Massive Bot Attack Generates 400 Million Requests in 4 DaysJob Seekers Targeted, Data Scraped; Also: TrickBot Hits High-Profile Companies
Botnet attacks have affected multiple organizations recently, resulting in web scraping as well as theft of financial information. They include a massive bot attack used to scrape data from a job listing sites, and a TrickBot malware attack targeting 60 high-profile companies.
Scraping Data of Job Seekers
A botnet-based web scraping attack, intended to harvest user data from an unnamed global job listing site across six countries, has been mitigated, according to researchers at cybersecurity company Imperva. As part of the attack, the bad actors generated at least 400 million bot requests from nearly 400,000 unique IP addresses over four days, the researchers say.
"This large-scale attack comes at a time when the great resignation continues globally, with 44% of Americans and 24% of Brits looking to make a job change. It means that more people will be using job listing sites and uploading their most recent CV in pursuit of their next career opportunity," the researchers say.
Web scraping is the process of extracting large amounts of content and data from a website, usually using software to automate the process (see: 700 Million 'Scraped' LinkedIn User Records Offered for Sale).
According to the researchers, web scraping treads a fine line between sourcing business intelligence and violating data privacy.
One of the most "prominent automated attacks affecting organizations today" can result in lower conversion rates and skewed marketing analytics for companies, as well as reducing their SEO rankings, website latency and even increasing downtime, they say.
Imperva did not immediately respond to Information Security Media Group's request for additional details about the attack and mitigation measures.
Imperva says a bot-based attack during Black Friday week 2021 was another recent major incident. The attack, designed to affect a global retailer’s drop of a limited-edition collectors' item, consisted of 9 million bot requests to the retailer's application in just 15 minutes, the researchers say, adding that the attack was "2,500% more than the average web traffic on the retailer’s site."
"Stopping automated bot attacks reduces impact on an organization’s infrastructure from unwanted traffic. When websites or applications are overwhelmed by bot traffic, it can result in denial of service, revenue losses, and reputational damage," the researchers say.
Yet another bot-based cyber incident involved the use of TrickBot malware to attack 60 high-profile companies, including Amazon, PayPal and American Express, according to the research unit of cybersecurity company Check Point.
"TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand. Such modules allow the execution of all kinds of malicious activities and pose great danger to the customers of 60 high-profile financial (including cryptocurrency) and technology companies, mainly located in the United States," the Check Point researchers say.
The bad actors used a large volume of IP addresses in this attack to evade detection, as each IP address made 10 requests per hour on an average, according to the researchers.
TrickBot authors are experienced with malware development and have the skills to approach it from a very low level and pay attention to small details, the researchers say, adding that this ensures the malware code can be reused in the future.
"TrickBot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage," they say.
The Check Point researchers also analyzed three key attack modules: injectDll, tabDll and pwgrabc.
injectDll: Web-Injects Module
This module also features several anti-analysis techniques. For instance, it prevents researchers from sending automated requests to command-and-control servers to get fresh web-injects. The Check Point researchers say: "If there is no 'Referer' header in the request, the server will not answer with a valid web-inject."
"We can recognize a well-known web-inject format from Zeus. The payload, which is injected to the page is minified (making the code size smaller makes the code unreadable), obfuscated, and contains anti-deobfuscation techniques," they say.
The tabDLL module is used to steal the user credentials and spread malware via a network share. The module first enables storing of user credential information in the LSASS application and it then injects the "Locker" module into the "explorer.exe" application.
The infected application (explorer.exe) forces users to enter login credentials in the application and then locks their session. Once the credentials have been stored in the LSASS application memory, the module grabs the credentials using the Mimikatz penetration testing tool technique and reports these credentials to C2. The EternalRomance exploit, developed by the NSA and leaked by Shadow Brokers, is then used to spread the malware via the SMBv1 network share, the researchers report.
Further analysis showed that the obfuscation level went down "when a botnet operator used a random key for string encryption algorithm," the researchers say, adding: "We encountered such a case with a low obfuscation level when the string 'GetCurrentProcess' became easily readable. In this case, no key is used for decryption. However, these cases remain rare throughout the modules and samples."
The pwgrabc module is a credential stealer. It has so far targeted applications such as Chrome, ChromeBeta, Edge, EdgeBeta, Firefox, Internet Explorer, Outlook, Filezilla, WinSCP, VNC, RDP, Putty, TeamViewer, Precious, Git, OpenVPN, OpenSSH, KeePass, AnyConnect and RDCMan, the researchers say.
Bad actors use logos and names of trusted brands to embed malicious links, which can trick people who do not fully understand how domain names work, says Erich Kron, security awareness advocate at security firm KnowBe4.
"This is a very convincing way to steal credentials through a fake login page, have the victim open an infected document, or get them to a website that will attempt to inject malicious code into the browser," he tells ISMG.
Unfortunately, Kron says, there is "little that companies can do to completely stop a bad actor from using their names, and the associated trust or familiarity, to launch these attacks."
He recommends that companies educate people to spot fake websites and malicious links in email messages and update web browsers whenever possible to protect against vulnerabilities that bad actors could exploit.