| Category | Industry | Motivation | Region | Source* |
|---|---|---|---|---|
| Adversary Intelligence | Multiple | Financial | Global | F3 |
- CloudSEK's contextual AI digital risk platform XVigil discovered a threat actor advertising a stress-testing service for websites and servers.
- The post lists the points that, according to the seller, differentiate this service from its competitors:
  - Technical support is always available
  - Convenient auto-pay system
  - Methods are improved daily
- Stress testing is a software-testing activity that determines the robustness of software by testing it beyond the limits of normal operation, to ensure that it can run anywhere, with few preset requirements and under any condition.
- Directing heavy simulated traffic at a domain as part of the testing process indicates how much request load it can withstand before failing.
- Cloudflare provides DDoS protection services that let websites withstand heavy traffic directed at them from botnets operated by cybercriminals or from dedicated servers.
- The advertised service is in practice a DDoS-for-hire platform, through which an attacker can launch unauthorized DDoS attacks against websites.
- It is an online service platform, with no installations required.
- Supports both Layer 4 and Layer 7 protocols.
- Ability to generate up to 600,000 requests/second, which can effectively DDoS the target website.
- Supports multiple requests per IP (1-64).
- 5 attack methods are available (1 for L4, 3 for L7).
- API Key to launch attacks.
- Supports 4 concurrent connections.
- Boot time of up to 2,400 seconds (the maximum duration of an attack, i.e. of the target website's downtime).
- DDoS attacks carried out by threat actors particularly target the following two layers of the OSI (Open Systems Interconnection) model:
  - Layer 4 (Transport Layer) - where data transmission (packet transmission and packet assembly) takes place between two systems, using the TCP and UDP protocols.
  - Layer 7 (Application Layer) - where applications interact with network services; for example, web browsers use this layer to deliver meaningful website content to users.
- Attacks via the platform can be carried out by buying API Keys.
- The table below lists the types of DDoS attacks that can be performed on each layer.

| Layer | Attacks Targeting the Layer |
|---|---|
- Attack Method - differs for each OSI layer, as described above.
- Target - what must be supplied depends on the layer:
  - Layer 4 - the IP address and port (default is port 80, HTTP)
  - Layer 7 - the domain name
- Boot Time - a predefined field giving the minimum and maximum attack duration, ranging from 0 to 2,400 s.
- Request Type - GET or POST (Layer 7 attacks only)
- Concurrents - the number of concurrent sessions (from dedicated servers, i.e. zombies) directed at the targeted domain or IP at one time; 4 concurrent connections are supported. The more concurrent sessions, the more powerful the DDoS attack.
- The platform has servers readily available to carry out the different attack types:
  - Layer 4 - 1 server with 3 DDoS attack slots that can be used concurrently.
  - Layer 7 - 3 servers with 10 DDoS attack slots that can be used concurrently.
- The request rate peaked at 79,074 requests per second in the observed DDoS attack.
- The attack method used here is HCaptcha; there is no direct evidence that the HCaptcha mechanism itself was bypassed.
- HUMINT revealed that the cybercriminals had mentioned using dedicated servers to carry out attacks.
- The maximum request rate of 600,000 requests per second was independently verified using the DSTAT tool.
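As an added defender-side example (written for this page; not code from CloudSEK or from the service described), the script below parses constructed web-server access-log lines and flags the two signatures of the Layer 7 GET/POST floods described above: a per-second request rate far above baseline, and individual sources exceeding the 1-64 requests per IP quoted in the advert. The log lines, IP addresses and both thresholds are constructed or assumed values.

```python
import re
from collections import Counter

# Apache/Nginx "combined" access-log format; the constructed sample below uses it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split(" ")[0]  # e.g. "10/Mar/2023:12:00:01", timezone dropped
    return rec

def detect_l7_flood(lines, rps_threshold=100, per_ip_threshold=64):
    """Flag seconds whose total GET/POST rate exceeds rps_threshold, and source IPs
    exceeding per_ip_threshold requests within one second (the advert quotes 1-64
    requests per IP). Both thresholds are assumed values: tune them to the site's
    measured baseline."""
    per_second = Counter()
    per_ip_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "POST"):
            continue
        per_second[rec["second"]] += 1
        per_ip_second[(rec["ip"], rec["second"])] += 1
    hot_seconds = {s: n for s, n in per_second.items() if n > rps_threshold}
    hot_ips = sorted({ip for (ip, _), n in per_ip_second.items() if n > per_ip_threshold})
    return hot_seconds, hot_ips

def make_sample_log():
    """Constructed sample: a little normal traffic, then a one-second burst in which
    three sources each send 70 POSTs (above the 1-64 per-IP range from the advert)."""
    fmt = '{ip} - - [10/Mar/2023:12:00:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.10", s=0, m="GET", p="/index.html"),
             fmt.format(ip="203.0.113.11", s=0, m="GET", p="/about"),
             fmt.format(ip="203.0.113.10", s=1, m="GET", p="/style.css")]
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        lines += [fmt.format(ip=ip, s=1, m="POST", p="/login") for _ in range(70)]
    return lines

if __name__ == "__main__":
    seconds, ips = detect_l7_flood(make_sample_log())
    print("seconds over threshold:", seconds)  # {'10/Mar/2023:12:00:01': 211}
    print("sources over per-IP limit:", ips)  # ['198.51.100.1', '198.51.100.2', '198.51.100.3']
```

In production the same two counters would be kept per rolling window over a live log stream rather than over a list, and a flagged second is a trigger for rate limiting or upstream scrubbing, not proof of an attack on its own.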
- The website offers a free plan for users who use the service without paying.
- The website also has a set pricing structure for its paid users, i.e. Regular and Premium.
- Prices range from USD 10 to USD 850 per month, with testing specifications varying for each pricing bracket.
- These websites have been advertised on other DDoS-for-hire websites.
- Use of these websites was widespread in the early stages of the Russia-Ukraine war.
- The service was primarily used to conduct DDoS attacks against Russian websites.
- User reviews indicate that the service is gaining traction among average internet users.
| Threat Actor Profiling | |
|---|---|
| Active since | August 2022 |
| Reputation | Low (multiple complaints and concerns on the forum) |
| Rating | F3 (F: Reliability Unknown; 3: Possibly true) |