Increase in Chinese "Hacktivism" Attacks
With the US Speaker of the House, Nancy Pelosi, approaching an unusually high-level visit to China, various reports indicate an increase in military saber-rattling and a ramp-up of attacks against networks in Taiwan and the US.
So far, we have more anecdotal evidence vs. "real data." But some of the initial indicators we have seen:
- A slight increase in scans for "nuisance vulnerabilities" like Word Press from Chinese consumer IP addresses.
- Reports of small/medium application-specific DDoS attacks similar to what our site has seen starting Friday
- A small (not quite significant based on preliminary data) increase in ssh scanning from Chinese consumer IP addresses.
Chinese hacktivists have a history of picking up on government sentiment communicated in local news reports [1]. They will often show their patriotism by attacking various "unfriendly" websites. The targets are often somewhat random, and the attacks are not coordinated. But even a home user with a small botnet can harness significant "firepower" to take down many websites without dedicated DDoS protection. And, of course, sometimes they get lucky scanning for simple vulnerabilities. If a few million (probably more than a few thousand) "kids" are brute forcing passwords, they may just get lucky and find one.
What do you need to do?
Not much at this point. Monitor and be ready for a DDoS attack. In particular, if your website or company has a higher profile in China or is associated with the US government (this includes contractors, related organizations, and news sites reporting about the visit).
For example, the Taiwan president's website experienced a DDoS attack of approximately 200 times the regular traffic [2]. I do not consider this a "huge" attack and something likely within the capabilities of a few hacktivists getting together. A more organized "government-sponsored" DDoS attack would likely involve tools like "Great Cannon" (sometimes also called red-ion-cannon) that can harness a much larger attack power [3].
Please use our "contact us" form to report any attacks you are seeing.
[1] https://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1413&context=etd
[2] https://m.facebook.com/story.php?story_fbid=pfbid0oetXRVEQ2dj7Vd1kTzC32FhdMLdyuoQJAYf6baYJDghKKVCBMERfUgXhP72U4obVl&id=100044311095166&m_entstream_source=timeline
[3] https://citizenlab.ca/2015/04/chinas-great-cannon/
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
A Little DDoS in the Morning - Followup
I love it when people read and learn from what I am writing here. And it looks like whoever is behind the little DDoS from Friday did just that. I removed our filters yesterday after the attack stopped, and today see similar traffic ... but... now with different user agents ;-). At this point, the traffic isn't causing any performance issues, so I will let them go for now.
Here is a small sample of user agents involved. The disadvantage for them is now that some of these User-Agents are so unusual that they again easily stick out. The source IPs are still all Chinese. FWIW: I got some questions if the source IPs could be spoofed: No. They are sending complete HTTP requests, so they are not spoofed. But they could be some kind of proxy on compromised machines/devices.
Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36
Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)
I feel like this will become a little series of posts.
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Comments