Link11: A cybercrime group is claiming to be Fancy Bear APT to blackmail companies on the threat of DDoS attacks. They ask a ransom of 2 Bitcoin to not hit the victim
A cybercrime group is claiming to be Fancy Bear APT to blackmail companies on the threat of DDoS attacks. It has been discovered by the Link11 cyber security experts. The company Security Operation Center is warning organizations about the DDoS attacks launched by these perpetrators, which primarily target the Origin infrastructure of the companies. Since mid-October, companies targeted in this extortion campaign receive emails saying: “We are the Fancy Bear and we have chosen XXX as target for our next DDoS attack.” While the perpetrator or perpetrators claim to be from Fancy Bear, they have little in common with the Russian hacker group. he blackmailers are directing their extortion attempts again organizations in the payment, entertainment and retail sectors. They demands ‘protection money’ of 2 Bitcoin (equivalent to approx. 14,200 euros, as of 23 October 2019), and if payment is not received.
The cyber security experts: They’re not the APT, but don’t bluff when they warn attacks of up to 60 Gbps
According to the cyber security experts, to convince victims the fake Fancy Bear launches an initial warning attack, and warns victims that they have between 2 and 4 days to pay the protection money. If no payment is received at the specified Bitcoin address, another attack is launched at the victim. The extortion e-mails contain victim-specific Bitcoin addresses and wording which is closely linked to the protection money demands of DDoS blackmailers from spring 2016. Under the name Kadyrovtsy, they had attacked several banks and online marketing companies. Unlike many DDoS blackmail imitators, those cybercrime crooks don’t bluff. They warn attacks of up to 60 Gbps. In the long-lasting demo attacks, they use not only the well-known reflection amplification vectors DNS, NTP and CLDAP. But also two new attack techniques: WS Discovery and Apple Remote Control.
These DDoS cyber attacks are not aimed at the target organization’s homepage, but at areas in the corporate IT infrastructure which are often inadequately protected
Moreover, according to Link11, a notable feature of these DDoS cyber attacks is that they are not aimed at the target organization’s homepage, but at areas in the corporate IT infrastructure which are often inadequately protected. These include, for example, original IP addresses and original servers. Even if companies have implemented DDoS protection, they can be defenceless against the attacks. Only a Site Shield prevents direct access to the company’s Origin infrastructure and protects the origin of websites and applications from overload by DDoS attacks.