Category: Adversary Intelligence
Industry: Banking & Finance
Motivation: Hacktivism
Region: Middle East
Source*:
B - Usually reliable
2 - Probably true
Executive Summary
On 21 May 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered the threat actor group Anonymous Sudan claiming responsibility for disrupting the services of the First Abu Dhabi Bank website and application. The attack was conducted in the context of the UAE’s geopolitical stance and its support for the Rapid Support Forces. Additionally, discussions in the group suggest that such DDoS attacks in the UAE will continue and escalate.
Affected Entities
The threat actor group, Anonymous Sudan, shared a screenshot of the First Abu Dhabi Bank (FAB) application under system maintenance, claiming responsibility for taking down both the FAB website and application.
FAB Website targeted with DDoS
First Abu Dhabi Bank : https://bankfab.com/en-ae/personal
FAB Mobile Banking : Google Play Store URL
TTP (Tactics, Techniques, and Procedures)
The group has shown three main attack vectors so far; of the three, DDoS attacks are by far the most common. The attack vectors are:
1. Defacement Attacks: Defacement (T1491.001: Internal Defacement, T1491.002: External Defacement)
- The hacktivist group modifies websites and adds images and videos promoting their cause, along with names and account IDs, which violates the integrity of the webpage and the domain.
2. DDoS Attacks: Network Denial of Service (T1498.001: Direct Network Flood, T1498.002: Reflection Amplification)
- The hacktivist group conducts DDoS attacks on organizations to disrupt or shut down their online operations, causing inconvenience or damage to those operations.
- DDoS has been the most employed attack vector for the group.
- IOCs for the DDoS attacks are listed in the IOC section below.
3. Compromise Accounts (T1586.002: Email Accounts)
- In some observed instances, the group has compromised accounts of users of the targeted entities. This is likely accomplished through credential stuffing, which uses compromised credential data openly available from various sources on dark web forums and Telegram channels.
- This technique involves the automated injection of previously breached username and password combinations into login pages in order to gain unauthorized access to the accounts of the organization's users.
Information on the Group
- The group “Anonymous Sudan” has been observed to conduct DDoS attacks and breach multiple public and government organizations since January 2023.
- They identify themselves as Sudanese hacktivists with political motivations.
- The group has been seen actively participating in attacks initiated by Killnet as it claims to be a part of Killnet.
- Multiple large and well-known Russian hacktivist groups were observed promoting Anonymous Sudan in their private and public Telegram channels.
- A representative of Anonymous stated that Anonymous Sudan is not Anonymous and that there is no connection between them.
A source mentioned that Anonymous Sudan uses a cluster of 61 paid servers hosted in Germany to generate the traffic volume required for a DDoS attack.
Threat Actor Activity and Rating
IOCs (Indicators of Compromise)
Impact & Mitigation
Impact
- DDoS can leave websites more vulnerable as some security features may be offline due to the attack.
- Damaged infrastructure can cause the collapse of services provided by the website.
- Websites become vulnerable to further attacks.
- Degraded or inconsistent service for users accessing affected websites and resources.
Mitigation
- Deploy load balancers to distribute traffic.
- Enable rate-limiting mechanisms.
- Configure firewalls and routers to filter and block traffic.
- Utilize content delivery networks (CDNs) to distribute traffic.
- Implement bot-detection technologies and algorithms to identify large-scale web requests from botnets employed by actors to conduct DDoS attacks.
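As an added, defender-side illustration of the rate-limiting and bot-detection controls listed above (example code, not part of the CloudSEK advisory): a sliding-window detector over constructed access-log lines that flags the two patterns the TTP section attributes to the group, volumetric request floods from one source (T1498.001) and credential stuffing against a login endpoint (T1586.002). The log format, IP addresses, thresholds and window size are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Thresholds and window are assumptions for illustration, not values from the report.
FLOOD_THRESHOLD = 20      # requests from one source IP within the window
STUFFING_THRESHOLD = 5    # distinct usernames failing login from one IP within the window
WINDOW_SECONDS = 10


def parse_line(line):
    """Parse a constructed log line: '<ip> <ISO time> <method> <path> <status> [<user>]'."""
    ip, ts, _method, path, status, *rest = line.split()
    user = rest[0] if rest else None
    return ip, datetime.fromisoformat(ts), path, int(status), user


def _expire(window_q, now, window, key=lambda item: item):
    """Drop entries older than the window (log lines are assumed to be in time order)."""
    while window_q and (now - key(window_q[0])).total_seconds() > window:
        window_q.popleft()


def detect(log_text, window=WINDOW_SECONDS):
    """Return {'flood': {ips}, 'stuffing': {ips}} using per-IP sliding windows."""
    requests = defaultdict(deque)       # ip -> recent request timestamps
    failures = defaultdict(deque)       # ip -> (timestamp, username) of recent failed logins
    flood, stuffing = set(), set()
    for line in log_text.splitlines():
        ip, now, path, status, user = parse_line(line)
        requests[ip].append(now)
        _expire(requests[ip], now, window)
        if len(requests[ip]) >= FLOOD_THRESHOLD:
            flood.add(ip)                                   # T1498.001-style volume
        if path == "/login" and status == 401 and user:
            failures[ip].append((now, user))
            _expire(failures[ip], now, window, key=lambda item: item[0])
            if len({u for _, u in failures[ip]}) >= STUFFING_THRESHOLD:
                stuffing.add(ip)                            # many accounts, one source


    return {"flood": flood, "stuffing": stuffing}


def build_sample_log():
    """Constructed sample traffic: one flooding IP, one stuffing IP, one ordinary user."""
    lines = [f"203.0.113.5 2023-05-21T10:00:{i // 5:02d} GET / 200" for i in range(25)]
    lines += [f"198.51.100.7 2023-05-21T10:00:{i:02d} POST /login 401 user{i}" for i in range(6)]
    lines += ["192.0.2.9 2023-05-21T10:00:01 POST /login 401 alice",
              "192.0.2.9 2023-05-21T10:00:03 POST /login 200 alice"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

The ordinary user's single failed login is counted but never reaches the distinct-username threshold, so only the two abusive sources are flagged.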