The largest Russian bank Sberbank hit by a massive DDoS attack

Pierluigi Paganini November 09, 2023

The largest and oldest bank in Russia, Sberbank, faced a record-breaking DDoS attack that reached 1 million requests per second (RPS).

Sberbank, the Russian banking and financial services giant, announced that it was recently hit by a record-breaking distributed denial of service (DDoS) attack that reached 1 million RPS.

After the invasion of Ukraine, most Russian organizations and international companies still operating in Russia became the targets of multiple groups of Pro-Ukraine hacktivists.

According to the bank, the latest attack took place two weeks ago and was the most powerful attack in its history.

“If we talk about DDoS, the last attack was probably two weeks ago. It was the most powerful attack in our history. It was about three to four times more powerful than the most powerful before,” said Herman Gref, the CEO and chairman of the executive board of Sberbank. “We noticed that these were some new hackers, their handwriting is not known to us. That is, some new, very qualified criminals appeared on the market who began to systematically attack the largest Russian resources.”

Gref said that Sberbank faces about ten attacks per month, but threat actors have never breached the bank’s systems. However, Gref warned that the bank’s experts have noted that the attacks are becoming more sophisticated.

In a separate incident, the website of the National Payment Card System (NSPK, the operator of the Mir card) stopped working on October 30 as a result of a cyber attack. The attackers defaced the external page of the site and posted a message there claiming they had paid their partners with “customer personal data” from NSPK to do this work. The press agency Interfax reported that the card operator Mir denied the possibility of a data leak from the company’s website.

Stanislav Kuznetsov, deputy chairman of the bank’s board, reported that one of the most powerful attacks on Sberbank was observed in May 2022, when malicious traffic peaked at more than 400 Gbps. The attack was launched through a botnet composed of more than 27,000 infected devices, but it was successfully mitigated by the bank and did not affect the availability of its services.

The attacks that hit Sberbank fit into a broader wave of record-breaking application-layer DDoS attacks that security firms recently observed and that relied on the novel HTTP/2 Rapid Reset technique.

In October, Google announced that it had observed a new series of massive DDoS attacks that reached a peak of 398 million requests per second (rps). The attacks relied on the novel HTTP/2 Rapid Reset technique, which abuses HTTP/2 stream multiplexing, and affected multiple Internet infrastructure companies.

Google states that the attacks using this zero-day technique started in late August and are still ongoing, targeting major infrastructure providers, including Google services, Google Cloud infrastructure, and its customers. Google pointed out it was able to mitigate the attack.

“Our investigation revealed that the attack was using a novel “Rapid Reset” technique that leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol. We provide further analysis of this new Rapid Reset technique and discuss the evolution of Layer 7 attacks in a companion blog.” reads the post published by Google.

The underlying protocol weakness is tracked as CVE-2023-44487 (CVSS score of 7.5).

Amazon announced that it had mitigated attacks using this technique that reached 155 million requests per second, while Cloudflare observed attacks reaching 201 million rps.

“This attack was made possible by abusing some features of the HTTP/2 protocol and server implementation details (see CVE-2023-44487 for details). Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack. This included every modern web server.” states Cloudflare.

The attack technique abuses HTTP/2’s stream cancellation feature (the RST_STREAM frame). The attacker continuously sends requests to the target server and immediately cancels them, causing a denial-of-service (DoS) condition.

In an HTTP/2 Rapid Reset attack, the client opens a large number of streams at once, but does not wait for a response to each request stream from the server or proxy; instead it cancels each request immediately after sending it.

Because each stream is reset as soon as it is opened, a single connection can carry an effectively unbounded number of requests in flight, even though the server has already started processing each one by the time the cancellation arrives.

Through these deliberate request cancellations, the attacker ensures that the server’s limit on concurrent open streams (SETTINGS_MAX_CONCURRENT_STREAMS) is never reached. As a result, the number of in-flight requests depends only on the available network bandwidth, and the round-trip time (RTT) no longer limits the request rate.
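The following is an added example, not code from the original article or from any of the vendors it cites. It models the exchange described above on both sides: the attacker side serializes raw HTTP/2 HEADERS and RST_STREAM(CANCEL) frames (the header block is a constructed three-byte HPACK block using only static-table indexes), and the server side applies the per-connection stream cap and shows why that cap never triggers, because every stream is closed before the next one opens while the request has already been dispatched. The `reset_budget` and the GOAWAY(ENHANCE_YOUR_CALM) response are a hypothetical mitigation modelled on the general approach of counting cancellations per connection; the threshold of 50 is an assumption, not a value taken from any vendor’s patch.

```python
import struct
from dataclasses import dataclass, field

# HTTP/2 frame types, flags and error codes (RFC 9113)
HEADERS, RST_STREAM, GOAWAY = 0x1, 0x3, 0x7
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
CANCEL, ENHANCE_YOUR_CALM = 0x8, 0xB

# Constructed HPACK header block built only from static-table indexed fields:
# 0x82 = ":method GET", 0x86 = ":scheme http", 0x84 = ":path /"
MINIMAL_REQUEST = b"\x82\x86\x84"


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def headers_frame(stream_id: int) -> bytes:
    return frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, stream_id, MINIMAL_REQUEST)


def rst_stream_frame(stream_id: int, code: int = CANCEL) -> bytes:
    return frame(RST_STREAM, 0, stream_id, struct.pack("!I", code))


def goaway_frame(last_stream_id: int, code: int = ENHANCE_YOUR_CALM) -> bytes:
    return frame(GOAWAY, 0, 0, struct.pack("!II", last_stream_id, code))


def rapid_reset_burst(n: int) -> bytes:
    """Attacker side: n requests, each cancelled in the very next frame.
    Client-initiated streams use odd ids, so no stream id is ever reused."""
    out = bytearray()
    for i in range(n):
        sid = 1 + 2 * i
        out += headers_frame(sid)
        out += rst_stream_frame(sid)
    return bytes(out)


def parse_frames(data: bytes):
    """Split a byte stream into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, sid, payload))
        off += 9 + length
    return frames


@dataclass
class ConnectionState:
    max_concurrent_streams: int = 100   # the server's SETTINGS_MAX_CONCURRENT_STREAMS
    reset_budget: int = 50              # hypothetical per-connection cancel allowance
    open_streams: set = field(default_factory=set)
    peak_open: int = 0                  # highest number of streams open at once
    requests_dispatched: int = 0        # backend work started before the cancel arrived
    resets_seen: int = 0
    response: bytes = b""               # frames the server sends back (GOAWAY only here)


def serve(data: bytes, state: ConnectionState, mitigate: bool = True) -> ConnectionState:
    """Server side: enforce the stream cap and, optionally, a reset budget."""
    last_sid = 0
    for ftype, flags, sid, payload in parse_frames(data):
        if state.response:            # GOAWAY already sent: connection is closing
            break
        if ftype == HEADERS:
            if len(state.open_streams) >= state.max_concurrent_streams:
                continue              # a real server answers RST_STREAM(REFUSED_STREAM)
            state.open_streams.add(sid)
            state.peak_open = max(state.peak_open, len(state.open_streams))
            state.requests_dispatched += 1   # the cost is paid here, before any cancel
            last_sid = sid
        elif ftype == RST_STREAM:
            state.open_streams.discard(sid)
            state.resets_seen += 1
            if mitigate and state.resets_seen > state.reset_budget:
                state.response = goaway_frame(last_sid)
    return state


if __name__ == "__main__":
    burst = rapid_reset_burst(10_000)
    unprotected = serve(burst, ConnectionState(), mitigate=False)
    print("peak open streams:", unprotected.peak_open,
          "requests dispatched:", unprotected.requests_dispatched)
    protected = serve(burst, ConnectionState())
    print("requests dispatched before GOAWAY:", protected.requests_dispatched)
```

Run unprotected, the 10,000-request burst never has more than one stream open, so the concurrency cap is useless, yet all 10,000 requests reach the backend. With the reset budget the connection is torn down after the 51st cancellation, which is the property a mitigation needs: limit the rate of cancelled work per connection rather than the number of streams open at one instant.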
