
An Ongoing DDoS Campaign Targeting Sweden
NoName057 was among the first to respond, warning of a cyberattack on Sweden. NoName took the websites of the Swedish Ministry of Finance and rail carrier SJ AB offline on 28 June. In the following days, known and lesser-known groups such as AnonymousSudan, Team 1919, Islamic Hacker Army, Host Kill Crew, USA NEXUS HACKER, Mysterious Team Bangladesh, KEP TEAM, UserSec Collective, Team Heroxr, Electronic Tigers Unit, Team R70, GANOSEC TEAM and Turkish Hack Team carried out DDoS attacks on many Swedish websites.
Indicators of Compromise
Hashes (146)
IPv4 (304)
APT Groups
TurkHackTeam
Turkey
Killnet
Russian Federation
Anonymous Sudan
Notes
<div><span style="font-size: 14px;"><b>NOTES</b></span></div><div><span style="font-size: 14px;">DDoS attacks can be incredibly damaging to your organization, so having an adequate incident response plan is vital. You can check your resilience against DDoS attacks with <a href="https://">SOCRadar's DoS Resilience</a> service.</span></div><div><br></div>
Mitigation
<div><span style="font-size: 14px;"><b><a href="https://azure.microsoft.com/en-us/blog/business-as-usual-for-azure-customers-despite-24-tbps-ddos-attack/">How to Stop a DDoS Attack? (2023 Edition)</a></b></span></div>
<div><span style="font-size: 14px;">March 3, 2023</span></div>
<div><span style="font-size: 14px;"><b>What is a DDoS Attack?</b></span></div>
<div><span style="font-size: 14px;">A DDoS (Distributed Denial of Service) attack is a type of web attack that aims to cripple a web system's servers and make them unreachable to users. Web servers are typically sized according to the system's estimated user count, processing volume, and maximum number of simultaneous requests. In a <a href="https://socradar.io/the-rising-threat-in-the-financial-industry-ddos-attacks/">DDoS attack</a>, the aim is to flood the server with requests from numerous devices, far above the maximum volume the server can handle, so that it becomes temporarily or, in some cases, permanently unavailable. <a href="https://socradar.io/labs/soc-tools/ip-reputation">The DoS Resilience Service</a> allows you to check your domain's or subnet's resilience against DoS attacks such as the slowloris attack.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span id="docs-internal-guid-5da4ea18-7fff-5a1a-62b1-b49e73ee1b30"><img alt="A DDoS Attack Visualized" src="https://lh6.googleusercontent.com/LD5iMK9IlIoTc7O8ZB6eLurjJhKLGbtY-glGrsGj61UsjlPQ16yYBOuwVHZv84YgzP7zP5805npweLKDtGrGvIXGmPNOsrYdZz5OCfuVPBOL25ZlFV8DsczWlY3HwSfCE606dbMS7Kjbnhs_KIomXSs" width="624"></span></div>
<div><b style="font-size: 14px;">DDoS Attack Visualized</b></div>
<div><span style="font-size: 14px;"><b>DDoS Attack as a Growing Threat</b></span></div>
<div><span style="font-size: 14px;">Over the last decade, DDoS attacks have become more complex, more volumetric, and more frequent than ever. Not only is their traffic volume increasing, but they also threaten even small organizations. Internet Service Providers and Cloud Providers report thousands of attacks every day. With the growing use of 5G technologies and billions of <a href="https://socradar.io/detecting-iot-devices-for-your-company/">IoT devices</a>, the average volume of attacks can be expected to grow.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>Botnets are Commonly Used in DDoS Attacks</b></span></div>
<div><span style="font-size: 14px;">To load a web server with a high number of requests, threat actors use botnets: networks of compromised devices controlled by the threat actor. <a href="https://">Botnets</a> have various uses, such as crypto-mining, web crawling, and, in our case, DDoS attacks. Since some botnets contain tens of thousands of compromised devices, threat actors can easily exceed the maximum traffic a web server can handle and make it inaccessible.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>Record-Breaking DDoS Attack</b></span></div>
<div><span style="font-size: 14px;">In October 2021, Microsoft announced that one of its Azure customers in Europe had experienced a DDoS attack with an incredibly high attack volume. The attack peaked at 2.4 Tbps, breaking the record for the highest-volume DDoS attack, and lasted for about 10 minutes.</span></div>
<div><span style="font-size: 14px;">Microsoft also states that the attack came from about 70,000 devices located in the Asia-Pacific region.</span></div>
<div><span style="font-size: 14px;"><a href="https://socradar.io/suites/cyber-threat-intelligence/threat-actor-tracking/">This example</a> of a DDoS attack shows that threat actors use botnets to reach incredibly high attack volumes, resulting in DDoS attacks that are hard to mitigate.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div style="font-size: 14px;">Source: <a href="https://azure.microsoft.com/en-us/blog/business-as-usual-for-azure-customers-despite-24-tbps-ddos-attack/">https://azure.microsoft.com/en-us/blog/business-as-usual-for-azure-customers-despite-24-tbps-ddos-attack/</a></div>
<div style="font-size: 14px;"><br></div>
<div><span style="font-size: 14px;"><b>What are the Types of DDoS Attacks?</b></span></div>
<div><span style="font-size: 14px;">DDoS attacks can be divided into three main types.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span id="docs-internal-guid-64e3e215-7fff-3983-5f62-40cd379ec421"><img alt="Three Types of DDoS Attacks" src="https://lh5.googleusercontent.com/VWjDulRJmUcvT2_JUDkk2PrrIeUDuwOff3KxZba4ftOe2_R53VmXyNTdipfhIV07_2_ivlnfAr_CooAweMg7qvIhHYQzc_Cjk-PK7T5p4yG-kUxzydTXq4oR_8WfD5z8w-FMrkbnF44wh6vt14HDGzI" width="624"></span></div>
<div style="font-size: 14px;"><b>Three Types of DDoS Attacks</b></div>
<div style="font-size: 14px;"><b>Volume-Based Attacks</b></div>
<div style="font-size: 14px;">Volume-based attacks target the network layer (Layer 3) and the transport layer (Layer 4) of the OSI model.</div>
<div style="font-size: 14px;">In a volume-based attack, the aim is to create extreme traffic towards a server and exceed its bandwidth. UDP floods and ICMP floods count as volume-based DDoS attacks.</div>
<div style="font-size: 14px;"><br></div>
<div style="font-size: 14px;"><b>Application Layer (Layer 7) Attacks</b></div>
<div style="font-size: 14px;">As the name suggests, application-layer attacks target the seventh layer of the OSI model, the application layer.</div>
<div><span style="font-size: 14px;">In this attack type, the threat actor targets specific components of the highest layer. Since requests in this layer consume more server and network resources, application-layer attacks can be very damaging and hard to mitigate.</span></div>
<div><span style="font-size: 14px;">Application-layer attacks are stealthier than other types of DDoS attacks since they resemble real web traffic. Examples of seventh-layer attacks include HTTP GET and HTTP POST floods and low-and-slow attacks.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>Protocol Attacks</b></span></div>
<div><span style="font-size: 14px;">The third main type of DDoS attack is the protocol attack, also known as a state-exhaustion attack. The goal of these attacks is to consume the network resources of a server and exhaust additional network equipment such as firewalls and server load balancers.</span></div>
<div><span style="font-size: 14px;">The most common attack in this category is the SYN Flood; Smurf attacks and Ping of Death attacks also fall into this category, although they are obsolete and no longer pose a threat.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>Most Common DDoS Attack Vectors and Mitigation Methods</b></span></div>
<div><span style="font-size: 14px;"><b>UDP Flood</b></span></div>
<div><span style="font-size: 14px;">According to Azure's 2020 Q1 and Q2 DDoS reports, UDP Flood is the most common attack vector in DDoS attacks.</span></div>
<div><span style="font-size: 14px;">Source: <a href="https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q1-and-q2-ddos-attack-trends/">https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q1-and-q2-ddos-attack-trends/</a></span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div style="font-size: 14px;">The reason behind its popularity is that no connection is required to send UDP (User Datagram Protocol) packets, and generating and sending UDP packets is easy in many programming languages.</div>
<div style="font-size: 14px;">This is a volume-based attack, and the goal is to overwhelm the server so that it cannot process and respond to incoming packets.</div>
<div style="font-size: 14px;">One mitigation for the UDP Flood is for the server to set a maximum response rate for incoming packets. Even though this mitigation has downsides, such as legitimate packets going unanswered during a UDP Flood, it effectively protects the server against UDP Flood attacks and keeps network resources from running out.</div>
<div style="font-size: 14px;"><br></div>
<div><span style="font-size: 14px;"><b>SYN Flood</b></span></div>
<div><span style="font-size: 14px;">Also known as a TCP Flood or half-open attack, the SYN Flood attack vector exploits the TCP three-way handshake.</span></div>
<div><span style="font-size: 14px;">In a three-way handshake, the client sends a SYN packet; when the server receives it, the server sends a SYN-ACK packet back to the client. After the SYN-ACK packet, the client sends an ACK packet to confirm the connection, and the three-way handshake is completed.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span id="docs-internal-guid-9df0a0b6-7fff-7d44-5596-62744bc4bc26"><img alt="Three-way Handshake" src="https://lh3.googleusercontent.com/eRpx3mUOCURK99HWUzukx9M1YTWPzDmEztaHKVMlMs-__oYEkcX-9BmIE40NrO2exhxJ5GPM9LYkmqJHSm8duwTnwp8FH-S_Nyb59Uoxz59VgeleIbLDWvim-fAjIYISbMN14PDGKlAL9gUboXoF2sw" width="624"></span></div>
<div style="font-size: 14px;"><b>Three-way Handshake</b></div>
<div style="font-size: 14px;">During a SYN Flood attack, the threat actor sends SYN packets from numerous devices, but after these devices receive SYN-ACK packets from the server, they never respond. As a result, all these incomplete connections take up memory on the server, preventing new connections from being made.</div>
<div style="font-size: 14px;"><br></div>
<div style="font-size: 14px;"><span id="docs-internal-guid-41b53461-7fff-bbba-63da-0daf96cd20eb"><img alt="SYN Flood Attack" src="https://lh3.googleusercontent.com/5RSYi_-TBv8bJp-a7AA4GEGQF7Ky9hbJuP9Ln6DlDalfy29jPylwlH2fvUdIcQt09n4UZIMR3tWYztzLoAuJRZ-943RTCAXkB7dnPdpLKdmr_9iNdltNHwPgvFwZloOV190Mg8hc0Ty3TyR-xFThqZY" width="624"></span></div>
<div><span style="font-size: 14px;"><b>SYN Flood Attack</b></span></div>
<div><span style="font-size: 14px;">To mitigate SYN Flood attacks, servers implement techniques such as limiting the maximum number of half-open connections, reserving memory to raise the limit when required, or recycling the longest-waiting (oldest) half-open connection for a new one when the maximum number of half-open connections is reached.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>ICMP (Ping) Flood</b></span></div>
<div><span style="font-size: 14px;">ICMP (Internet Control Message Protocol) packets are primarily used for error messaging and generally do not carry data between the server and the client.</span></div>
<div><span style="font-size: 14px;">Like the UDP Flood attack, the ICMP Flood is a high-volume DDoS tactic used to disrupt the target server. The aim is to load the target server with ICMP packets in order to consume network and server resources. As a result, the server is overwhelmed and becomes unable to respond to legitimate traffic.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>HTTP Flood</b></span></div>
<div><span style="font-size: 14px;">HTTP Flood attacks use HTTP GET and POST requests to flood the target server.</span></div>
<div><span style="font-size: 14px;">Targeting the seventh layer of the OSI model, the HTTP Flood attack can be very dangerous: since the HTTP requests look like legitimate traffic, noticing and blocking an HTTP Flood is more challenging than for other types of DDoS attacks.</span></div>
<div><span style="font-size: 14px;">Like other DDoS attack vectors, the HTTP Flood aims to overwhelm the target server with requests and interrupt its operations.</span></div>
<div style="font-size: 14px;">Since the number of different kinds of HTTP requests is limitless, this attack can range from very simple to very complex, depending on the contents of the HTTP requests.</div>
<div style="font-size: 14px;"><br></div>
<div style="font-size: 14px;"><b>Potential Impacts of DDoS Attacks</b></div>
<div style="font-size: 14px;">DDoS attacks can have many consequences for a company and can damage it in different ways.</div>
<div style="font-size: 14px;">Some possible consequences of DDoS attacks are listed below.</div>
<div style="font-size: 14px;"><b>Money</b>: During a DDoS attack, the company's servers are down and cannot generate revenue.</div>
<div style="font-size: 14px;"><b>Time</b>: Recovering from a DDoS attack can take hours, days, or even weeks.</div>
<div style="font-size: 14px;"><b>Reputation</b>: Being the subject of a DDoS attack can damage a company's reputation in its clients' eyes.</div>
<div style="font-size: 14px;"><br></div>
<div><span style="font-size: 14px;"><b>How to Mitigate</b></span></div>
<div><span style="font-size: 14px;">A layered and hybrid approach can help you mitigate DDoS attacks. The following is a list of technologies and providers to leverage to keep your internet-facing systems accessible and avoid business interruptions.</span></div>
<div><span style="font-size: 14px;"><b>Internet Service Providers (ISPs)</b>: ISPs limit the network bandwidth of your servers to stop DDoS attacks. If a large amount of traffic is detected, ISPs quickly block all incoming traffic. Even though the server is unreachable during the attack, there is no aftermath, because the attack traffic never actually reaches the server.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>Content delivery networks (CDNs)</b>: Content delivery networks are networks of servers scattered worldwide that take load off the origin server. CDNs can handle high volumes of traffic and help companies mitigate DDoS attacks.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div><span style="font-size: 14px;"><b>Web application firewalls (WAFs)</b>: Web application firewalls filter and monitor a server's HTTP requests, and they provide effective mitigation against application-layer (Layer 7) attacks.</span></div>
<div><span style="font-size: 14px;"><br></span></div>
<div style="font-size: 14px;"><b>Cloud Scrubbing Centers (CSCs)</b>: Cloud scrubbing centers operate in the external layer and are responsible for filtering and cleansing incoming traffic before it reaches the target server.</div>
<div style="font-size: 14px;"><br></div>
<div style="font-size: 14px;"><b>On-premises appliances</b>: On-premises appliances offer advanced protection against DDoS attacks designed to bypass security solutions operating in the external layer.</div>
<div style="font-size: 14px;"><br></div>
<div style="font-size: 14px;"><b>DNS protection</b>: DNS protection solutions also filter and monitor incoming queries and detect malicious DDoS packets to protect servers from DDoS attacks.</div>
<div style="font-size: 14px;"><br></div>
<div style="font-size: 14px;"><b>Native cloud providers</b>: Native cloud providers offer cloud-based servers with high traffic-handling capacity and traffic acceleration features. Popular cloud providers such as Cloudflare state that cloud providers offer effective solutions against DDoS attacks.</div>
<div style="font-size: 14px;"><br></div>
<div><span style="font-size: 14px;">These technologies can be categorized into three layers:</span></div>
<div><span style="font-size: 14px;"><b>The external layer</b> consists of cloud scrubbing centers, content delivery networks, DNS protection solutions, and Internet service provider services. The external layer is responsible for handling, monitoring, and filtering incoming traffic before it reaches the main servers.</span></div>
<div><span style="font-size: 14px;"><b>The perimeter layer</b> is specific to on-premises solutions. The security solutions in this layer provide extensive protection against DDoS attacks that are able to circumvent the external layer of your network.</span></div>
<div><span style="font-size: 14px;"><b>The internal layer</b> consists of WAFs inside your network. It offers protection against application-layer (Layer 7) attacks by filtering HTTP GET/POST requests that aim to exploit specific components of your servers.</span></div>
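The SYN Flood mitigations described in the section above (a cap on half-open connections, and recycling the oldest half-open entry when the cap is reached), modelled as a small Python simulation of the server's half-open table. This is an added example, not code from the original page; the table size, the packet traces and the 203.0.113.x / 192.0.2.x addresses are constructed, and the two scenarios show both when recycling rescues a legitimate handshake and when a sustained flood still evicts it.

```python
from collections import OrderedDict

class HalfOpenTable:
    """Server-side table of half-open (SYN received, ACK still pending) connections."""

    def __init__(self, max_half_open, recycle_oldest=False):
        self.max_half_open = max_half_open
        self.recycle_oldest = recycle_oldest
        # insertion order doubles as age: the first key is the oldest half-open entry
        self.half_open = OrderedDict()
        self.established = set()
        self.dropped_syn = 0
        self.recycled = 0

    def on_syn(self, src):
        """Handle a SYN from src=(ip, port); returns what the server does with it."""
        if src in self.half_open:
            return "syn-ack"  # retransmitted SYN: resend SYN-ACK, no new state
        if len(self.half_open) >= self.max_half_open:
            if not self.recycle_oldest:
                self.dropped_syn += 1  # mitigation 1: hard cap, the new SYN is dropped
                return "dropped"
            self.half_open.popitem(last=False)  # mitigation 2: recycle the oldest entry
            self.recycled += 1
        self.half_open[src] = True
        return "syn-ack"

    def on_ack(self, src):
        """Handle the client's final ACK; completes the handshake only if state exists."""
        if src not in self.half_open:
            return "no-state"  # entry never existed or was recycled away
        del self.half_open[src]
        self.established.add(src)
        return "established"

def replay(trace, max_half_open, recycle_oldest):
    """Feed a (kind, src) packet trace through a fresh table and summarise the outcome."""
    table = HalfOpenTable(max_half_open, recycle_oldest)
    for kind, src in trace:
        if kind == "SYN":
            table.on_syn(src)
        else:
            table.on_ack(src)
    return {"established": sorted(table.established),
            "half_open": len(table.half_open),
            "dropped_syn": table.dropped_syn,
            "recycled": table.recycled}

def flood(n, start=0):
    """Constructed flood: n SYNs from distinct spoofed sources that never send an ACK."""
    return [("SYN", ("203.0.113.%d" % (i % 250 + 1), 50000 + i))
            for i in range(start, start + n)]

LEGIT = ("192.0.2.10", 44321)  # constructed legitimate client
# Scenario A: the flood fills the table, then a legitimate client completes its handshake.
TRACE_A = flood(100) + [("SYN", LEGIT), ("ACK", LEGIT)]
# Scenario B: the flood keeps coming between the legitimate SYN and its ACK.
TRACE_B = flood(100) + [("SYN", LEGIT)] + flood(100, start=100) + [("ACK", LEGIT)]

if __name__ == "__main__":
    for name, trace in (("A", TRACE_A), ("B", TRACE_B)):
        for recycle in (False, True):
            print(name, "recycle_oldest=%s" % recycle, replay(trace, 100, recycle))
```

With a hard cap alone the legitimate client is refused in both scenarios; recycling lets it through in scenario A, but in scenario B the continuing flood evicts its half-open entry before the ACK arrives, which is why the cap is usually combined with a larger table or other handshake protections.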
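For the HTTP Flood section above, a defender-side detector run over constructed access-log lines, as an added example that is not from the original page: a sliding window per source IP catches a single chatty client, while a second window per requested path catches a distributed flood in which no single source exceeds the per-IP limit. The thresholds, the window length and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format, e.g.:
# 203.0.113.5 - - [28/Jun/2023:10:00:01 +0000] "GET /search HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}

def detect_floods(lines, window_s=10, per_ip_limit=30, per_path_limit=200):
    """Sliding-window counters per source IP and per requested path.
    Returns (noisy_ips, flooded_paths): a single chatty client trips the
    per-IP limit; a distributed flood trips only the per-path limit."""
    per_ip, per_path = defaultdict(deque), defaultdict(deque)
    noisy_ips, flooded_paths = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip it rather than crash the detector
        for key, table, limit, out in ((rec["ip"], per_ip, per_ip_limit, noisy_ips),
                                       (rec["path"], per_path, per_path_limit, flooded_paths)):
            q = table[key]
            q.append(rec["ts"])
            while q and q[0] < rec["ts"] - window_s:
                q.popleft()  # drop timestamps that fell out of the window
            if len(q) > limit:
                out.add(key)
    return noisy_ips, flooded_paths

def make_sample_log():
    """Constructed sample log (not real traffic); everything falls within 10 seconds."""
    fmt = '%s - - [28/Jun/2023:10:00:%02d +0000] "%s %s HTTP/1.1" 200 512'
    lines = []
    # one chatty client: 50 GETs to /search within 5 seconds
    for i in range(50):
        lines.append(fmt % ("203.0.113.5", i // 10, "GET", "/search"))
    # distributed flood: 250 distinct sources, one POST each to /login
    for i in range(250):
        lines.append(fmt % ("198.51.100.%d" % (i + 1), i // 25, "POST", "/login"))
    # a normal visitor browsing a few pages
    for sec, path in enumerate(["/", "/about", "/pricing", "/docs"]):
        lines.append(fmt % ("192.0.2.10", sec, "GET", path))
    return lines

if __name__ == "__main__":
    print(detect_floods(make_sample_log()))  # ({'203.0.113.5'}, {'/login'})
```

A per-IP rule alone would miss the /login flood entirely, which is the practical reason WAF and CDN layers also track aggregate request rates per endpoint.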