Security Activity Bulletin

Financial Institution Websites Targeted by Distributed Denial of Service Attacks

 
Threat Type: IntelliShield: Security Activity Bulletin
IntelliShield ID: 27076
Version: 4
First Published: 2012 October 01 20:47 GMT
Last Published: 2013 March 26 16:29 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage
Related Resources: View related IPS Signature; View related Event Response
 
 
Version Summary: Additional information is available regarding new attacks against financial institutions.
 

Description
 
Attackers have targeted financial institution websites with distributed denial of service (DDoS) attacks that are designed to render sites unavailable to legitimate customers. The attackers claim to be politically motivated and to be protesting proposed legislation in the United States related to intellectual property and copyright laws. However, because of the distributed nature of the attacks, there is no single source to which the attacks can be attributed. The financial institutions are considered critical infrastructure, and the attacks have the attention of the U.S. presidential administration and Congress and are currently under investigation by the U.S. Federal Bureau of Investigation (FBI). The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the FBI have issued warnings to the financial sector. The attacks were also included in the Cisco Cyber Risk Reports for September 17–23 and September 24–30, 2012, with additional analysis and hyperlinks to media reporting.

A DDoS attack aims to overwhelm a targeted site's capacity to process and respond to requests, with the desired result of rendering the website completely unavailable. Depending on the capacity of the targeted site or its capability to filter requests, a DDoS attack may use specially formatted requests that are designed to make a targeted site consume even more resources in responding to any given request, furthering the aims of the attack.

Several different types of traffic have been observed as part of the DDoS attacks. The attacks have sent large numbers of network packets to TCP port 53 (DNS) or 80 (HTTP) in an attempt to exhaust available allowed network connections. Other types of traffic have requested predetermined web pages from the targeted websites to overwhelm the targeted web servers. As a result of the attacks, several financial services websites, including those of Bank of America, JPMorgan Chase, MasterCard, PNC Bank, U.S. Bank, Visa, and Wells Fargo, were unavailable for periods of minutes or hours. Financial services websites have been targeted in new attacks, including previously targeted Bank of America and JPMorgan Chase and new targets PNC, SunTrust, and U.S. Bancorp.
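One way a site operator can spot the second traffic type described above, many clients requesting the same predetermined pages, is to look for paths whose request rate and client diversity both spike in a short window. This is an added example and not part of the Cisco bulletin or its Applied Mitigation Bulletin; the Common Log Format parser, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format line; regex and parser are this example's own, not Cisco's.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, client ip, path), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return (datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("path")) if m else None

def find_flooded_paths(lines, window_s=10, min_hits=5, min_sources=3):
    """Flag paths receiving min_hits requests from at least min_sources distinct
    clients inside any window_s-second sliding window. The source-count test
    separates a distributed flood from one aggressive client or crawler."""
    by_path = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ts, ip, path = rec
        by_path[path].append((ts, ip))
    flagged = {}
    for path, events in by_path.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > timedelta(seconds=window_s):
                start += 1
            sources = {ip for _, ip in events[start:end + 1]}
            if end - start + 1 >= min_hits and len(sources) >= min_sources:
                flagged[path] = (end - start + 1, len(sources))
                break
    return flagged

# Constructed sample: a burst at the login page from several clients (later hits
# returning 503) beside one client repeatedly fetching /index.html.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Mar/2013:16:29:01 +0000] "GET /online-banking/login HTTP/1.1" 200 5120
198.51.100.7 - - [26/Mar/2013:16:29:02 +0000] "GET /online-banking/login HTTP/1.1" 200 5120
203.0.113.44 - - [26/Mar/2013:16:29:03 +0000] "GET /online-banking/login HTTP/1.1" 503 0
192.0.2.77 - - [26/Mar/2013:16:29:04 +0000] "GET /online-banking/login HTTP/1.1" 503 0
203.0.113.44 - - [26/Mar/2013:16:29:05 +0000] "GET /online-banking/login HTTP/1.1" 503 0
192.0.2.5 - - [26/Mar/2013:16:29:01 +0000] "GET /index.html HTTP/1.1" 200 812
192.0.2.5 - - [26/Mar/2013:16:29:02 +0000] "GET /index.html HTTP/1.1" 200 812
192.0.2.5 - - [26/Mar/2013:16:29:03 +0000] "GET /index.html HTTP/1.1" 200 812
192.0.2.5 - - [26/Mar/2013:16:29:04 +0000] "GET /index.html HTTP/1.1" 200 812
192.0.2.5 - - [26/Mar/2013:16:29:05 +0000] "GET /index.html HTTP/1.1" 200 812
""".splitlines()
```

Running `find_flooded_paths(SAMPLE_LOG)` flags only the login page (5 hits from 4 clients); the single-client hits on /index.html fall below the source threshold and are left for ordinary rate limiting.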

On March 12, six U.S. banking institutions experienced DDoS attacks perpetrated by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters during its third phase of attacks, known as Operation Ababil Phase 3. The group claims it attacked the U.S. banking institutions because of a YouTube video deemed offensive to Muslims. These attacks are evolving, and the bot used, known as Brobot, had a significant infection rate, which could give the attackers more resources to conduct further attacks. The encrypted attacks have become more refined and, coupled with the increased infection rate of Brobot, could allow the attackers to attack multiple institutions at once. As a result, this phase could be considered more disruptive than the previous waves of attacks; however, larger banking institutions have been able to defend themselves or minimize the impact of Brobot.

Although DDoS attacks are used as an attempt to disrupt services and render websites unavailable to legitimate users, reports indicate that the Office of the Comptroller for the Currency issued a warning concerning these DDoS attacks and the possibility that they could be used to mask fraud occurring in the background.


DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services.

Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks.

Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions.

Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID   Signature Name                                            Release   Latest Release Date
1493/0         Distributed Denial of Service on Financial Institutions   S672      2012 Oct 03
 
Alert History
 

Version 3, December 13, 2012, 10:49 AM: Additional information is available regarding new attacks against financial institutions.

Version 2, October 4, 2012, 5:45 PM: Cisco Security Research Operations has released an Applied Mitigation Bulletin to address the ongoing distributed denial of service attacks.

Version 1, October 1, 2012, 4:47 PM: Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Security Activity Bulletin Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.