At GovernmentWare 2013 (GovWare) in Singapore, Radware Emergency Response Team (ERT) leader Ziv Gadot shared this presentation on the long-running cyberattack, Operation Ababil. Learn more about the history and origins, the list of financial targets and the four unique phases of these attacks. For more on Radware security and the ERT, visit http://security.radware.com
Operation Ababil
The Never-ending Attack on US Banks
Ziv Gadot
SOC/ERT Group Leader
Radware
Origination & History
Case Study
Conclusions
Origination & History
“Innocence of Muslims” Movie Trailer
July 12th 2012: “Innocence of Muslims” trailer released on YouTube
Sep 11th 2012: Worldwide protests against the movie, resulting in the deaths of 50 people
Operation Ababil
Sep 18th 2012: Operation Ababil begins
The cyber attack is an act to stop the movie
First targets:
• Bank of America
• NYSE
Group name: “Izz ad-din Al qassam cyber fighters”
Attack Span
(timeline spanning Q3 2012 to Q3 2013)
July 12th 2012: “Innocence of Muslims” trailer released
Sep 11th 2012: Physical protests
Sep 18th 2012: Operation Ababil begins (Phase I), 6 weeks
Dec 10th 2012: Phase II, 7 weeks
Mar 5th 2013: Phase III, 8 weeks
July 23rd 2013: Phase IV, 8 weeks
Target List
• Major banks hit with biggest cyberattacks in history – CNN
• Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions – Informationweek
• Phase3/W4 Operation Ababil – pastebin.com
• Hacktivists Suspend DDoS Attacks – bankinfosecurity.com
Insult Formula – Phase IV
Phase 4 will take 8 weeks
“Based on the formula which is approved for paying, the united states must still pay because of the insult”
http://pastebin.com/22WJ6m9U
Servers Enlisted to Launch the Attack
OpAbabil introduces ‘Server-based Botnets’
Advantages
• Firepower
• Reliability
• Control
'itsoknoproblembro' is a general-purpose PHP script injected into the servers, allowing the attacker to upload and execute arbitrary Perl scripts
Case Study
Case Study Background
• A large US bank
• The attacks started in October 2012
• The bank had already invested in an anti-DDoS solution
– Both ISPs provided this service
• While most network attacks (UDP, ICMP and SYN floods) were mitigated, the application-level (HTTP, HTTPS) attacks passed through
• Outages occurred on a daily basis
– The IT department was frustrated and exhausted
• At this point our Emergency Response Team joined in, and we gained visibility into the attack patterns
Attack Vectors
• Network Level Attacks
– UDP
– ICMP
– SYN Flood
• Application Level Attacks
– HTTP attacks
• URL Attacks
• Search Page
– HTTPS
• TLS/SSL Negotiation Attacks
• Login Page DoS
– Bypassing Mitigation Challenges
TLS/SSL Negotiation Attacks
Login Page DoS
• The Login Page is a critical resource
– Usually the first HTTPS transaction
– No user is identified yet
– No load balancing yet
• The attacker clearly used malformed usernames
• Attempts to block these usernames with a signature caused the attackers to change the usernames
Bypassing Mitigation Challenges
Challenge Technology
• HTTP Challenges
– 302 Redirect + Cookie
– JavaScript
Existing JavaScript
<html>
<body>
<script>
document.cookie='eeeeeee=ff85bb7eeeeeeee_ff85bb7e;path=/';window.location.href=window.location.href;
</script></body></html>
Attacker Passes JavaScript Challenge
Attack Script
(fragment of the attacker's PHP script, as shown on the slide)
    }
    if(preg_match("/\"(.*)\"/",$cookie,$var_val)){
        if(!preg_match("/\'/",$var_val[1]) || preg_match("/\"/",$var_val[1])){
            $cookies[] = trim($var_val[1]);
        }
    }
}
}
// pull every value assigned to document.cookie out of the page text, without executing the script
if(preg_match_all('/document.cookie[^\=]*\=([^\;]*);/i',$content,$setcookie)){
    foreach($setcookie[1] as $cookie){
        if(preg_match("/\'(.*)\'/",$cookie,$var_val)){
            if(!preg_match("/\'/",$var_val[1]) || preg_match("/\"/",$var_val[1])){
                $cookies[] = trim($var_val[1]);
            }
        }
        if(preg_match("/\"(.*)\"/",$cookie,$var_val)){
            if(!preg_match("/\'/",$var_val[1]) || preg_match("/\"/",$var_val[1])){
                $cookies[] = trim($var_val[1]);
            }
        }
    }
}
April 2013: Attacker passes DefensePro JavaScript challenge
‘OutFlare’ Malware
Feb 2013: ‘OutFlare’ malware passes CloudFlare challenge mechanism
Short Term (Hot Fix)
Existing JavaScript: as on the previous slide
Alternative JavaScript
<html>
<body>
<script>
var n_d8ey="fffffff",eq_1="=";
var hi_2a="324fd333";
var hi_3="yyyyyyy";
var Qr789_a33="_",Z1_792="qqq";
var hZi_sd1="qqqq";
function JSRa23nd_1()
{
  // assembles "qqqqqqq=324fd333qqqqqqq_324fd333" at run time; the name=value pair never appears as one literal in the page
  return hZi_sd1+Z1_792+eq_1+hi_2a+Z1_792+hZi_sd1+Qr789_a33+hi_2a;
}
// decoy for scrapers that pattern-match on "document.cookie":
//document.cookieee("yyyyyyy=3HH133d7yyyyyyy_3HH133d7")
var cRokie1_78=JSRa23nd_1();
document.cookie=cRokie1_78+';path=/';window.location.href=window.location.href;
</script></body></html>
Long Term
Existing JavaScript: as on the previous slides
Polymorphic JavaScript: the same script as the Alternative JavaScript on the previous slide
Obfuscated JavaScript (packed form, truncated on the slide):
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c){d[c.toString(a)]=k[c]||c.toString(a)}k=[fun
Combination
Produce challenges that are virtually impossible to cheat
Conclusions
Attacks Become More Advanced and Persistent (APT)
(chart: sophistication score against time)
• Operation Ababil 2012-2013: duration over a year; at least 20 attack vectors; sophistication level = High (APT)
• OpIsrael 2012: duration 6 days; 5 attack vectors; sophistication level = Med
• Operation Payback 2010: duration 3 days; 4 attack vectors; sophistication level = Med
• Operation Vatican: duration 20 days; 7 attack vectors; sophistication level = Med
Summary
• Operation Ababil is the single biggest DDoS attack in history
– Attackers demonstrated their capabilities
• Duration
• Finding blind spots in mitigation
• Bypassing mitigation techniques during the campaign
• Most of the victims had already invested in well-budgeted anti-DDoS solutions
– CPE-based solutions did not handle pipe saturation
– Cloud-based solutions are not designed for long attacks
– ISP-based solutions did not handle application attacks well
• How can such an attack be stopped?
DoS & DDoS Mitigation History
• 2010
– Nobody cared about DoS & DDoS
• 2011
– All you needed to do was buy a proper anti-DoS solution
• 2012
– Acquire the ability to fight back during the attack
– Acquire a Response Team on your side
• 2013
– Build an Anti-DoS Architecture!
Anti-DoS Architecture
(diagram: the protected organization with on-premise protection, a cloud scrubbing center, and a response team)
• On-Premise Protection (application attacks)
– 85% of the attacks can be mitigated at the organization perimeter
– Allows maximal visibility and control of the attack
• Scrubbing Center (network/volumetric attacks)
– Network (volumetric) attacks should be mitigated in the cloud to protect the pipe, but only when needed
– Extremely sophisticated attacks should be mitigated in the cloud using its agility, but only when needed
• Response Team
– Today's APT attacks require not only machines but also human experts on your side
Q&A
Thank You www.radware.com
For More on Radware Security and our Emergency
Response Team, visit:
http://security.radware.com