Dealing with DDoS threats by KillNet, Anonymous Sudan and REvil

It has recently been reported that KillNet, Anonymous Sudan and REvil have made some credible threats of large-scale attacks against US and European banking systems in response to the West's support of Ukraine in the ongoing conflict between Ukraine and Russia.


Prior attacks from KillNet and Anonymous Sudan have been volumetric Denial-of-Service attacks and simple brute-force attacks against applications on common ports (e.g., SSH and HTTP/HTTPS web applications). REvil, by contrast, is known for ransomware attacks, where the most common initial attack vector is phishing; REvil was also the threat actor behind the Kaseya supply chain compromise in 2021 and is understood to have had the most advanced capabilities of the three groups, at least prior to arrests in 2022.

Few technical specifics are known about the Tactics, Techniques and Procedures (TTPs) of these groups, so the advice below is largely based on the overarching TTP categories and our experience from previous engagements, unless otherwise noted.

These groups have threatened action before; however, the F5 SIRT has seen little real-world impact from those threats and assesses the credibility of large-scale impact from the latest threat as low.
 
In general, the guidance issued in 2022 by CISA, jointly with Australia, Canada, New Zealand and the United Kingdom, in AA22-110A should still be considered valid and relevant to this threat.

The guidance below can also be found in MyF5 article K000135063.
 

F5 SIRT Guidance and Recommendations

Firstly, if you do come under attack, you can call in to Support and reach the F5 Security Incident Response Team for emergency assistance, 24/7, as a part of your support contract and we will work with you and whatever F5 products or services you have access to in order to mitigate the immediate attack.
 
Further, we recommend the following steps. These steps are not specific to F5 products and many apply broadly to all infrastructure and systems; however, we call out F5 products where they can help:
  1. Protect your administrative interfaces from brute force attacks:
    1. Ensure that management ports are not accessible from the Internet (use VPNs, jump hosts, or similar, to isolate management from the Internet and other untrusted networks).
    2. Ensure strong passwords are in use for all accounts.
    3. Use MFA wherever possible.

  2. Ensure any public authentication systems are protected from brute force attacks, e.g., for HTTP/HTTPS services:
    1. Deploy BIG-IP Advanced WAF and configure Brute Force protection (e.g., https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-asm-implementations/mitigating-brute-force-attacks.html) and ensure IP Shunning is configured or,
    2. Deploy F5 Distributed Cloud Account Protection (https://www.f5.com/cloud/products/account-protection)

  3. Ensure robust DOS protections are in place for volumetric attacks:
    1. Deploy BIG-IP AFM Layer 4 DOS protections (e.g., https://my.f5.com/manage/s/article/K49869231) or,
    2. Deploy F5 Distributed Cloud DDoS Mitigation (https://www.f5.com/cloud/products/l3-and-l7-ddos-attack-mitigation) and/or,
    3. Deploy BIG-IP ASM Layer 7 DOS protections, ensuring Source IP based and/or GeoLocation based blocking is in use (https://my.f5.com/manage/s/article/K13410341)
    4. For on-prem systems the F5 SIRT also strongly recommends the use of IP Intelligence (an additional cost license option)

  4. Enforce GeoLocation blocking where possible, as previous attacks by Anonymous Sudan have shown traffic predominantly originating from specific regions, e.g.:
    1. Using BIG-IP AFM network firewall rules based on regions (e.g., https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations.html)
    2. Using BIG-IP Advanced WAF (e.g., https://my.f5.com/manage/s/article/K79414542) or, as a last resort and least-performant option,
    3. Using BIG-IP LTM and iRules (e.g., https://my.f5.com/manage/s/article/K43383890)

  5. Consider blocking any unnecessary HTTP methods (e.g., HEAD, PUT) as previous attacks by KillNet have utilised floods of specific methods. Allowed methods will need to be determined per application, but can be blocked using:
    1. BIG-IP Advanced WAF’s Allowed Methods list (by default, HEAD, GET and POST are allowed and all others are handled based on the configured Learning and Blocking Settings) or,
    2. BIG-IP LTM iRules with a rule like this: https://my.f5.com/manage/s/article/K85840901
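
As an added illustration of steps 4.3 and 5.2 (this is not the iRule from the linked F5 articles), the following LTM iRule drops connections from a placeholder list of country codes and rejects any HTTP method outside an allow-list. It assumes a GeoIP database is loaded on the BIG-IP (so that `whereami` returns a country code), and the country codes and method list are constructed placeholders that must be tuned per application.

```tcl
# Added example (not from the F5 article or the linked Knowledge articles).
# Combines GeoLocation blocking (step 4.3) with an HTTP method allow-list
# (step 5.2) in a single LTM iRule attached to an HTTP virtual server.
when RULE_INIT {
    # ISO country codes to drop: constructed placeholder values, replace
    # with the regions observed in your own traffic analysis.
    set static::blocked_countries [list "XX" "YY"]
    # Methods this application actually needs; everything else is rejected.
    set static::allowed_methods [list "GET" "POST" "HEAD"]
}

when CLIENT_ACCEPTED {
    # One GeoIP lookup per TCP connection (assumes a GeoIP DB is installed).
    # Private or unknown addresses return an empty string, which is not blocked.
    set country [whereami [IP::client_addr] country]
    if { [lsearch -exact $static::blocked_countries $country] >= 0 } {
        # Under a sustained flood, remove or rate-limit this log line:
        # logging every dropped connection adds its own load.
        log local0. "Dropping [IP::client_addr] (country $country)"
        drop
        return
    }
}

when HTTP_REQUEST {
    set method [HTTP::method]
    if { [lsearch -exact $static::allowed_methods $method] < 0 } {
        log local0. "Rejecting $method from [IP::client_addr] to [HTTP::host][HTTP::uri]"
        # 405 with an Allow header tells legitimate clients what is permitted;
        # closing the connection avoids servicing further requests on it.
        HTTP::respond 405 content "Method Not Allowed" \
            "Allow" [join $static::allowed_methods ", "] \
            "Connection" "close"
        return
    }
}
```

As the article notes, iRules are the least-performant option for this; prefer the AFM or Advanced WAF features above where they are licensed, and keep this rule as a fallback.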

  6. To reduce the risk of malware/ransomware attacks:
    1. Ensure users are educated on Phishing attacks; how to spot them, what to do if one is received.
    2. Have proper internal processes in place to handle reports of suspicious messages.

  7. Ensure there is a process in place to remediate known vulnerabilities:
    1. Ensure BIG-IP, NGINX, etc. instances are running up-to-date versions.
    2. Prioritize the patching of known exploited vulnerabilities on all systems, regardless of vendor.

If any further intelligence becomes available which informs more specific guidance, we will add that here and in K000135063.

Updated Jun 16, 2023
Version 2.0