent on of attacks number alarge launched has group this tactics, advanced other with along injections, SQL and backdoors systems, propagation wormlike automated of. using By capable is group hacker asophisticated what demonstrates Andishan Tarh globally), located members fringe multiple Tehran, in with (along based Iran many members, 20 estimated an With Israel). and States by (created United the attack worm the from recovering still was Iran while created was “innovators”) meaning translation (aTarh Farsi Andishan , The , Time Out Time , NBC, The Onion The Daily Mail Daily The , Outbrain, , Outbrain, and and Le Monde The New York New Times The Forbes . , The ,

,

THE JESTER/TH3J35T3R attack key figures and corporations associated with opposing political parties. political opposing with associated corporations and key figures attack PREFERRED TARGETS: exfiltration. data and theft credential malware, worming as such techniques, advanced more use 2.0 SEA and Guccifer as such actors whereas defacements, and attacks DDoS in Jester, The engage as who such hacktivists, political considered be just could actors these cases, some In operators. by nation-state posed to those MODUS OPERANDI: States. United the within issues political on focuses Jester The years, recent In awebsite. down taken to have successfully purports he “TANGO Twitter on DOWN” whenever Jester’s to is of tweet The traits One to “XerXeS,” have as developed. claims he known tool which aDoS uses Jester The patriotism. of American out to acting be claims He websites. Islamist and Ahmadinejad Mahmoud President Iranian , WikiLeaks, on attacks for to responsible be claims He hacktivist. as a hat” “grey himself describes who vigilante computer unidentified an is Jester The The primary methods of these groups range greatly from hacktivist abilities abilities hacktivist from greatly range groups of these methods primary The Political hackers typically target government agencies but are known to known are but agencies government target typically hackers Political

PAGE 33 RADWARE HACKER’S ALMANAC 2.7 PAGE 34 RADWARE HACKER’S ALMANAC Denial Denial Ransom fake RDoS groups that target hundreds hundreds that target groups fake RDoS However, stated as earlier, also are there vertical. asingle in of victims a handful only target typically criminals RDoS Actual of have targets. array an criminals These to fake groups. be deemed both have been and campaigns, ransom to known is launch notes; ransom however, RDoS out sent neither have allegedly Squad Lizard and as such Groups of others. names the profit off to emerged has of copycat groups number Additionally, a years, several over last the techniques. cyberattack nonvolumetric and both volume combine attacks advanced most The volumes. large generating without techniques efficient and topiercing more find However,attacks. vogue in increasingly is it DDoS of take volumetric form the typically 2010 since have increased attacks and These real. is that threat the evidence as victim’s the on attack network small-scale a launch will attackers cases, some In Serviceof UNAVAILABLE UNLESS A RANSOM IS PAID BY A SPECIFIED DEADLINE. DEADLINE. A SPECIFIED BY PAID IS ARANSOM UNLESS UNAVAILABLE CAPABILITIES OR OPERATIONS ITS RENDERING BY ORGANIZATION AN ATTACK TO THREATENING A LETTER SEND PERPETRATORS THE ATTACK, RDOS AN IN GAIN. MONETARY BY ATTACK MOTIVATED (DDOS) OF-SERVICE DENIAL- DISTRIBUTED OF ATYPE IS (RDOS) SERVICE OF DENIAL RANSOM THREAT ACTORS THREAT

indicators to distinguish between the two: the between toindicators distinguish several are unit, amateur there an or group hacking acompetent from noteransom comes a to if determine impossible almost is it Although companies simultaneously. of number alarge such attack and through follow could group way no is there asingle time. reality, In expiration and address a single day, leveraging the same in verticals multiple across of companies Ð Ð Ð Ð Ð Ð Ð Ð Ð Ð the group known forDDoSattacks? Look forother suspiciousindicators:Is companies, allwithinthesame industry they normallytargetlessthan adozen When hackerslaunchreal RDoS attacks, websites ortargetlists “Fake” groups donothaveofficial “fake” groups excludethe“demo”attack “Real” groups prove theircompetence; different amountofmoneythantheoriginal Fake RDoSgroups oftenrequest a

XMR DD4BC PHANTOM SQUAD ARMADA COLLECTIVE and now uses XMR. This group has also engaged victims by sending out threats via Twitter. via threats out by sending victims engaged also has group This XMR. uses now and changes currencies as its campaigns continue. The group with began euros, followed by , also group The recognition. to garner campaign original its during up set likely awebsite, and account official Twitter an has XMR_Squad others. from different notably were but States, United 2017. in the and emerged Germany in XMR_Squad companies group targeted RDoS Its attacks campaign. attack DDoS multivector apersistent launched group time, the allotted the in paid not was ransom the If attack. DDoS by asample followed industry, asingle in companies note to select aransom by DD4BC sending as pattern mission same the followed group This Switzerland. and Russia, in services hosting and sites e-commerce banks, on focused of attacks 2015, in of aseries DD4BC, with rise the surfaced after Collective Armada original The arrests. members’ before attacks late 2015, in notoriety 2014 in 100 over executed gaining confirmed Emerging group this rapidly and awave extortionists. of other inspired and tactics extortion DDoS of the pioneer the was DD4BC easier to extort. to extort. easier therefore are and mitigation and detection DDoS advanced lack that businesses medium-sized and PREFERRED TARGETS: attack. adenial-of-service launch will attackers the paid, not is ransom the If competence. to prove their attack asample with it follow MODUS OPERANDI: attack. an with through follow not did group the because fake deemed was threat The States. United the and 2017 Asia Europe, September throughout to companies in demands ransom 2015. spamming from Squad began Phantom group new notorious This original, of the 2017 in name same the emerged leveraged and of extortionists group Another Typically, RDoS actors will send an extortion demand to their victim and and victim to their demand extortion an Typically, send will actors RDoS Like organized cybercriminals, RDoS extortionists tend to target small small to tend target extortionists RDoS cybercriminals, organized Like

PAGE 35 RADWARE HACKER’S ALMANAC 3.0 PAGE 36 RADWARE HACKER’S ALMANAC Cybersecurity Cybersecurity in cybersecurity. cybersecurity. in prevalent so of unknown the fear the eliminate you can procedures, and techniques tactics, cybercriminal understanding aware By be of advance. in should to events that organizations responses planned and coordinated However, carefully are of attacks other percentage alarge Forecast HOURS. PREDICTING THESE TYPES OF ASSAULTS IS NEARLY IMPOSSIBLE. NEARLY IS ASSAULTS OF TYPES THESE PREDICTING HOURS. DAYS OF OR MATTER THE IN ARISE CAN THAT SITUATIONS OPPORTUNISTIC OF RESULT THE GENERALLY ARE ATTACKS DARK. AHAYSTACK … THE IN IN ANEEDLE FINDING TO AKIN IS CYBERATTACKS FORECASTING ACCURATELY DDOS for ideological reasons. For example, Israel faces a yearly campaign, OpIsrael, that is executed executed is that OpIsrael, campaign, ayearly faces Israel example, For reasons. ideological for opposed are that events social or economical, political, with associated cyberattacks to face expect now can regions and Nations releases. product or tournaments gaming during of services degradation and attacks expect can industry gaming the in operators network example, For events. specific with parallel in occur often they but duration, and size in vary campaigns Denial-of-service large-scale service outages. service large-scale to of events prevent ahead systems their of auditing apattern develop should and attention cyber unwanted draw will events sporting large with associated Organizations season. hunting of the start atthe operation, Anonymous annual an by OpKillingBay, to targeted be expect can dolphins) and (whales life of sea shipping and hunting the with indirectly and directly involved Organizations 7–14. April annually

SOCIAL EVENTS MALICIOUS BOTS these events are easy to forecast but difficult to pinpoint a starting point. Attacks typically include include typically point. Attacks starting a pinpoint to difficult but to forecast easy are events these Typically, elections. political as such events, social to target known have been also actors bad These them. targeting by generated be can that profit the and events of aware these are herders Bot attendees. and providers service suppliers, sponsors, partners, to organizers, arisk present Cup World and Olympics Bowl, Super The vendors. and sponsors for risk elevated an bring can events by high-profile created environments target-rich and crowds The events. social on based forecasted be also can activity Malicious marketplaces. online to just limited not of is bots threat The spamming. review to and rating addition in fraud, ad and carding exhaustion, inventory from suffer also September, can but during activity scraping web in spikes witnesses either. typically It exception no is industry travel The fraud. ad and of inventory, carding to related denial activity bot in spikes witness Valentine’s and Monday Friday, typically Day Black as Cyber such Holidays and August as bot herders become more competitive during the slower shopping months. June between activity increase typically industry e-commerce the target that Scrapers activity. malicious for preparing with operators network assist can this observed, If pattern. predictable amore follow typically bots bad consumers, for prices gathering or content new for internet the daily, active are bots crawling good most bots. While “bad” are there bots, and “good” are There draws near.draws election an as activity cyber in spikes for prepare they so patterns to recognize need governments and operators network election, of an voters. To to integrity the manipulate used be maintain can bots Social information. distorting or atcensoring aimed defacement web and assaults DDoS

PAGE 37 RADWARE HACKER’S ALMANAC 4.0 PAGE 38 RADWARE HACKER’S ALMANAC Proactive defend itself if/when an attack is launched. launched. is attack an if/when itself defend to positioned better be will organization of time, your ahead attack an may trigger event that for an motive. prepare If you can have to most a but predict, impossible are advance of potential conflicts. Some threats conduct major audits of your networks in Second, direction. right step in the first the is patched software consistently and hardware Ensuringweaknesses. updated regularly your vectors, organization’sattack understand potential and enemy the Before researching networks. its tactics, techniques and procedures against have to leverage an opportunity the latest latest the threats before criminals researching constantly is team, aproactive which requires cybercriminals.modern Information security of to work ahead must get organizations strategy. To threats, for future prepare of ahurry-up-and-wait luxury the omits industry. Today’s landscape threat evolving aproactive, is not aretroactive, Cybersecurity Measures ENEMY BUT ALSO UNDERSTANDING BUT ALSO ENEMY YOUR ORGANIZATION’S NETWORK. YOUR ONLY KNOWING NOT MEANS ORGANIZATION YOUR SAFEGUARDING DDoSWarriors.com. tools, and visit types attack emerging about more learn or of cyberattacks vectors, understand the business impact To today’s about more know attack threats and budget. needs, its fits that best solution optimal the capabilities, requiring each company to select various options deployment with and different solutions in come Cybersecurity choices. many with menu carte ala an is it rather but protection is not a one-size-fits-all menu, DDoS solution for your organization. DDoS optimal the you allows to select infrastructure Last, your IT and understanding network threatdifferent groups. for attack vectors leveraged commonly by prepare can organization your attacks, launch how hackers and limitations its network, your how they attacks. launch By understanding way the they and operate cybercriminals, by knowing of front problem the in get Third,

5.0 from auser’sfrom browser. even —and server the off data text clearing or passwords keys hashed or encryption stealing through transit in or at is rest data the while — Theft Data fool the user. to content spoof or machine local the attack disclose thecan user’s end token, session user’sto end an browser. attack Asuccessful attack an to transport amechanism as used be can application web The application. by the used input of user validation no is there where flaw application aweb through scripts aremalicious injected into websites — Scripting Cross-Site with bandwidth-amplified attacks. to address IP spoofed the responding servers in the list, resulting amplification the on device to every requests spoofed of sending process automate and then the list amplification an as known servers of alist vulnerable generate will attacker The attack. amplification an protocola vulnerable of capable facilitating with server exposed locate an must attacker an attack, traffic. amplification an launch To attack the protocols to amplify server of different advantage that takes attack attack is a sophisticated denial-of-service — Amplification Attack Sensitive data is compromised Glossary An amplification An In this attack, In this attack,

web server and replacing the current website website current the replacing and server web a of website the by hacking appearance visual — Defacement packets. These requests are specifically specifically are requests packets. These spoofing, reflective malformed techniques or not use do Floods server. web targeted HTTP to sent a POST or requests GET of HTTP legitimateseemingly sets session-based of consist floods These applications. and servers web to by hackers attack used — HTTP/S Flood amplified attack. zone to victim’s the an in resulting address, IP all knownsending information the about DNS by responds server DNS The address. IP to victim’s spoofed its be address IP source the with servers DNS to of alist open request “ANY” an lookup name that sends DNS attack — DNS aC&C server. via attacker the IoT infected innocent, by controlled devices often are attacks the out carrying machines infected The strength. and effectiveness its increasing thereby attack, aDDoS out carry employsimultaneously multiple machines to of attackers agroup or attacker an when A distributed occurs attack denial-of-service — (DDoS) of Service Denial Distributed most associated commonly with SQL. attacker’s the is with content attack own. This A DNS amplification attack is an an is attack amplification ADNS The attacker The modifies the An attack method method attack An

PAGE 39 RADWARE HACKER’S ALMANAC PAGE 40 RADWARE HACKER’S ALMANAC devices to distinguish between legitimate and and legitimate between to distinguish devices security for network hard is it today because servers web threats facing advanced most of the two are attacks Flood HTTPS and attack’s the power. overall increasing HTTP of abotnet, by means masse en sent often are requests Such of service. adenial in result can therefore and of server’s the resources todesigned consume a significantamount between 10,000x and 51,000x. bandwidth amplification factor can range Memcached The victim. the address, IP forward an amplified response to thespoofed and request to reply GET the will servers Memcached list. As a result, the amplification onthe the vulnerable servers Memcached to request GET aspoofed send will attacker 11211port step, second the In the exposed. UDP with servers Memcached of vulnerable list amplification an builds First, attacker the to that attack. of similar aDNS tasks malicious two performs attacker the which in attack denial-of-service volumetric aUDP is attack Memcached — to executed be locally. server to script target the to malicious the upload has to attacker the vulnerability, RFI, this with — (LFI) Inclusion File Local server. target the a denial-of-service condition is achieved for until request ICMP incoming every to process that attempts server atarget overwhelm can latency-testingnetwork “ping” packets) — (especially packetsof ICMP of type any large number Flood — abnormally an sending operations, diagnostics errors. ICMP and An for IP protocol used aconnectionless is (ICMP) — Protocol Message Internet Control traffic. HTTP malicious Internet Control Protocol Message A Memcached amplification A Memcached Although similar

Once an associate falls victim to victim these, the falls associate an Once to key target associates. designed or company the in to sent everyone either are attempts organization or the company itself. These atrustworthy as by posing information personal solicits attacker website. or The email sensitive information by using a malicious Phishing — network. its flooding —thus victim the — IP address spoofed to reply the amplified large, the send servers NTP aresult, the As servers. NTP — to of alist vulnerable server NTP to addressed the that connected hosts 600 of alist last the requesting a command — monlist packets containing NTP spoofed — NTP arbitrary code execution.arbitrary to severity, the lead on could it depending but contents the of file, the outputting as minimal as be can This validation. proper without to of due user-supplied use the input occurs server. web the vulnerability on script The a via file, hosted aremotely usually include to attacker an It websites. allows running PHP on found often most is of vulnerability Remote File Inclusion (RFI) — of control server. the full taking in result can and system the functionality abuse or and/ information sensitive to extract machine atarget’s on command or code malicious to attacker’s an are execute attacks ability compromised. Remote code execution completely being tomay lead server the server, which of aDrupal injection code to may lead remote exploitation A successful malicious content to exploit the vulnerability. with arequest construct can attacker Remote — Code Execution systems. to certain to access gain required information have then sensitive the will hacker An NTP amplification An sends assault A digital attempt to attempt obtain Adigital A remote This type type This

because the delay could be normal and and normal be could delay the because request SYN-ACK connection packet for each to for a continue wait will attack SYN Flood a under Aserver packet arrives. that never ACK for an wait to and subsequently request malicious for each aconnection to open to attempt machine target the causes This addresses. IP spoofed to using it requests machine by of thousands sending connection — SYN device. the on services the all contains answer amplified to victim’sthe machine that an with back replies list the on device UPnP ssdp:rootdevicean ssd:all or to sent each packet with spoofed The devices. (UPnP) play plug-and- to of alist universal active address victim’s the packets containing spoofed IP SSDP — more. and database the in create objects server, the on or drop remote commands run unauthorized data with administrator access, to to access gain query SQL application an vulnerable.become Attackers modify can they not are sanitized, inputs application the When coding. application of poor advantage — Injection SQL foraccess malicious activity. system gain or fraud commit cyberattacks, for future to are motives information gather of time, the Most attacker’s the support. or of to wanting emotion help human natural victim’s the off played has hacker the because information or give unauthorized access confidential divulge have victim targeted the to is goal The hacking. human as known psychological manipulation, more commonly — Engineering Social A SYN Flood overwhelms a target atarget overwhelms ASYN Flood An SSDP amplification attack sends SSDP amplification sends An attack This technique This takes A process of Aprocess (typically the ). Servers need to open open need to firewall). the Servers (typically way the on entities of network the one or of server targeted the tables connection session/ the not return, overwhelming will thus IP, SRC the (SYN-ACK reply the so packet) spoof will attackers cases, many In victim. the SYN packets to numerous sending involves popular denial-of-service attacks, TCP Flood — TCP Flood continues. attack flood the as long as for continues process This of connections. the any out time server’s TCB can beforeit table of half-open fills connections quickly up the the connection requests, the massive number a SYN-ACK for of any packet arrives never However, congestion. related to network since spoof the SRC (source) SRC the spoof IP. attackers the cases, most In pipe. internet the to is saturate intention Flood of aUDP main have of any handshake type mechanism, the protocol is “connectionless” not and does UDP the Since ports. to or random destination packets UDP to large asingle sends — Flood UDP attack. the of strength biggest the perhaps is —which IP areal use not have to does attacker the attacks, level SYN packet. TCP Unlike other application- or each has process also to afirewall that on legitimate ones. happen can Similar effects including to requests, new drop starts server the happens, this Once table. the fill that will of amount packets SYN to asufficient send may be, easy is it table this size. as big As they that storehave limited state this tables in and SYNa state packet for each that arrives, One of the oldest, yet very yet of oldest, the very One In a UDP Flood, the attacker attacker the Flood, aUDP In

PAGE 41 RADWARE HACKER’S ALMANAC www.radware.com

© 2019 Radware Ltd. All rights reserved. The Radware products and solutions mentioned in this document are protected by trademarks, patents and pending patent applications of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.