Cyber security firm Darkscope is trying to fill in the blanks on the massive denial of service attack on New Zealand's stock exchange (NZX) over the past few days.
Distributed denial of service attacks, with ransom demands, are occurring more frequently, lasting longer and are more complex than in the past, the Wellington-based company said.
They include new attack vectors which can defeat existing defensive systems typically deployed to reroute and stop them.
Attacks credited to the Russian cyber espionage group "Fancy Bear" demanded a bitcoin ransom prior to the attack being launched, a ransom that increased daily.
The attackers typically initiated a small half-hour attack ranging from 40 to 60 Gbit/s, on a specifically chosen IP address belonging to the victim’s network.
"One main difference with these attacks is that they are not aimed at the organisation’s homepage, but target areas in the corporate IT infrastructure which are often inadequately protected," Darkscope said.
"These include original IP addresses and internal servers. Because of this targeting, companies can be defenceless against the attacks even if they have implemented DDoS protection, as we have seen with NZX."
Attacks have since spread to target media organisations, TSB Bank and MetService, which has gone offline intermittently with users being redirected to a backup site delivering safety-critical information.
The attackers are using at least eight vectors to launch DDoS attacks and amplify the disruption, including two relatively new ones, Web Service Dynamic Discovery (WSD) and Apple's Remote Management Service (ARMS).
WSD has only been known as a DDoS attack vector since the beginning of 2019. Its effect was not generally understood until the third quarter of 2019, when details emerged that the attackers had added this new attack vector to their toolkit.
When implemented, the two vectors can amplify the intensity of the attack up to 35 times.
Other vectors include Simple Service Discovery Protocol (SSDP), Network Time Protocol (NTP), Domain Name System (DNS), Connection-less Lightweight Directory Access Protocol (CLDAP), SYN and Internet Control Message Protocol (ICMP).
"When all eight vectors are deployed together, the attack is very difficult to stop even with the best defensive systems, as we have seen with the attacks on the NZX," Darkscope said.
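For defenders, the vector list above maps onto a simple flow-triage check. The following is an added example, not code from Darkscope or the article: it tags flow records with the eight named vectors by protocol and default service port, then flags targets outside a scrubbed prefix, which is the origin-IP gap described earlier. The port numbers are the services' well-known defaults; the addresses, the protected prefix and the record layout are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Default UDP ports of the reflection services named in the article.
REFLECTOR_PORTS = {3702: "WSD", 3283: "ARMS", 1900: "SSDP",
                   123: "NTP", 53: "DNS", 389: "CLDAP"}

# Assumption: the only prefix routed through the DDoS scrubbing service.
PROTECTED = ipaddress.ip_network("203.0.113.0/24")

# Constructed inbound flows: (proto, src_ip, src_port, dst_ip, bytes, tcp_flags)
FLOWS = [
    ("udp", "192.0.2.1", 3702, "198.51.100.10", 1400, ""),
    ("udp", "192.0.2.2", 3283, "198.51.100.10", 1000, ""),
    ("udp", "192.0.2.3", 123, "198.51.100.10", 468, ""),
    ("udp", "192.0.2.4", 389, "198.51.100.10", 3000, ""),
    ("tcp", "192.0.2.5", 40000, "198.51.100.10", 60, "S"),
    ("icmp", "192.0.2.6", 0, "203.0.113.5", 84, ""),
    ("tcp", "192.0.2.7", 51000, "203.0.113.5", 1500, "PA"),  # ordinary traffic
]

def classify(flow):
    """Return the vector name for a flow, or None if it matches none."""
    proto, _src, sport, _dst, _size, flags = flow
    if proto == "udp":
        # Heuristic: replies arrive *from* the service port. Legitimate DNS/NTP
        # answers match too, so judge by volume and by whether the host asked.
        return REFLECTOR_PORTS.get(sport)
    if proto == "icmp":
        return "ICMP"
    if proto == "tcp" and flags == "S":  # SYN set, ACK clear
        return "SYN"
    return None

def summarize(flows):
    """Per destination: bytes per vector, total, and whether it bypasses scrubbing."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        vector = classify(flow)
        if vector:
            per_dst[flow[3]][vector] += flow[4]
    return {dst: {"vectors": dict(v), "total_bytes": sum(v.values()),
                  "unprotected": ipaddress.ip_address(dst) not in PROTECTED}
            for dst, v in per_dst.items()}

if __name__ == "__main__":
    for dst, info in summarize(FLOWS).items():
        print(dst, info)
```

A destination that shows several vectors at once and sits outside the scrubbed prefix is the pattern the article attributes to these attacks.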
It was unclear whether the attacks on the NZX, Stuff and Radio NZ sites were from Fancy Bear, the company said.
"In fact, it is unlikely as these attacks do not match Fancy Bear's typical behaviour. To date, the attacked organisations and the GCSB are silent on whether ransoms have been demanded or paid."
The NZX succumbed to the attacks again today, but for a much shorter period than previously, before recovering.
Darkscope said its experience through daily monitoring of millions of internet sites and dark web activity was that these types of attack were often geographically clustered.
"We see similar attacks occurring and recurring in one country before moving to the next. What is clear is that this new form of attack is being targeted at New Zealand organisations and we should expect this to continue for some time to come."