This is an FAQ about DD4BC that I wrote for Akamai, and it appeared here and here.
DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai’s PLXsert and CSIRT teams continue to investigate attack activity related to the group.
In recent weeks, the frequency of customers receiving ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to threaten victims with a DDoS attack of 400-500 Gbps if they do not pay. To date, DD4BC attack campaigns mitigated by Akamai have not exceeded 50 Gbps in size. That’s up from the high of 15-20 Gbps observed in early May. (A full history of the group’s exploits and firepower can be found in this advisory from April.)
Below are the most commonly asked questions we’ve received from customers, along with some answers.
What is new since the last update?
The group can now attack with firepower of up to 50 gigabits per second. Additionally, they now threaten to expose a targeted organization via social media in addition to launching the DDoS attack itself. The goal is to publicly embarrass the target via social media, harming the company’s reputation and drawing attention that lends credibility to the threatened service disruption. Their methodology has also changed: they now use multi-vector campaigns more readily and, in some instances, revisit previous targets that suffered some level of impact during the initial event. We have also observed this group incorporating a Layer 7 attack as part of the multi-vector attack.
Sometimes you hear of third-party content providers getting compromised. Those are the widgets that sites use for content links. They may take the form of little ads, or of a “You’ll never believe what this Hollywood star did!” teaser. Sites trust those providers to load content into their pages. But what happens when one of those providers gets compromised by hackers? The hackers can then push their message or their malware onto dozens or possibly hundreds of sites all at once. Want to know more about it? I wrote a section on “Emerging Threats” for the Akamai State of the Internet Report. I’d suggest reading the whole thing, but my part starts on page 29.
I was asked by my colleague Bill Brenner to step in and film a whiteboard video for Akamai. The topic was pre-chosen for me: Vulnerability Assessment vs. Penetration Testing (pentesting). We filmed the video a couple of weeks ago (those lights are hot!), and the whiteboard video should be out by January. But in the meantime, Bill suggested that my script would make a good blog post. So I said sure, put it up. Here is the blog post from my video script: