A DDoS attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network with a flood of internet traffic from multiple compromised devices.
DDoS attacks pose significant threats to organizations, as they can lead to service outages and substantial economic losses.
Cybersecurity researchers at Cloudflare’s Cloudforce One recently identified that LameDuck’s Skynet Botnet conducted more than “35,000 DDoS attacks” targeting organizations.
In January 2023, a threat group known as “Anonymous Sudan” (aka “LameDuck”) emerged.
Two brothers from Sudan operate this sophisticated threat group. The group carried out DDoS attacks against organizations’ infrastructure, rendering various services useless to legitimate users.
LameDuck’s operations were notably diverse and targeted critical infrastructure across multiple continents, including:-
- Airports
- Hospitals
- Telecommunications providers
- Financial institutions
The threat actors have been observed using a dual strategy that combines political hacktivism with profit-driven cybercrime.
One of their core offerings was a “DDoS-for-hire service,” through which they sold attack capabilities to more than 100 customers around the world.
Researchers noted that they also carried out ransom DDoS and called for Bitcoin payments (ranging between “$3,500” and “$3 million”) to stop their attacks.
The group gained significant notoriety by using social media platforms to amplify their successful attacks against high-profile targets.
They also leveraged alliances with other hacktivist groups, ‘Killnet’ and ‘Turk Hack Team’.
They engaged in coordinated campaigns such as “#OpIsrael” and “#OPAustralia,” which demonstrate their considerable mastery of both ‘technical cyber operations’ and ‘social engineering tactics’.
More than 35,000 DDoS attacks were confirmed to have been successfully executed by LameDuck using their advanced DCAT (Distributed Cloud Attack Tool).
This tool was misleadingly dubbed:-
- Godzilla Botnet
- Skynet Botnet
- InfraShutdown
Unlike traditional attackers who launch attacks from botnets of compromised devices, “LameDuck” used a three-tiered infrastructure to do so.
For maximum impact, their technical arsenal offers “Layer 7 attacks” via “HTTP GET” flooding combined with “TCP-based” direct-path attacks and “UDP” reflection vectors.
By targeting “high-cost endpoints,” keeping per-source request rates (RPS) low to evade detection, and directing simultaneous “blitz attacks” across multiple subdomains, the group showed tactical sophistication.
They used both free and paid proxy services to stay anonymous and maintain stealth. They also strategically timed their attacks during “peak usage” periods to maximize disruption.
Their methodology involved flooding victim organizations’ web infrastructure with massive traffic volumes.
The combination of “technical expertise,” “strategic planning,” and “psychological warfare” makes the “LameDuck” different from typical “hacktivist groups.”
Recommendations
The recommended defenses are:-
- Enable always-on DDoS mitigation for all traffic layers.
- Use a WAF to block malicious HTTP traffic.
- Set rate limits to control incoming requests.
- Cache content on a CDN to ease server load.
- Establish response protocols and log analysis for attacks.
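The “log analysis” recommendation matters because the low-RPS technique described above is built to slip under a plain per-IP rate limit: each source stays below the threshold while the aggregate still overwhelms an expensive endpoint. The following detection logic is an added example (not code from the article or from Cloudflare) that runs over a constructed access log and flags endpoints hit by many sources at once, each individually under the limit, and reports when several subdomains are hit in the same window. The thresholds, the `EXPENSIVE_PATHS` set, and the hostnames are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample access log as (epoch_seconds, client_ip, host, path) tuples,
# all inside the 60-second window starting at 1700000040. Addresses come from the
# RFC 5737 documentation ranges; hostnames are assumed for illustration.
SAMPLE_LOG = []
for i in range(20):               # 20 sources x 3 requests -> 60 hits on an expensive search
    for k in range(3):
        SAMPLE_LOG.append((1700000040 + i + 20 * k, f"203.0.113.{i + 1}", "shop.example.com", "/api/search"))
for i in range(15):               # 15 sources x 4 requests -> 60 hits on login, another subdomain
    for k in range(4):
        SAMPLE_LOG.append((1700000040 + i + 15 * k, f"192.0.2.{i + 1}", "auth.example.com", "/login"))
for i in range(3):                # a few legitimate users fetching a cheap static asset
    SAMPLE_LOG.append((1700000045 + i, f"198.51.100.{i + 1}", "shop.example.com", "/static/logo.png"))

# Assumed list of endpoints that are costly to serve (database search, login hashing, reports).
EXPENSIVE_PATHS = {"/api/search", "/login", "/api/report"}


def detect_distributed_flood(log, window=60, per_ip_limit=5, min_sources=10, min_total=50):
    """Return alerts for (window, host, path) buckets whose aggregate volume is high and
    spread over many sources while every single source stays under per_ip_limit, i.e.
    exactly the traffic a per-IP rate limit alone would let through."""
    buckets = defaultdict(lambda: defaultdict(int))   # (window_start, host, path) -> ip -> count
    for ts, ip, host, path in log:
        buckets[(ts - ts % window, host, path)][ip] += 1
    alerts = []
    for (win, host, path), per_ip in buckets.items():
        total = sum(per_ip.values())
        if total < min_total or len(per_ip) < min_sources:
            continue                                  # low volume or few sources: not a flood
        if max(per_ip.values()) > per_ip_limit:
            continue                                  # a conventional per-IP limit already catches this
        alerts.append({"window": win, "host": host, "path": path, "requests": total,
                       "sources": len(per_ip), "expensive": path in EXPENSIVE_PATHS})
    return sorted(alerts, key=lambda a: (a["window"], a["host"], a["path"]))


def simultaneous_targets(alerts):
    """Map each window to the subdomains flooded at the same time (the 'blitz' pattern)."""
    hosts_by_window = defaultdict(set)
    for a in alerts:
        hosts_by_window[a["window"]].add(a["host"])
    return {w: sorted(h) for w, h in hosts_by_window.items() if len(h) > 1}


if __name__ == "__main__":
    found = detect_distributed_flood(SAMPLE_LOG)
    for a in found:
        print(a)
    print("subdomains hit together:", simultaneous_targets(found))
```

Feeding the same window keys into the WAF or rate limiter as an aggregate, per-endpoint budget (rather than a per-IP one) is what turns this detection into the mitigation the recommendations list describes.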