Security researchers are tracking a new distributed denial-of-service (DDoS) extortion activity by threat actor group Fancy Lazarus. The attacks have been primarily targeting US and global organisations from a range of sectors including energy, financial, insurance, manufacturing, public utilities and retail.

The group – which formerly used monikers such as Fancy Bear, Lazarus, Lazarus Group, and Armada Collective, among others – went on hiatus for around a month from April to May 2021 following a campaign of ransom DDoS attacks against global financial institutions and organisations that started in mid-to-late August 2020.

“In each case the threat actor demanded bitcoin payment or else a small-scale denial-of-service attack would be launched with a more substantial attack mere days later,” Proofpoint researchers explained in a blog posting. Now, the group has resurfaced with a new name and changes in its tactics, techniques and procedures (TTPs).

Changes to Fancy Lazarus’s DDoS attack method

These variations indicate the group’s determined effort to evolve their activities, the researchers said. The changes are the ransom pricing – reduced from 10 bitcoin to a starting price of two bitcoin (most likely in recognition of bitcoin’s fluctuating value) – and the wording used in the emails sent to recipients.

“There are three email variants sent to the same recipients conveying the same information, except with the email body in plain text, HTML, or as a JPG image attachment. This is likely an attempt to evade detections,” the researchers wrote.

Previously, the sender would, at times, include the targeted company’s highest-ranking person such as the CEO’s name. In the most current campaign, a random first name, last name format is used and the names appear fictional, researchers said.

“It is interesting that the group is still going back and tweaking the original email, potentially indicating its effectiveness. Between August 2020 and now, however, they have tried completely different text in the emails,” researchers added.

How Fancy Lazarus structures the DDoS attacks

The emails begin with an announcement of the name the group is now using and acknowledge that the victim organisation has been specifically targeted. The email urges the target to perform a Google search as proof of the group’s “previous work” and recent high-profile victims such as the New Zealand Stock Exchange. “You don’t want to be like them, do you?” the email asks.

The email then outlines, in detail, the process by which the attack will take place, stating that the recipient’s network will be subject to a DDoS attack in seven days that can only be avoided by paying a fee of two bitcoin by the stated deadline.

To prove their seriousness, the attackers claim they will begin a small attack on a “few random IPS” that will last for around two hours. “It will not be a heavy attack, and will not cause you any damage,” the email continues.

When it comes to the full-scale assault, the group claims there is no counter-measure due to the power of the attack, which they state will peak at over two Tbps.

“This means your websites and other connected services will be unavailable for everyone,” the email reads. “If you don’t pay the attack will start and the fee to stop will increase to four bitcoin and will increase by one bitcoin for each day after the deadline that passed without payment.”
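The same demand arriving as plain text, as HTML and as a JPG attachment is what makes these campaigns awkward for keyword-based mail filters. The following is an added example, not code from the article or from Proofpoint, of a mail-side triage check that treats all three variants described above uniformly: it extracts whatever visible text the message carries (stripping HTML), scores it against the indicators the article describes (a DDoS threat, a bitcoin figure, a deadline in days, a Tbps bandwidth claim, the "Google our previous work" proof), and routes a message whose only body is an image to review rather than silently passing it. The sample messages, sender addresses and indicator patterns are constructed for the example and are not taken from the campaign.

```python
import html
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Heuristic indicators modelled on the email structure the article describes.
# Constructed patterns; tune to your own mail corpus before deploying.
INDICATORS = {
    "ddos_threat": re.compile(r"\b(ddos|denial[- ]of[- ]service)\b", re.I),
    "bitcoin_demand": re.compile(r"\b(\d+|two|four)\s*(btc|bitcoins?)\b", re.I),
    "deadline_days": re.compile(r"\b(\d+|seven)\s+days?\b", re.I),
    "bandwidth_claim": re.compile(r"\b\d+(\.\d+)?\s*tbps\b", re.I),
    "proof_by_search": re.compile(r"\bgoogle\b", re.I),
}


def visible_text(msg):
    """Return (text, image_only).

    text: concatenated text/plain and text/html parts, HTML reduced to text.
    image_only: True when the message carries an image but no readable text,
    which is the JPG-attachment variant a keyword filter would never see.
    """
    chunks, saw_image = [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            stripped = re.sub(r"<[^>]+>", " ", part.get_content())
            chunks.append(html.unescape(stripped))
        elif part.get_content_maintype() == "image":
            saw_image = True
    text = " ".join(chunks)
    return text, saw_image and not text.strip()


def score_message(raw_bytes):
    """Classify one RFC 822 message (bytes) and report which indicators fired."""
    msg = message_from_bytes(raw_bytes, policy=default)
    text, image_only = visible_text(msg)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "ddos_threat" in hits and "bitcoin_demand" in hits:
        verdict = "ddos_extortion"          # threat plus payment demand in readable text
    elif image_only:
        verdict = "image_only_body_review"  # text lives inside the image; needs OCR or a human
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "image_only": image_only}


# Constructed ransom wording for the samples below; not the campaign's text.
RANSOM_TEXT = (
    "We are the Fancy Lazarus. Google our previous work.\n"
    "Your network will be hit by a DDoS attack in 7 days, peaking over 2 Tbps,\n"
    "unless you pay 2 bitcoin before the deadline.\n"
)


def build_samples():
    """Constructed messages mirroring the three variants, plus a benign control."""
    def base(subject):
        m = EmailMessage()
        m["Subject"] = subject
        m["From"] = "Alex Smith <alex.smith@sender.invalid>"   # placeholder sender
        m["To"] = "noc@victim.invalid"                          # placeholder recipient
        return m

    plain = base("Your network")
    plain.set_content(RANSOM_TEXT)

    html_msg = base("Your network")
    html_msg.set_content("<html><body><p>" + RANSOM_TEXT + "</p></body></html>", subtype="html")

    jpg = base("Your network")
    jpg.set_content("")  # empty text body; the demand is only in the image
    jpg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # constructed JPEG-like bytes
                       maintype="image", subtype="jpeg", filename="message.jpg")

    benign = base("Quarterly figures")
    benign.set_content("Attached are the figures for the quarter.\n")

    return {"plain": plain.as_bytes(), "html": html_msg.as_bytes(),
            "jpg": jpg.as_bytes(), "benign": benign.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, score_message(raw))
```

The image-only verdict is the important one: a filter that only scores readable text would rate the JPG variant as clean, so this check hands it to OCR or an analyst instead. In a real deployment the indicator list and thresholds should be calibrated against legitimate traffic, since words like "Google" and "days" appear in ordinary mail.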

The growth of ransom DDoS attacks

Speaking to CSO, Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, explains that, while ransom DDoS attacks are not a recent development, the growing adoption of cryptocurrency is significantly driving a surge in the amount of ransom DDoS attacks taking place.

“More recently, there was an uptick in ransom DDoS activity starting last year with the activity coming from this group. Since August 2020, when we first began tracking this activity, Proofpoint researchers have seen about 180 customers spanning a multitude of diverse and unrelated verticals sent these extortion emails. About 59 of those were seen in the first month.”

Ransom DDoS attacks are also becoming increasingly effective, DeGrippo adds, particularly against organisations that lack web application firewalls or upstream service providers that can effectively filter DDoS traffic from legitimate traffic.

“Threat actors are always looking for the most efficient means of getting what they want, in this case a financial payoff,” she adds. “DDoS attacks have become increasingly easier to launch and have a potentially substantial payoff for considerably less work than something like a ransomware attack would require. Additionally, by conducting this type of attack, the threat actor bypasses automated security protections that would flag and block ransomware.”

Regarding the legitimacy of the group’s claims that their assault will peak over two Tbps, DeGrippo admits that, without full visibility into the attacks, it is difficult to validate for certain.

However, “based on FBI reports and information sharing groups, some attacks have reportedly reached approximately two Tbps,” she says. It is also worth noting, however, that FBI reporting has indicated that many affected companies that have passed the threatened deadline have either not seen any additional activity or have successfully mitigated it.

Regardless, organisations should be prepared for such attacks by having appropriate mitigations in place, DeGrippo concludes. “This includes using a DoS protection service and having disaster recovery plans at the ready. Good response falls into good technology and partnerships to help filter DDoS traffic when under attack. Organisations must have a plan in place for what to do in these scenarios before they happen.”
