Cybereason and Aon Collaborate to Prevent Cyber Attacks
Cybereason is partnering with Aon, a leading global professional services firm, in an alliance to help protect clients from sophisticated cyber attacks...
Cybereason Team
Cybereason's security team on Thursday discovered that the memcached servers used in the largest DDoS attack to date are including a ransom note in the payload. If DDoS amplification attacks weren't enough of a threat, attackers have made this technique even more potent by adding an extortion component.
The attackers wanted to get their message across: they dedicated a gigabyte of data to the ransom note, which instructs victims to pay 50 XMR (XMR is the ticker symbol for the Monero cryptocurrency), is included in a line of Python code and repeats many times. As of this writing, 50 XMR equals approximately $15,000. Like all currencies, the Monero exchange rate fluctuates so the amount of money victims have to pay can change.
If any organizations have paid the ransom is unknown. Unlike bitcoin transactions, Monero transactions aren't displayed publicly so there's no way to see if funds have been transferred to the attacker’s Monero address.
This video shows how Cybereason’s security team discovered the ransom note, which is highlighted:
Not to spread FUD, but the potential impact of DDoS amplification attacks is huge. Researchers have found that this technique can increase bandwidth amplification by a factor of at least 50,000 and estimate that as of November 2017 there are at least 60,000 memcached servers that can be used.
Here’s another example to show the magnitude of this attack. According to engineers at GitHub, which was knocked offline by the attack, the initial wave of the attack peaked at 1.35Tbps. Previously, the largest DDoS attack registered 1.1Tbps.
While GitHub’s site issues lasted for around nine minutes, using a short attack to quickly knock companies offline can greatly benefit attackers. If sites can be taken down in such a brief amount of time, companies could be more inclined to pay the ransom (assuming it remains reasonable) instead of dealing with the more substantial fallout from a longer amplification DDoS attack.
The attackers and defenders are likely to engage in an arms race in the coming weeks with the bad guys looking to use this technique against companies while the good guys figure out how to mitigate this threat. Organizations using memcached servers should disable their UDP port and place these servers on private networks behind firewalls.
Cybereason is dedicated to partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides predictive prevention, detection and response that is undefeated against modern ransomware and advanced attack techniques. The Cybereason MalOp™ instantly delivers context-rich attack intelligence across every affected device, user and system with unparalleled speed and accuracy. Cybereason turns threat data into actionable decisions at the speed of business.
All Posts by Cybereason TeamCybereason is partnering with Aon, a leading global professional services firm, in an alliance to help protect clients from sophisticated cyber attacks...
Join us for this live webinar as we delve into new research findings about the risk to organizations from ransomware attacks that occur on weekends and holidays and how you can better prepare to defend against them...
Cybereason is partnering with Aon, a leading global professional services firm, in an alliance to help protect clients from sophisticated cyber attacks...
Join us for this live webinar as we delve into new research findings about the risk to organizations from ransomware attacks that occur on weekends and holidays and how you can better prepare to defend against them...
Get the latest research, expert insights, and security industry news.
Subscribe