Archive for October 10, 2022

BREAKING: Lufthansa Now Says That It Is NOT Banning AirTags After Saying That It Was Banning AirTags

Posted in Commentary on October 10, 2022 by itnerd

So… let’s recap. German airline Lufthansa put out some very public statements via its Twitter feed saying that it is banning AirTags. But it cited a regulation that does not cover AirTags at all. That led many, yours truly included, to say that Lufthansa is only banning AirTags because it has a propensity for losing passenger luggage, and passengers have a propensity for using AirTags to make the airline look like a dummkopf.

Now it seems that they might have changed course. Maybe. The airline is now claiming that they aren’t banning AirTags:

But wait… Lufthansa said this on their Twitter feed:

At this point it’s pretty clear that the airline can’t keep its story straight. Which means the blowback is so huge that it cannot construct a coherent walk-back narrative from this train wreck next to a dumpster fire. So Lufthansa, which is it? Are you banning AirTags or not? A message that makes sense, acknowledges your original public statements and walks them back would be welcome at this point. Because right now you do look like a dummkopf when it comes to how you’ve handled this whole situation.

Lufthansa’s AirTag Ban Justification Is Seriously Flawed

Posted in Commentary on October 10, 2022 by itnerd

Earlier today I wrote about German airline Lufthansa banning AirTags in luggage. I suspect this has nothing to do with safety and everything to do with the fact that they lose people’s luggage, and AirTags not only allow passengers to hold them accountable for this but embarrass them at the same time. Here’s another data point on this front. Lufthansa tweeted this as its justification:

I found this response to be a bit suspect, so I looked up the regulation online. Now, I am no expert on this sort of thing, and I would welcome an expert to comment on this. But the way I read it is as follows:

  • The regulation that Lufthansa appears to be citing specifically talks about lithium ion battery regulations. AirTags use a CR2032 battery, which is not a lithium ion battery. To be precise, a CR2032 is a lithium metal (primary) coin cell rather than a lithium-ion cell, and its lithium content is a tiny fraction of the limit the dangerous goods rules allow for cells installed in devices carried in baggage.
  • AirTags are basically very low-powered Bluetooth Low Energy transmitters, the same class of radio as wireless headphones and smartwatches. This means there is nowhere near enough power to interfere with a commercial plane’s systems.

So my guess is Lufthansa is using this as cover and hoping that nobody will call them on it.

Too bad for them the Twitterverse called them on it:

Really, at this point Lufthansa needs to find some way to walk this back because they are not winning here. In fact they’re losing. They’re losing on the public relations front, and there is zero chance that passengers will comply with this edict from them. Thus they might as well give up now and save some face.

American Airports Hit By Russian Based DDoS Attack

Posted in Commentary on October 10, 2022 by itnerd

Hackers sympathetic to Russia have taken aim at US airports by launching a large Distributed Denial Of Service attack on their websites. Bleeping Computer has the details:

The pro-Russian hacktivist group ‘KillNet’ is claiming large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them inaccessible.

The DDoS attacks have overwhelmed the servers hosting these sites with garbage requests, making it impossible for travelers to connect and get updates about their scheduled flights or book airport services.

Notable examples of airport websites that are currently unavailable include the Hartsfield-Jackson Atlanta International Airport (ATL), one of the country’s larger air traffic hubs, and the Los Angeles International Airport (LAX), which is intermittently offline or very slow to respond.

These hackers are clearly unhappy about the actions that the US, among other countries, has taken in response to Russia’s invasion of Ukraine, and this is their response. While it wasn’t a long-lasting attack, it does send a message.

I have commentary from several industry experts on this:

Gary Kinghorn, Senior Director at Nozomi Networks: Fortunately, the DDoS attacks were not particularly damaging or long lasting. Most of the major airports appeared to be responding normally to new connection requests without delay by early to mid-morning. DDoS attacks are not targeted attacks that exploit a specific vulnerability, but generally just overwhelm a site’s ability to respond with an enormous amount of traffic from a large number of distributed clients. There are many types of DDoS attacks that can seek to exploit different aspects of the client-server connection request protocol. This attack appears to be a SYN flood, where there are a large number of connection requests that never complete and leave the target web site resources used on incomplete connections that delay response to legitimate users. It does not appear that a deeper exploit was executed that took advantage of known vulnerabilities in higher levels of the OSI protocol stack, hopefully because most of these sites are well-patched and defend against most sophisticated DDoS attacks. It’s hard to defend against DDoS attacks because every web site that is open to all users can be overwhelmed with a traffic spike of valid connection requests until you can identify and filter out a range of IP sources or expand capacity or bandwidth for the target site. CISA has an excellent Quick Guide that explains best practices for managing DDoS attacks and good site hygiene to make sure sites are not vulnerable to more sophisticated attacks using various IP protocols: https://www.cisa.gov/uscert/security-publications/DDoS-Quick-Guide
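The SYN-flood behaviour Kinghorn describes, half-open connections that tie up the listener’s backlog, is easy to spot in connection telemetry if you look at the right ratio. The script below is an added illustration, not code from the original post, from Bleeping Computer or from any of the vendors quoted here. It runs over a constructed sample of TCP handshake events in a hypothetical “epoch client server:port flags” export format (made up for this example; a real deployment would feed it from a packet capture or firewall connection log) and compares a per-source heuristic with the site-wide half-open ratio. The `backlog` value is an assumed listener queue size, not a measured one.

```python
from collections import defaultdict

# Constructed sample, not real airport traffic: one line per TCP segment in a
# hypothetical "<epoch> <client_ip> <server_ip:port> <flags>" export format.
#   S  = SYN from the client (a new handshake starting)
#   SA = SYN-ACK from the server (a half-open entry now sits in its backlog)
#   A  = final ACK from the client (handshake completed, entry released)
# 198.51.100.x are well-behaved clients; 203.0.113.x only ever send SYNs.
SAMPLE_LOG = """\
1665410400 198.51.100.7 192.0.2.10:443 S
1665410400 198.51.100.7 192.0.2.10:443 SA
1665410400 198.51.100.7 192.0.2.10:443 A
1665410401 198.51.100.8 192.0.2.10:443 S
1665410401 198.51.100.8 192.0.2.10:443 SA
1665410401 198.51.100.8 192.0.2.10:443 A
1665410401 203.0.113.1 192.0.2.10:443 S
1665410401 203.0.113.1 192.0.2.10:443 SA
1665410401 203.0.113.2 192.0.2.10:443 S
1665410401 203.0.113.2 192.0.2.10:443 SA
1665410402 203.0.113.3 192.0.2.10:443 S
1665410402 203.0.113.3 192.0.2.10:443 SA
1665410402 203.0.113.4 192.0.2.10:443 S
1665410402 203.0.113.4 192.0.2.10:443 SA
1665410402 203.0.113.1 192.0.2.10:443 S
1665410402 203.0.113.1 192.0.2.10:443 SA
1665410403 203.0.113.2 192.0.2.10:443 S
1665410403 203.0.113.2 192.0.2.10:443 SA
"""


def parse_log(text):
    """Parse the sample format into (epoch, client, server, flags) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, flags = line.split()
        events.append((int(ts), client, server, flags))
    return events


def handshake_stats(events):
    """Count SYNs sent and handshakes completed, per client address."""
    stats = defaultdict(lambda: {"syn": 0, "completed": 0})
    for _, client, _, flags in events:
        if flags == "S":
            stats[client]["syn"] += 1
        elif flags == "A":
            stats[client]["completed"] += 1
    return dict(stats)


def half_open_ratio(stats):
    """Fraction of all handshakes that never completed (site-wide, not per source)."""
    syn = sum(s["syn"] for s in stats.values())
    completed = sum(s["completed"] for s in stats.values())
    return 0.0 if syn == 0 else (syn - completed) / syn


def flag_sources(stats, min_syn=2, max_completion=0.5):
    """Per-source heuristic: addresses that keep opening but rarely finish."""
    flagged = []
    for client, s in stats.items():
        if s["syn"] >= min_syn and s["completed"] / s["syn"] <= max_completion:
            flagged.append(client)
    return sorted(flagged)


def assess(text, backlog, max_ratio=0.5):
    """Combine both views. `backlog` is the listener's accept-queue size, an
    assumed value here; on Linux it is capped by net.core.somaxconn."""
    stats = handshake_stats(parse_log(text))
    syn = sum(s["syn"] for s in stats.values())
    completed = sum(s["completed"] for s in stats.values())
    half_open = syn - completed
    return {
        "half_open": half_open,
        "ratio": half_open_ratio(stats),
        "flagged_sources": flag_sources(stats),
        # A distributed flood fills the backlog even when no single source
        # trips the per-source heuristic, so the aggregate must be tested too.
        "flood": half_open >= backlog or half_open_ratio(stats) > max_ratio,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, backlog=4))
```

Note what the two views disagree on: only 203.0.113.1 and 203.0.113.2 cross the per-source threshold, while the other flood sources sent a single SYN each and look like ordinary clients, yet six of eight handshakes site-wide never completed. That is why per-IP blocking alone is weak against a distributed SYN flood and why kernel-side defences such as SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux) and upstream scrubbing matter.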

Michael Hamilton, Founder, President, and CISO of Critical Insight, formerly Critical Informatics and CI Security: All websites are vulnerable to distributed denial of service. This type of attack can be conducted by nearly anyone, and especially if there are many “volunteers” that operate DOS tools from their computers or phones. The attack itself is essentially an annoyance, perpetrated by reasonably unsophisticated actors. Services such as Cloudflare proxy inbound traffic and have detection analytics for denial of service attacks, which they null-route to protect customer sites and that does a good job of mitigating these attacks. However, the Russian volunteers are not without skilled cyber actors and it may only be a question of time before more sophisticated attacks are leveled at infrastructure. Security teams should track this group in terms of the techniques and procedures used to estimate what sectors are being targeted with what techniques, and then apply controls commensurate with the threat.

Yotam Perkal, Director, Vulnerability Research at Rezilion: So far from what I’ve been able to gather, the important thing to note here is that the affected targets are the airport websites which had no operational impact on the airports themselves. I haven’t been able to find any technical information about the attack method, but it doesn’t seem a specific vulnerability was exploited. In these types of DDoS attacks the attackers simply issue a significantly large amount of traffic from multiple locations directed at the website under attack until it (or the hosting service it uses) cannot handle the load and it becomes unavailable.

Chris Grove, Director, Cyber Security Strategy at Nozomi Networks: Before we get into the specifics of the cyber-attack, I need to recognize and give kudos to CISA for issuing Alert AA22-110A just 6 months ago, which called this hacker group out by name, described their tactics typically used, then warned of similar upcoming attacks after they DDOS’d Bradley airport in March. Today’s attack is evidence of the importance of collaborative approaches to cybersecurity, and heeding warnings that come from those in the know. It’s fortunate that the operations of these airports weren’t impacted, but assuredly that will change in the future as the assailants attempt more brazen attacks with larger impact. As we’ve learned from mitigating years of attacks from other cyber activists, like Anonymous, these campaigns don’t last long (this airport attack was part of a 1 week campaign), are mostly confined to DDOS attacks, with an occasional data leakage if the hackers were able to breach the defenses. Like a storm, this too will pass. For the air industry there will be other attacks as the Ukraine situation escalates, so although this campaign is only 1 week long, defenders should remain at a high state of alert, and continue developing 360-degree situational awareness of their operations.

Frank Catucci, Chief Technology Officer and Head of Security Research at Invicti: If airlines are being targeted by DDoS, it is more than likely their web presence is also being targeted by the same attackers. There are many avenues to a denial of service, so continuously testing for web vulnerabilities and remediating any issues is crucial to minimize the overall attack surface. While DDoS attacks are mainly intended to render systems unresponsive and deny service to users, they are also used to slow systems down in preparation for further attacks, including SQL injection.

I think it’s a safe bet that there will be more of this given that this invasion of Ukraine continues along with the sanctions that countries have imposed on Russia. Thus everyone needs to prepare for this to happen again, and again.

UPDATE: I have additional commentary from Craig Burland, CISO of Inversion6:

“This malicious call to action is a great example of why organizations need to be ever-vigilant in their cybersecurity operations. A focus on cybersecurity isn’t only for when the auditor is coming or after a breach. It’s a 24x7x365 responsibility that we must all own and embrace. We don’t take days off from things like workplace safety or legal due diligence. Cybersecurity is no different especially as we collectively face organizations like Killnet.”

Laid Off Sysadmin Pwns Ex-Employer’s Network And Goes Straight To Jail As A Result

Posted in Commentary on October 10, 2022 by itnerd

When companies ask me to do a security assessment, one of the things I ask them is how many disgruntled employees they have and what they do to mitigate the threat those people pose. A lot of them don’t do nearly enough, and this is an example of what happens if you’re one of those companies.

Casey K. Umetsu, aged 40, worked as a sysadmin for a high-profile financial company in Hawaii, until he got laid off. Hoping to get his job back, he launched a scheme to disrupt the operations of his former employer, then ride in, save the day and cash in at the same time. But instead of getting his job back, he got caught, and here’s what happened next:

As part of his guilty plea, Umetsu admitted that, shortly after severing all ties with the company, he accessed a website the company used to manage its internet domain. After using his former employer’s credentials to access the company’s configuration settings on that website, Umetsu made numerous changes, including purposefully misdirecting web and email traffic to computers unaffiliated with the company, thereby incapacitating the company’s web presence and email. Umetsu then prolonged the outage for several days by taking a variety of steps to keep the company locked out of the website. Umetsu admitted he caused the damage as part of a scheme to convince the company it should hire him back at a higher salary.

“Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” said U.S. Attorney Clare E. Connors. “Those who compromise the security of a computer network – whether government, business, or personal – will be investigated and prosecuted, including technology personnel whose access was granted by the victim.”

“This is a great example of a company partnering, and working with the FBI, to catch a former employee who sabotaged their network for their own personal gain,” said FBI Special Agent in Charge Steven Merrill. “We encourage companies to include the FBI as part of their cybersecurity incident plan so we can assist when they have a cyber incident.”

This is a textbook example of why you need to terminate all access to every company resource the moment someone leaves, whether they resign, are laid off or are fired. And I do mean the moment. Note what the access was here: not a domain account, but the credentials for a third-party website the company used to manage its internet domain. That is exactly the kind of shared, external login that offboarding checklists miss, so the process has to include rotating shared passwords at registrars, DNS providers and cloud consoles, turning on multi-factor authentication and a registrar lock for the domain, and watching the domain’s NS, MX and A records for changes you did not make. This financial services company didn’t do that, and it cost them. While they reported it and the feds were able to hunt this guy down, this didn’t have to happen. Take this as a cautionary tale and make sure you have processes and procedures in place so that it doesn’t happen to you.
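The DOJ release says the damage was done by redirecting web and email traffic through the company’s domain-management website, which is visible from outside as a change in the domain’s NS, MX and A records. The check below is an added example, not code from the original post or from the DOJ, that compares an observed record set against a signed-off baseline and escalates when name servers or mail exchangers move outside the infrastructure you trust. The zone data, the hostnames (`example-dns.net`, `attacker-dns.invalid`, `attacker-mail.invalid`) and the record format are all constructed for illustration; in practice the observed set would come from a scheduled query against an external resolver, which this offline example does not perform.

```python
# Constructed baseline: what the domain is supposed to resolve to, one
# "<name> <type> <value>" record per line. Not a real company's zone.
EXPECTED_ZONE = """\
example.com NS ns1.example-dns.net.
example.com NS ns2.example-dns.net.
example.com A 192.0.2.10
example.com MX 10 mail.example.com.
www.example.com A 192.0.2.10
"""

# Constructed "after sabotage" snapshot: NS, MX and A all point elsewhere,
# which is the traffic misdirection the DOJ release describes.
OBSERVED_ZONE = """\
example.com NS ns1.attacker-dns.invalid.
example.com NS ns2.attacker-dns.invalid.
example.com A 203.0.113.99
example.com MX 10 mx.attacker-mail.invalid.
www.example.com A 203.0.113.99
"""


def parse_zone(text):
    """Turn the simple record format into a set of (name, type, value) tuples,
    normalising case and the trailing dot on names so equal records compare equal."""
    records = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        records.add((name.lower().rstrip("."), rtype.upper(), value.strip()))
    return records


def diff_zones(expected, observed):
    """Records that vanished from the baseline and records that appeared."""
    return {
        "missing": sorted(expected - observed),
        "unexpected": sorted(observed - expected),
    }


def target_host(rtype, value):
    """Extract the hostname from an NS or MX value (MX carries a preference first)."""
    return value.split()[-1].rstrip(".").lower()


def classify(diff, trusted_suffixes):
    """Any new NS or MX record pointing outside the trusted suffixes is critical:
    it means someone else now answers for the domain or receives its mail."""
    critical = []
    for name, rtype, value in diff["unexpected"]:
        if rtype in ("NS", "MX"):
            host = target_host(rtype, value)
            trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
            if not trusted:
                critical.append((name, rtype, host))
    return critical


def check_domain(expected_text, observed_text, trusted_suffixes):
    """Return whether anything drifted and which drifts warrant an immediate page."""
    diff = diff_zones(parse_zone(expected_text), parse_zone(observed_text))
    return {
        "changed": bool(diff["missing"] or diff["unexpected"]),
        "critical": classify(diff, trusted_suffixes),
        "diff": diff,
    }


if __name__ == "__main__":
    result = check_domain(EXPECTED_ZONE, OBSERVED_ZONE, ["example-dns.net", "example.com"])
    for name, rtype, host in result["critical"]:
        print(f"CRITICAL: {name} {rtype} now points at untrusted host {host}")
```

The ordinary A-record change is reported as drift but not as critical, because address changes are routine; a name server or mail exchanger that leaves your trusted providers is not, and that distinction is what lets the alert fire on the hijack case without paging on every deployment.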