Posted on March 4, 2018 at 6:28 AM
Memcached servers have been exploited in creating the largest ever DDoS attack. Now, researchers say that traffic was embedded with ransom notes, requesting Monero.
Increased activity from hackers
Hackers have been launching DDoS attacks in droves over the past week. Targets are varied, but traffic levels are unprecedented. Notably, Github was subject to a massive 1.35 Tbps attack, cited as the largest ever. After examining the attacks, Akamai has reported that hackers are doing more than raising traffic levels to debilitating levels. Now, hackers are embedding ransom notes directly in the traffic. This is something heretofore unseen.
Although demanding crypto payment is nothing new for hackers, extorting targets with inbound traffic flow is unusual. Recent attacks have relied on Memcached servers to bring targets down with amplification attacks. According to Akamai, there are over 50,000 such servers that are vulnerable. These servers are ripe targets for hackers seeking to implement Memcache reflection. In a blog post, Akamai notes that the Github attack was more than double the size of the 2016 Mirai botnet attacks. It is posited that due to the number of unsecured Memcache servers, that attack will soon be outpaced. Memcache reflection could allow for unknown amplification of traffic flow.
Memcache reflection has older roots
Akamai is not the only entity warning about the threat of Memcache reflection. On February 28, Qrator says that huge DDoS attacks are a real threat. They say that a 0Kee, a China-based team of researchers, credit the concept of Memcache reflection to a 2014 security conference talk. At that time, Black Hat introduced a concept called “Memcached injection,” which seems to have given rise to this new method of traffic increase.
Ransom notes are the attack, but paying is unwise
In a Thursday blog post, Brian Krebs says that Cybereason is tracking Memcached attacks. Cybereason also found that hackers were embedding ransom notes and payment addresses into the junk traffic sent via their attacks. Akamai specifically found a note demanding 50 XMR or Monero. These funds were to be sent to a digital wallet address. In USD, the ransom comes out to $1,600. Cybereason says that hackers are attacking people with continuously repeated ransom notes. Messages are repeated until the file size reaches one megabyte, which is then requested from Memcache servers over and over. When files are bounced through multiple Memcached servers, the result is a massive amount of information, with a very simple script.
It is unknown if anyone has actually paid these ransoms. Monero is fairly difficult to trace, more so than popular cryptos like bitcoin. Akamai researchers have no way of knowing whether Monero payments have come from targeted companies. On the flip side, hackers may have difficulty identifying exactly who has paid them as well. Akamai says that paying these ransoms is not a wise course of action, due to the fact that trackers may not know who to stop bombarding once funds are received. Of course, paying such ransoms is never a good idea, because even if hackers were able to identify the source of funds, they would be unlikely to stop the attack.
Akamai is working on new ways to increase cybersecurity daily, and it should be noted that they were able to thwart the attack on Github. In the meantime, hackers will continue to widen their range of abilities.