#OperationAbabil: The Never Ending Attack on US Banks

At GovernmentWare 2013 (GovWare) in Singapore, Radware Emergency Response Team (ERT) leader Ziv Gadot shared this presentation on the long-running cyberattack, Operation Ababil. Learn more about the history and origins, the list of financial targets and the four unique phases of these attacks. For more on Radware security and the ERT, visit http://security.radware.com

Published in: Technology, News & Politics
  • Paypal, Visa – it was easy to catch the volunteers (no real inner circle)
  • Transcript

    • 1. #Operation Ababil: The Never-ending Attack on US Banks – Ziv Gadot, SOC/ERT Group Leader, Radware
    • 2. Origination & History | Case Study | Conclusions
    • 3. Origination & History
    • 4. “Innocence of Muslims” Movie Trailer
      – July 12th 2012: “Innocence of Muslims” trailer released on YouTube
      – Sep 11th 2012: worldwide protests against the movie, resulting in the death of 50 people
    • 5. Operation Ababil
      – Sep 18th 2012: Operation Ababil begins
      – The cyber attack is an act to stop the movie
      – First targets: Bank of America, NYSE
      – Group name: “Izz ad-din Al qassam cyber fighters”
    • 6. Attack Span (timeline Q3 2012 through Q3 2013)
      – July 12th 2012: Innocence of Muslims trailer
      – Sep 11th 2012: physical protests
      – Sep 18th 2012: Operation Ababil begins (Phase I), 6 weeks
      – Dec 10th 2012: Phase II, 7 weeks
      – Mar 5th 2013: Phase III, 8 weeks
      – July 23rd 2013: Phase IV, 8 weeks
    • 7. Target List – press coverage
      – “Major banks hit with biggest cyberattacks in history” (CNN)
      – “Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions” (InformationWeek)
      – “Phase3/W4 Operation Ababil” (pastebin.com)
      – “Hacktivists Suspend DDoS Attacks” (bankinfosecurity.com)
    • 8. Insult Formula – Phase IV
      – “Phase 4 will take 8 weeks”
      – “Based on the formula which is approved for paying, the united states must still pay because of the insult” – http://pastebin.com/22WJ6m9U
    • 9. Servers Enlisted to Launch the Attack
      – OpAbabil introduces “server-based botnets”
      – Advantages: firepower, reliability, control
      – 'itsoknoproblembro' is a general-purpose PHP script injected into the servers, allowing the attacker to upload and execute arbitrary Perl scripts
    • 10. Case Study
    • 11. Case Study Background
      – A large US bank
      – The attacks started in October 2012
      – The bank had already invested in an anti-DDoS solution (both ISPs provided this service)
      – While most network attacks (UDP, ICMP and SYN floods) were mitigated, the application attacks (HTTP, HTTPS) passed
      – Outages occurred on a daily basis; the IT department was frustrated and exhausted
      – At this point our Emergency Response Team joined in, and we got visibility into the attack patterns
    • 12. Attack Vectors
      – Network level attacks: UDP, ICMP, SYN flood
      – Application level attacks:
        • HTTP attacks: URL attacks, search page
        • HTTPS: TLS/SSL negotiation attacks, login page DoS
        • Bypassing mitigation challenges
    • 13. TLS/SSL Negotiation Attacks
    • 14. TLS/SSL Negotiation Attacks
    • 15. Login Page DoS
    • 16. Login Page DoS
      – The login page is a critical resource: usually the first HTTPS transaction; no user is identified yet; no load balancing yet
      – The attacker clearly used malformed usernames
      – Attempts to block these usernames with a signature caused the attack to change the usernames
    • 17. Bypassing Mitigation Challenges
    • 18. Challenge Technology
      – HTTP challenges: 302 redirect + cookie; JavaScript
      – Existing JavaScript:
        <html><body><script>
        document.cookie='eeeeeee=ff85bb7eeeeeeee_ff85bb7e; path=/';
        window.location.href=window.location.href;
        </script></body></html>
    • 19. Attacker Passes JavaScript Challenge
      – Feb 2013: ‘OutFlare’ malware passes the CloudFlare challenge mechanism
      – April 2013: attacker passes the DefensePro JavaScript challenge
      – Attack script (excerpt):
        }
        if(preg_match("/"(.*)"/",$cookie,$var_val)){
          if(!preg_match("/'/",$var_val[1]) || preg_match("/"/",$var_val[1])){
            $cookies[] = trim($var_val[1]);
          }
        }
        }
        }
        if(preg_match_all('/document.cookie[^=]*=([^;]*);/i',$content,$setcookie)){
          foreach($setcookie[1] as $cookie){
            if(preg_match("/'(.*)'/",$cookie,$var_val)){
              if(!preg_match("/'/",$var_val[1]) || preg_match("/"/",$var_val[1])){
                $cookies[] = trim($var_val[1]);
              }
            }
            if(preg_match("/"(.*)"/",$cookie,$var_val)){
              if(!preg_match("/'/",$var_val[1]) || preg_match("/"/",$var_val[1])){
                $cookies[] = trim($var_val[1]);
              }
            }
          }
    • 20. Short Term (Hot Fix)
      – Existing JavaScript:
        <html><body><script>
        document.cookie='eeeeeee=ff85bb7eeeeeeee_ff85bb7e; path=/';
        window.location.href=window.location.href;
        </script></body></html>
      – Alternative JavaScript (the cookie is assembled at run time from fragments, so the literal never appears in the page; the decoy comment and unused variables are deliberate):
        <html><body><script>
        var n_d8ey="fffffff",eq_1="=";
        var hi_2a="324fd333";
        var hi_3="yyyyyyy";
        var Qr789_a33="_",Z1_792="qqq";
        var hZi_sd1="qqqq";
        function JSRa23nd_1() {
          return hZi_sd1+Z1_792+eq_1+hi_2a+Z1_792+hZi_sd1+Qr789_a33+hi_2a;
        }
        //document.cookieee("yyyyyyy=3HH133d7yyyyyyy_3HH133d7")
        var cRokie1_78=JSRa23nd_1();
        document.cookie=cRokie1_78+'; path=/';
        window.location.href=window.location.href;
        </script></body></html>
    • 21. Long Term
      – Existing JavaScript → Polymorphic JavaScript (the alternative JavaScript of slide 20, with the variable and function names changing from page to page)
      – Existing JavaScript → Obfuscated JavaScript:
        eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c){d[c.toString(a)]=k[c]||c.toString(a)}k=[fun
      – Combination: produce challenges that are virtually impossible to cheat
    • 22. Conclusions
    • 23. Attack Becomes More Advanced and Persistent (APT) – APT score over time
      – Operation Payback 2010: duration 3 days; 4 attack vectors; sophistication level = Med
      – Operation Vatican: duration 20 days; 7 attack vectors; sophistication level = Med
      – OpIsrael 2012: duration 6 days; 5 attack vectors; sophistication level = Med
      – Operation Ababil 2012-2013: duration over a year; at least 20 attack vectors; sophistication level = High
    • 24. Summary
      – Operation Ababil is the single biggest DDoS attack in history
      – Attackers demonstrated their capabilities: duration; finding blind spots in mitigation; bypassing mitigation techniques during the campaign
      – Most of the victims had already budgeted well for anti-DDoS solutions:
        • CPE-based solutions did not handle pipe saturation
        • Cloud-based solutions are not designed for long attacks
        • ISP-based solutions did not handle application attacks well
      – How can such an attack be stopped?
    • 25. DoS & DDoS Mitigation History
      – 2010: nobody cared about DoS & DDoS
      – 2011: all you needed to do was buy a proper anti-DoS solution
      – 2012: acquire the ability to fight back during the attack; acquire a response team on your side
      – 2013: build an anti-DoS architecture!
    • 26. Anti-DoS Architecture
      – On-premise protection (protected organization): 85% of the attacks can be mitigated at the organization perimeter; allows maximal visibility and control of the attack
      – Scrubbing center for application attacks: extremely sophisticated attacks should be mitigated in the cloud, using its agility, but only when needed
      – Scrubbing center for network (volumetric) attacks: network (volumetric) attacks should be mitigated in the cloud to protect the pipe, but only when needed
      – Response team: today's APT attacks require not only machines but also human experts on your side
    • 27. Q&A
    • 28. Thank You – www.radware.com – For more on Radware Security and our Emergency Response Team, visit http://security.radware.com
