1. INTRODUCTION
History:
In the past couple of weeks Kenyan organizations and government institutions have faced attacks from the hacktivist group Anonymous Sudan. The attacks have been in the form of Distributed Denial of Service, which involves the use of multiple computers (bots or ‘zombies’) to target a specific application or website with the goal of exhausting the target system’s resources, which, in turn, renders the target unreachable or inaccessible, denying legitimate users access to the service.
The affected companies have faced extended periods of service outages as their websites and portals are flooded by throngs of malicious traffic from the Hacktivist group. Anonymous Sudan who are a religiously- and politically charged hacker group are affiliated to the infamous Killnet hackers also known for DDoS attacks. It primarily targets organizations with critical infrastructure and services to cripple their operations.
Who/What is affected
Government and corporate entities whose services are vital and should be readily available are among their primary targets. Worth noting is that the malicious actors have also been vocal in the social media about expanding the scope of the attack to banks and other critical infrastructure. Their main vector of attack is through public facing infrastructure such as websites, online portals, API endpoints, mail servers, and web applications.
2. TACTICS TECHNIQUES AND PROCEDURES (TTPS) OF ANONYMOUS SUDAN
Research into Anonymous Sudan’s TTPs reveals the following common characteristics:
- Owing to their motivation and determination to defend Islam and nation states pro-Islam, Anonymous Western targets, or NATO-linked countries. It also targets states against Sudan.
- They thrive on launching DDoS attacks against their targets. You could recover from the attacks if you had hardened against DDoS attacks through measures such as load balancing and web traffic filtering.
- They target governments or public institutions’ websites as seen in the Microsoft attacks as well as local attacks in the past 6 months.
- They rely heavily on social sites such as Telegram and Twitter (now X) to share info on victims and next targets.
- They are associated with other known hackers such as Killnet and hacker groups that have common goals with them.
2.1 MITRE Map
2.1.1 Reconnaissance
- T1595: Active Scanning
- T1589: Gather Victim Identity Information
2.1.2 Resource Development
- T1583: Acquire Infrastructure
- T1584: Compromise Infrastructure
2.1.3 Credential Access
- T1110: Brute Force
2.1.4 Impact
- T1498: Network Denial of Service
- T1489: Service Stop
2.2 Primary Anonymous SUdan Tactics
2.2.1. DDoS attacks on the OSI model:
- layer 4 (SYN flood attacks)
- layer 7 (high volume POST/GET requests) to cause resource exhaustion and system failure.
2.2.2. Brute-force dictionary attacks against:
- SSH (port 22) primarily targets the root account.
- Minecraft and TeamSpeak servers
2.2.3. They launch social media channels, especially Telegram to beckon those willing to and contribute their infrastructure to the Anonymous Botnet.
2.3 Types of Attacks
As observed in the past flurry of attacks the malicious group uses:
2.3.1 HTTP(S) flood attack are an application-level (Layer 7) attack which involves sending high volumes of HTTP(s) requests and SSL/TLS handshakes than the target system can handle.
Figure 1 An Illustration of HTTP Flood Attack [Source: Cloudflare]
2.3.2 SYN flood attack – a denial of service attack that continuously sends initial connection requests (also called SYN packets) to a server in large volumes thereby consuming all the server resources (ports) and denying legitimate traffic. The affected server may be slow at responding to connection requests or not allow connections at all.
2.3.3 Cache bypass – an attempt to bypass the CDN layer leading to overloading of origin servers.
2.3.4 Slowloris – it occurs when a “client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly). This forces the web server to keep the connection open and the requested resource in memory.”
The group has a servers and machines recruited to act as bots to generate traffic of up to 600Gbps or send HTTPS requests averaging millions of RPS. They are currently launching social media campaigns to recruit more computers to the bot network(botnet). In addition, research reveals that Anonymous also use public cloud infrastructure and proxies to generate attacks as well as randomize the source of the attacks.
3. RECOMMENDATIONS
- Put publicly facing applications and services behind web application firewall and ensure proper configuration of the same.
- Load Balancers or application delivery controllers, such as Anycast Network Diffusion, are used to divide traffic during a DDoS attack across several destinations that share a common IP address.
- API Gateways are used to rate limit API requests to applications or services.
- Hardening underlying infrastructure such as web servers, application serves.
- Audit connection points to your network for any vulnerabilities. These include VPNs, application gateways.
- Blacklisting unknown persistent IP addresses pinging pubic facing infrastructure or use ACLs to block traffic from malicious subnets.
- Implementing edge defense such as SASE architecture.
- Develop DDoS response and business continuity plan.
- Enable firewall logging for ease of auditing of accepted and denied request. This will help with investigations of the source of the attack.
4. HOW CAN YOU PROTECT YOURSELF AGAINST RANSOMWARE GROUPS
CYBER1 Solutions can help you meet and comply with below NIST Cyber Security Framework (CSF) that is applicable to your environment.
4.1.1 Identify
- Asset management
- Business environment
- Governance
- Risk assessment and Management
4.1.2 Protect
- Access controls
- User awareness and training
- Data security
- Information protection and procedures
4.1. 3 Detect
- Anomalies and events
- Security continuous monitoring
- Detection processes
4.1.4 Respond
- Response planning
- Communication
- Analysis
- Mitigation
- Improvement
4.1.5 Recover
- Recovery planning
- Improvement
- Communication
CYBER1 Solutions will provide protect and detect services as outlined above as per the situation at hand. However, we are also capable of providing end-to-end coverage on the NIST CSF as needed.