Attack and Defense
On the night of May 28, 2015, NSFOCUS obtained information that Anonymous intended to launch an operation against China (OpChina) on May 30, apparently in reaction to the recent international situation. Once disclosed, the news drew wide attention. Drawing on its knowledge of earlier attacks by this group against China and years of experience in handling them, the NSFOCUS Threat Response Center (TRC) prepared for the expected attack. This article analyzes the operation and presents a targeted set of countermeasures.
Attack: Anonymous and #OpChina
Anonymous is a loosely organized hacker collective: anyone can claim to act on its behalf or as one of its members. It has its own websites, and members coordinate over Internet Relay Chat (IRC). Most attacks attributed to Anonymous are distributed denial-of-service (DDoS) attacks against government websites, well-known corporate websites, and religious websites. From its inception, Anonymous has had a strongly political character.
Anonymous generally runs an operation in three phases: recruiting and communications, reconnaissance and application-layer attacks, and DDoS. Because of its loose organization, Anonymous typically uses a hashtag to identify a planned operation during the recruiting and communications phase. #OpChina appeared on Twitter as early as 2011, and a Facebook account named Operation China was later created to organize attacks against China. Similar hashtags include #OpSony in 2011 and #OpSyria in 2013.
Anonymous has in fact never stopped attacking Chinese targets. In April 2015, following events in Hong Kong, a number of Chinese government and public-sector websites, including that of the Hunan Police Academy, were attacked. In October 2014, an attack launched in support of the Hong Kong protests affected government-related websites, including that of the Hong Kong Brands and Products Expo (HKBPE). In May 2012, Anonymous attacked a set of Chinese government websites, claiming to have compromised more than 400 sites, disrupted their web servers, and stolen user data from some of them. The operation discussed here is another attack against China, launched on May 29 under the #OpChina hashtag.
DDoS and Web Page Defacement
By 24:00 on May 30, the information obtained showed known attack sources in Japan, the Philippines, and Vietnam, and the attacks had taken the form of DDoS and web page defacement. NSFOCUS has extensive experience with both types of attack.
Most large-scale DDoS attacks occur between 18:00 and 23:00, the period of heaviest network traffic, when an attack has the greatest effect. Given the concentration of IT companies in China, first-tier cities such as Beijing, Shanghai, and Guangzhou are the usual targets, as shown in the 2014 NSFOCUS DDoS Threat Report. As of this writing, however, we have not detected any large-scale DDoS attacks in these cities.
Web Page Defacement
Historically, web page defacement is carried out in one of two ways: by taking control of the web server through an exploitable vulnerability and modifying its content directly, or by diverting visitors without touching the server at all, through cross-site scripting (XSS), DNS hijacking and cache poisoning, or ARP spoofing. In the second case visitors are tricked into loading a page other than the one they requested.
NSFOCUS TRC draws its information from real-time threat monitoring, the NSFOCUS security team, and the service teams of the various product lines. Through continuous communication and collaboration we have found that our 200+ VIP customers have generally fared well, and their 2306 websites have been free of this attack. We will continue to work closely with customers as the event develops.
Locations covered by the preceding data are distributed as follows (the geographic distribution figure is not reproduced here).
Protection: Management Authorities
To prepare for the Anonymous operation, CNCERT/CC and other security management authorities responded immediately. On May 29, NICNIS issued a notification to all related organizations requiring technical support service providers to monitor networks around the clock and requiring the organizations themselves to tighten security monitoring of critical information systems and websites.
The management authority issued a prompt notification about the attack, and the media immediately reported on it. In the meantime, users began monitoring and protecting their business environments with their own security systems or with devices purchased from security vendors; others came to us for information and ongoing technical support. Users who have not yet done so are advised to set up a web page defacement monitoring and protection mechanism as soon as possible.
Web page defacement of the kind seen in this attack can be monitored in real time by several NSFOCUS products. Take the NSFOCUS Web Security Monitoring System (WSM) as an example. When many websites must be assessed, WSM serves as a unified monitoring platform that operates 24/7: it scans for vulnerabilities, web page trojans, and sensitive content, detects web page defacement and domain name hijacking, and checks availability, which improves security risk management across the whole website estate.
WSM detects defacement not only with watermarking, the commonly used technique, but also by analyzing each target page and extracting and recording a signature for it. Page signatures are stored in a database; by comparing the stored signature with the page as currently served, WSM can distinguish normal content updates from tampering.
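As an added illustration of the signature approach (example code written for this article, not WSM's implementation), the Python below builds a structural signature of a page from its tag sequence, external script sources, hashes of inline script bodies and the hosts it links to, stores that as the baseline, and compares later fetches against it. Editorial changes such as a new date or headline leave the signature alone; an injected script or a link to an attacker-controlled host does not. The sample pages, the site host name www.example.gov, the attacker host evil.example and the similarity threshold are all constructed for the example.

```python
import difflib
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SignatureParser(HTMLParser):
    """Collects the parts of a page an attacker must change to deface it."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.tags = []              # tag sequence, i.e. the DOM skeleton
        self.scripts = []           # external script URLs
        self.inline_js = []         # SHA-256 of each inline <script> body
        self.foreign_hosts = set()  # hosts referenced by href/src/action
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.tags.append(tag)
        if tag == "script":
            if attrs.get("src"):
                self.scripts.append(attrs["src"])
            else:
                self._in_script, self._buf = True, []
        for name in ("href", "src", "action"):
            url = attrs.get(name)
            if url:
                host = urlparse(url).netloc
                if host and host != self.own_host:
                    self.foreign_hosts.add(host)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline_js.append(hashlib.sha256(body).hexdigest())
            self._in_script = False


def page_signature(html, own_host):
    """Return the signature dict that would be stored in the baseline database."""
    p = _SignatureParser(own_host)
    p.feed(html)
    p.close()
    return {
        "tags": p.tags,
        "scripts": sorted(p.scripts),
        "inline_js": sorted(p.inline_js),
        "foreign_hosts": sorted(p.foreign_hosts),
    }


def compare(baseline, current, min_structure_similarity=0.9):
    """Return a list of findings; an empty list means the change is benign.

    Text edits do not alter the tag sequence, and a templated page that gains
    or loses a few elements still scores above the (assumed, per-site tunable)
    similarity threshold. Anything new among external scripts, inline script
    bodies or foreign hosts is always reported."""
    findings = []
    ratio = difflib.SequenceMatcher(None, baseline["tags"], current["tags"]).ratio()
    if ratio < min_structure_similarity:
        findings.append(f"DOM structure changed (similarity {ratio:.2f})")
    for key in ("scripts", "inline_js", "foreign_hosts"):
        added = sorted(set(current[key]) - set(baseline[key]))
        if added:
            findings.append(f"new {key}: {added}")
    return findings


# Constructed sample pages for a site served from www.example.gov.
HOST = "www.example.gov"
BASELINE_HTML = """<html><head><title>City News</title>
<script src="/static/app.js"></script></head>
<body><h1>City News</h1><p id="date">2015-05-29</p>
<ul><li><a href="/news/1">Budget approved</a></li>
<li><a href="/news/2">Road closure</a></li></ul>
<a href="http://www.example.gov/contact">Contact</a>
</body></html>"""
# Normal editorial update: only text changed.
UPDATED_HTML = BASELINE_HTML.replace("2015-05-29", "2015-05-30").replace(
    "Road closure", "Water outage")
# Defacement: attacker injects an external script and an inline payload.
DEFACED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="http://evil.example/x.js"></script>'
    '<script>document.title="HACKED"</script></body>')


def check_site():
    """Compare the two later fetches against the stored baseline."""
    baseline = page_signature(BASELINE_HTML, HOST)
    return {
        "updated": compare(baseline, page_signature(UPDATED_HTML, HOST)),
        "defaced": compare(baseline, page_signature(DEFACED_HTML, HOST)),
    }


if __name__ == "__main__":
    for name, findings in check_site().items():
        print(name, "->", findings or "no tampering detected")
```

The structure check is deliberately tolerant, because a news site adds and removes list items every day; the script and foreign-host checks are strict, because those are what a defacer or a drive-by download needs. In practice the baseline must be refreshed whenever the site is legitimately redeployed, and the check should be run from outside the site's own network so that DNS hijacking and ARP spoofing, which never touch the server, are also caught.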
In large enterprises and organizations, protection against Anonymous attacks may not be put in place as quickly as expected, because of the following factors:
- Availability of the business system
- Formulation of an overall implementation solution
- How to minimize the negative impact of security enhancements on the business environment
In this situation the enterprise, the vendor of the vulnerable system, and the security vendor should work together to quickly agree on a safe and effective action plan that protects the business system until the enhancement is in place.
In addition, some small websites are unable to respond promptly. They may know which vulnerabilities their sites have and which threats they face, but can do little about it with the limited resources and technical support available to them.
Protection: Security Vendors
So far, the data in hand shows that large and medium-sized customers in first-tier cities were hardly affected by this attack; occasional reports came from second- and third-tier cities.
Check on the Cloud
In response to this attack, NSFOCUS's security team asked users to provide their website domain names so that, with the user's authorization, NSFOCUS security experts could monitor the sites remotely around the clock. When a customer's website was found to carry a security risk, the security team notified the customer promptly and provided a professional remediation plan. NSFOCUS also produces periodic assessment reports so that customers can follow the security status and trend of their websites. If your business environment is exposed to attack, use the NSFOCUS Client Portal for security monitoring.
Protection Against the Anonymous Operation
Once the facts of the Anonymous operation are known, the next steps are clear. Based on the preceding information, users need to act promptly: fix vulnerabilities, deploy DDoS protection, and protect applications. We also provide a suite of solutions from which customers can build a comprehensive protection system.
During this operation we also observed attacks that exploited system vulnerabilities. Experience shows that recently disclosed vulnerabilities are the most likely to be exploited, and Anonymous members actively collect and share exploitation methods through various channels. Users should therefore pay prompt attention to, and patch, recently reported vulnerabilities.
In terms of the number of bulletins released in the past week, IBM topped the list of vendors/projects with 16 bulletins, followed by Wireshark (9), Linux (8), HP (6), and Aruba Networks (6). According to NSFOCUS Network Security Threat Weekly, the following recently disclosed critical vulnerabilities deserve attention:
- 2015/05/25: PHP PHAR 'phar_tar_process_metadata()' Function Heap Memory Corruption Vulnerability (CVE-2015-3307). An attacker can exploit this issue to execute arbitrary code in the context of the affected application.
- 2015/05/26: Vulnerability in a Website of Wanda's E-Commerce Sector Affects Personal Data of 46 Million Users.
- 2015/05/26: SQL Injection Vulnerability in the Website of Nanyang Municipal Public Security Bureau, Traffic Police Detachment Allows Information Disclosure.
- 2015/05/26: Injection in the Yimutian Online Shopping Website May Lead to Information Disclosure, affecting more than 5 million users and more than 6 million businesses.
Anti-DDoS products or traffic-cleaning services, once deployed, can effectively protect websites from DDoS attacks. Take the NSFOCUS Anti-DDoS System (ADS) as an example. It handles common DDoS attacks at the network, transport, and application layers, such as SYN flood, UDP flood, UDP DNS query flood, (M)Stream flood, ICMP flood, HTTP GET flood, and connection exhaustion attacks. Its other functions include abnormal traffic detection, attack protection, device management, report generation, and value-added operations. It can be deployed in in-path, in-path cluster, out-of-path, and out-of-path cluster modes to suit different business needs; in out-of-path mode, ADS supports several routing protocols for traffic diversion and reinjection, so it can be used even in complex network environments.
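To make the first attack in that list concrete, here is an added example (written for this article, not ADS code) of the half-open-connection check that distinguishes a SYN flood from a burst of real visitors. It walks TCP packet records for one victim address, counts SYNs per one-second window, credits each handshake-completing ACK back to the window of its SYN, and flags windows where many SYNs arrived but few handshakes completed. The packet records, the victim address 203.0.113.10, the thresholds and the window size are constructed for the example.

```python
from collections import defaultdict

TARGET = "203.0.113.10"   # constructed victim address (TEST-NET-3)


def detect_syn_flood(packets, dst, window_ms=1000, syn_threshold=100,
                     max_completion_ratio=0.2):
    """Flag windows in which many SYNs arrive but few handshakes complete.

    packets: iterable of (ts_ms, src, dst, flags) records, flags a set of TCP
    flag names. A SYN without ACK opens a pending handshake for src; the
    client's bare ACK that completes it is credited to the window of its SYN.
    Returns [(window_start_ms, syn_count, completed_count)] for flood windows.
    The thresholds are assumed values and must be tuned per link."""
    windows = defaultdict(lambda: {"syn": 0, "done": 0})
    pending = {}  # src -> window index of its unanswered SYN
    for ts, src, pdst, flags in sorted(packets, key=lambda p: p[0]):
        if pdst != dst:
            continue
        if "SYN" in flags and "ACK" not in flags:
            idx = ts // window_ms
            windows[idx]["syn"] += 1
            pending[src] = idx
        elif "ACK" in flags and "SYN" not in flags and src in pending:
            windows[pending.pop(src)]["done"] += 1
    alerts = []
    for idx in sorted(windows):
        w = windows[idx]
        if w["syn"] >= syn_threshold and w["done"] / w["syn"] < max_completion_ratio:
            alerts.append((idx * window_ms, w["syn"], w["done"]))
    return alerts


def build_sample():
    """Constructed traffic: three seconds with 20 real clients per second that
    complete the handshake, plus 500 spoofed SYN-only sources in second two."""
    packets = []
    for i in range(60):
        ts = i * 50                          # one real client every 50 ms
        src = f"192.0.2.{i % 250 + 1}"       # TEST-NET-1 addresses
        packets.append((ts, src, TARGET, {"SYN"}))
        packets.append((ts + 30, src, TARGET, {"ACK"}))
    for i in range(500):
        ts = 1000 + (i * 9) // 5             # spread over 1000..1898 ms
        src = f"198.51.100.{i % 250 + 1}"    # TEST-NET-2, spoofed sources
        packets.append((ts, src, TARGET, {"SYN"}))
    return packets


if __name__ == "__main__":
    for start, syns, done in detect_syn_flood(build_sample(), TARGET):
        print(f"window {start} ms: {syns} SYNs, {done} completed -> SYN flood")
```

The completion ratio, not the raw SYN count, is what separates a flood from a flash crowd: real visitors finish the handshake, spoofed sources never do. A production detector would read NetFlow or a packet capture rather than an in-memory list, would key pending handshakes on the full (src, sport) tuple, and would only be one input to mitigation such as SYN cookies or diverting the prefix to a cleaning device.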
Besides ADS, a web application firewall (WAF) further protects website applications. For a web page defacement event, NSFOCUS WAF provides an online protection solution with both in-process protection and post-event remediation. During the event, WAF filters in real time the attack traffic used for defacement (SQL injection, XSS, and so on) mixed into HTTP requests. After the event, WAF automatically monitors the integrity of every page of a monitored website; when it detects that a page has been tampered with, it immediately alerts the administrator by SMS and at the same time serves the original, pre-defacement page so that visitors still see the intended content. In addition, HWAF can be deployed for real-time website protection; once it detects defacement, it restores the previous page within seconds.
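The in-process part of that description, filtering injection and XSS payloads out of HTTP requests, is shown below as an added example written for this article; it is not the NSFOCUS WAF rule set. The point it makes is that the rules are only as good as the normalization in front of them: each query and form parameter is percent-decoded until it stops changing, so a payload hidden behind double encoding is seen in the same form as a plain one. The rules, sample requests and parameter names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed illustrative rules, not the NSFOCUS WAF rule database.
RULES = [
    ("sqli", re.compile(
        r"(?i)(\bunion\b.{0,40}\bselect\b"      # UNION ... SELECT
        r"|'\s*or\s*'?\d+'?\s*=\s*'?\d+"        # ' OR '1'='1
        r"|;\s*(drop|delete|update)\b"          # stacked statements
        r"|--\s*$)")),                          # trailing comment
    ("xss", re.compile(
        r"(?i)(<\s*(script|iframe|img|svg)\b"   # injected elements
        r"|javascript\s*:"                      # javascript: URLs
        r"|\bon[a-z]+\s*=)")),                  # inline event handlers
]


def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (defeats double encoding),
    then collapse whitespace so tabs or newlines cannot split a keyword.
    unquote (not unquote_plus) is used because parse_qsl already turned '+'
    into spaces; decoding '+' again would corrupt literal plus signs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)


def inspect_request(method, target, body=""):
    """Return [(location, rule_name)] for every field that matches a rule.

    The path, each query parameter and (for POST) each form parameter are
    normalized and inspected separately, so a payload inside one parameter
    is found even when the rest of the request looks ordinary."""
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    fields += [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method == "POST" and body:
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    hits = []
    for location, raw in fields:
        value = normalize(raw)
        for name, pattern in RULES:
            if pattern.search(value):
                hits.append((location, name))
    return hits


# Constructed sample requests.
SAMPLE_REQUESTS = [
    ("GET", "/news.php?id=12", ""),
    ("GET", "/news.php?id=12%27%20OR%20%271%27%3D%271", ""),                 # encoded once
    ("GET", "/news.php?id=12%2527%2520OR%2520%25271%2527%253D%25271", ""),  # encoded twice
    ("POST", "/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET", "/search?q=rain+or+shine", ""),                                  # benign text
]


def run_samples():
    return [inspect_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, hits in zip(SAMPLE_REQUESTS, run_samples()):
        print(req[0], req[1], "->", "BLOCK " + str(hits) if hits else "pass")
```

Signature rules of this kind are easy to evade (SQL comments inside keywords, case and whitespace tricks, JSON bodies the filter never parses) and produce false positives on legitimate text, which is why a real WAF normalizes far more aggressively and combines signatures with protocol validation and, for defacement specifically, the post-event integrity check described above. The example is meant to show where the decoding step sits, not to be a complete rule set.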
NSFOCUS product users are advised to update the rule database as soon as possible. NSFOCUS has provided rule update packages in the software upgrade bulletin. The rule database can be updated online through the web-based manager; if you cannot install the rule update package online for the time being, locate the product on the software upgrade page, download the package, and install it to update the rule database offline. Please visit:
- http://www.nsfocus.com.cn/1_solution/1_2_1.html for information about security products.
- http://update.nsfocus.com/ for product upgrade information.
Like other cyber attacks, this Anonymous operation is ultimately a contest between people. NSFOCUS Security Cloud provides customers with professional, rapid, and efficient security assurance around the clock and delivers a managed security operations solution for Internet websites. Built on website access monitoring, it gives customers end-to-end website security operations before, during, and after a security event.
We Are Watching
For operations such as OpChina, the key is to obtain the relevant information promptly so that the emergency response mechanism can be triggered as early as possible. This applies equally to conventional security threats and to advanced persistent threats (APTs). How well a vendor obtains and responds to threat intelligence is, to some extent, a measure of its protection capability. A threat intelligence service system consists of at least threat monitoring and response, data analysis and curation, intelligence production and delivery, risk assessment and consultancy, and security hosting and application, spanning research, products, services, operations, and marketing. Through an emergency response system covering research, cloud, products, and services, NSFOCUS promptly provides enterprises and organizations with threat intelligence and follow-up services on Anonymous attacks, helping to ensure business continuity.
- NSFOCUS Web Security Monitoring System, http://www.nsfocus.com.cn/products/details_36_9.html
- NSFOCUS Network Security Threat Weekly, No. 201522