Operation PowerOFF has forced Webstresser, a cyber-attack-for-hire site, offline. Webstresser is credited with being involved in over four million cyber attacks across the globe. Taking it offline is a major blow to a number of cybercrime gangs, who will now need to find an alternative tool.
Law enforcement in several countries collaborated in the takedown. They arrested key personnel behind the site and took control of servers. Visitors to the site were presented with a screen saying that the site had been seized.
What did Webstresser do?
Webstresser is one of a number of solutions that offer what appears to be a legitimate service for website testing. They offer testing teams the ability to funnel large amounts of traffic at a site to see how it performs. Stress testing, as it is known, is a legitimate testing approach. However, this was simply a front to allow criminals to rent a service to attack businesses.
At the heart of the service is a botnet: a group of computers infected with malware and under the control of the hackers. On command, these machines connect to the Internet and start sending data to the target website. The volume of traffic grows to the point where the website is unable to function and is forced off the Internet. This has serious consequences for the business concerned. If that business is using shared facilities in a hosting or cloud site, other websites will also be affected by the attack.
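The traffic pattern described above has a recognisable shape in a web server's own logs: a sudden jump in requests per second, with that load spread across many source addresses rather than one. The script below is an added illustration of detecting that pattern, not code from the article or from any of the companies quoted in it. It assumes logs in Common Log Format; the log lines, the rate threshold of 20 requests per second and the minimum of 5 distinct sources are constructed for the example and would be tuned to a real site's baseline.

```python
"""Detect a volumetric flood (the traffic pattern a rented botnet produces)
from web-server access logs.  Added illustration; the log lines and
thresholds below are constructed for the example, not taken from any
real incident."""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format line, e.g.
# 203.0.113.5 - - [25/Apr/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (timestamp, source_ip) or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(1)


def bucket_by_second(lines):
    """Group requests into one-second windows: epoch_second -> {ip: count}."""
    windows = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        ts, ip = parsed
        windows[int(ts.timestamp())][ip] += 1
    return windows


def detect_flood(lines, rate_threshold=20, min_sources=5):
    """Flag one-second windows whose request count reaches rate_threshold.

    A flagged window is labelled 'distributed' when at least min_sources
    distinct addresses contribute (the many-machines signature of a botnet),
    otherwise 'single-source'.  Returns a list of
    (epoch_second, requests, distinct_sources, label) tuples.
    """
    alerts = []
    for sec, per_ip in sorted(bucket_by_second(lines).items()):
        total = sum(per_ip.values())
        if total < rate_threshold:
            continue
        label = "distributed" if len(per_ip) >= min_sources else "single-source"
        alerts.append((sec, total, len(per_ip), label))
    return alerts


def build_sample_log():
    """Constructed sample: one quiet second with two ordinary visitors,
    then one second in which twenty-five 'bot' addresses each make two
    requests (documentation ranges 192.0.2.0/24 and 198.51.100.0/24)."""
    base = '{ip} - - [25/Apr/2018:10:00:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [base.format(ip="198.51.100.10", s=0),
             base.format(ip="198.51.100.11", s=0)]
    for i in range(25):
        bot = f"192.0.2.{i + 1}"
        lines += [base.format(ip=bot, s=1)] * 2
    return lines


if __name__ == "__main__":
    for sec, n, srcs, label in detect_flood(build_sample_log()):
        print(f"t={sec}: {n} req/s from {srcs} sources ({label})")
```

The distinction between the two labels matters for response: a single-source spike can be answered with an address-level block, whereas a distributed one is the case that needs upstream filtering or a scrubbing provider, since blocking sources one at a time does not keep pace with a botnet.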
Webstresser allowed cybercriminals to rent its botnet for as little as $14.99 to launch attacks. There was no requirement for the attackers to have any cyber knowledge. All they required was the details of the target site and the means to pay.
As part of this investigation, UK police raided a house in Bradford. The details they seized, including computers, hard disks and access to other accounts on the Internet, provided information about attacks on UK banks in 2017. Analysis of that information pointed to the Netherlands as the location of the Webstresser infrastructure.
All of this led to the action by police from several countries across multiple continents that shut down the malware site.
What does the industry think?
Unsurprisingly, security companies have been quick to respond to the news.
Andrei Barysevich, Director of Advanced Collection and dark web expert at Recorded Future comments: “Portrayed as legitimate services, “stressors” are designed to assist security engineers in testing the resilience of corporate servers against extreme traffic loads, and often explicitly prohibit any illegal use. In reality, such policies are just a facade, designed to create the appearance of legitimacy.
“For instance, alongside other similar services, Webstresser has been openly operating in the darknet since 2015 and was a commonly recommended solution for turn-key DDoS attacks. The takedown by the international law enforcement is a powerful statement to all cybercriminals and a step in the right direction, however, with more than 50 underground DDoS vendors, I am afraid the problem is not likely to be solved any time soon.”
Another comment came from Ross Rustic, senior director, intelligence services, Cybereason. Rustic said: “The recent takedown of webstresser is another example of the transnational nature of cyber crime. Despite one of the larger crimes associated with the website and their operators being against banks in London, the raids to shut down this operation took place on two continents and involved six countries and at least seven agencies.
“The amount of coordination it took to take a single grey market DDoS provider offline demonstrates the uphill battle national level law enforcement faces when attempting to disrupt even relatively unsophisticated threat actors. Without greater coordination and agreement on malicious activity, law enforcement will always be fighting with one hand held behind their back.”
What does this mean?
It is interesting that the key criminal infrastructure was identified as being in the Netherlands. Earlier this month the Insikt Team, part of Recorded Future, called out IoTroop. This is another botnet that pretends to be a legitimate stress test site. The Dutch Team High Tech Crime (THTC) arrested a hacker known as Jelle S for using this botnet in attacks against banks and government institutions. However, they later accepted his claim that he was simply a user and not the operator of IoTroop.
With both Webstresser and IoTroop operating in the same space, attention will now shift to IoTroop and other ‘stressor’ malware. Law enforcement will be trawling through records to see if they can find evidence of overlap or even coordination between these tools. It is also likely that IoTroop will step up its sales in order to fill the gap left by Webstresser.
DDoS attacks continue to grow both in number and size. Many are used as distraction attacks, allowing hackers to infiltrate systems while the defenders are looking elsewhere. The takedown of Webstresser will, at best, provide only temporary relief from this kind of attack. It is important that organisations use this temporary relief to strengthen their defences against DDoS attacks.