Pierluigi Paganini October 20, 2014

Operation Distributed Dragons – Tiger Security firm has discovered a series of DDoS attacks from China and that appear as run by a structured organization.

Security experts at the Italian Tiger Security firm have spotted a new wave of DDoS attacks that were originated in China and that appear as run by well organized APT. The expert identified the operation with the codename “Operation Distributed Dragons”, the threat actors behind the attacks have the capability to evolve its techniques, tactics, and procedures (TTPs).

As explained by the researchers the methods of infection continuously changes, while it is expanding the perimeter of their physical infrastructure.

The bad actors initially targeted Linux servers, but the attacks also involved Windows machines and embedded device with ARM architecture (e.g. Routers and IP cams), in this way the hackers are able to run DDoS attacks that reach traffic peaks of more than 200 Gb/s, without the use of amplification techniques.

The Operation Distributed Dragons has already targeted thousand of machines worldwide, Canada, The Netherlands, Hungary and Germany are the countries hosting these greatest number of compromised PCs.

Attacks belonging to the Operation Distributed Dragons are still ongoing and according to the experts the number of new infected machines by the dab actors is increasing rapidly.

“The end targets of the campaign are several and range significantly across sectors and include ISPs, Cloud Storage companies and players in leisure and gaming industry.”states the report issued by Tiger Security on the Operation Distributed Dragons.

The attack chain is composed of three main steps:

• Reconnaissance:  A range of IP addresses is scanned by the attackers searching for vulnerable systems. The bad actors used “brute force” attacks to compromise the machines exploiting several kinds of flaw, including weak login credentials and out-of-date versions of products.
• Malware infection: Threat actors infect the machine, recruiting it as part of a botnet controlled by a series of  Command and Control (C&C) Servers detected by the researchers.  The C&C servers were distributed in many countries, including Cina, South Korea, United States, Indonesia, Russia, Germany, Brazil, France and so on.

• Fire: Bot agents run the DDoS attack. The expert noticed several types of attacks, including SYN Flood, DNS Flood, UDP Flood and ICMP Flood.

The experts revealed that in many cases DDoS attacks were scheduled at 9pm Beijing time and last for approximately 3 hours with peaks of traffic, even without amplification.

The threat actors are specializing their activity on systems and applications that are not subject to continuous checks, updates and upgrades by the administrators and for this reason that are more vulnerable to such kind of attack.

Reading the technical details from the report it is possible to note that the threat actor used different backdoor for various websites, including some of the Chinese Government.

“These backdoor, ready to be used via web shells – including the famous “China Chopper”, have been inserted by exploiting vulnerabilities, including 0-day type, like the case of dedecms.” states the document.

In the following table is reported the list of the vulnerabilities exploited by attackers split by service:

Who is behind the attacks?

“The objectives of the whole operation, at least at this stage of investigation, seem to be quite inconsistent. In addition, victims appear significantly far apart in terms of business model, sectors and interests. All this seems to suggest that the wave of attacks has been driven by mere economic reasons: this conclusion, if proven wright, seems to support the thesis that cyber-criminals provide a “service” to their “clients” against some sort of reward, probably financial, and can be hired to pursue the specific objectives of their “clients”, as it would happen in any legitimate business.” states the document highlighting the financial nature of the attacks.

I have contacted Emanuele Gentili – CoFounder & Partner, Chief Executive Officer of Tiger security to request more info on the operation.

Q: The threat actor behind the Operation Distributed Dragons has used public available exploits obtaining a 200 Gbits DDoS. Which is your point of view on these types of emerging threats? 

A: Poorly configured machines advantage infections on a large scale, which allow attackers to compose powerful botnet. Very interesting is the extension of the attacks to the Internet of Things devices that lack of effective security settings.

Q: You have highlighted previously unpublished references about the tools used by the cyber criminal group behind the Operation Distributed Dragons. Several software used for the C&C appear very different each other despite the malware they control are identical, which is the reason of such differentiation? 
 
A: From our research, we believe that the various software created and used as C&C are the result of continuous improvement over the time. Many control panels appear minimal, other far more advanced in terms of functionality. One of these C&C includes also sophisticated features like a builder for the delivery of infections and the time scheduling of attacks. 

Give a look to the report issued by Tiger Security on the Operation Distributed Dragons, it is full of interesting details regarding their investigation.

Pierluigi Paganini

(Security Affairs – Operation Distributed Dragons,cybercrime)