This week’s cyber-attack on the New Zealand Exchange (NZX) resulted in severe outages and trading being halted for hours. Brokers and businesses have been left in the dark as NZX and its service provider Spark have yet to clarify any motivation behind the attack and whether demands have been made by the still unconfirmed adversaries.
NZX declared on Tuesday that trading needed to be halted because of an attack known as a volumetric Distributed Denial of Service (DDoS). This is where a server is overloaded to prevent access by legitimate users. This type of attack is well-known and quite basic, and doesn’t involve any data exfiltration. But fears that it could now be used for extortion – like a new form of Ransomware – mean that this type of attack could be extremely damaging to organisations beyond just an inconvenience.
Richard Groves, director of security research at A10 Networks, a company that focuses primarily on DDoS detection, mitigation and research, says the threat is more potent than organisations realise.
“Oftentimes there is an old list of exploits that an attacker keeps abreast of in terms of new remote code executions (RCEs) that are capable for different devices, different code that’s out there… So they pepper the internet with exploits hoping for something that will download their exploit as a part of their bot net.”
Whether Fancy Bear were the perpetrators or not, the attack shows that they employed a volumetric DDoS to break links to the service provider Spark. NZX officially stated that it was experiencing network connectivity issues after the first attack. In reality, at the time of writing, the attack has taken the NZX down for four days in a row.
Although NZX is a private company, New Zealand Finance Minister Grant Robertson expressed the government’s concern over the matter and pledged its support in helping NZX recover from the attack.
However, protecting against a severe volumetric DDoS attack is not easy. The attack on NZX adds credence to the idea that cybercriminals have more than one type of attack method.
“So, for one example, they [cybercriminals] have amplification attacks, where you can send a small packet and get a whole bunch of data flying back that’s reflected to the victim. Usually, that’s how they generate so much data,” said Groves.
“In some cases, you get attacked first and these people know where your infrastructure is at this point,” he continued. “Even if your application has moved, say to the cloud, there had to be some conversation with the place you have moved your application to. And that’s already exposed.”
DDoS attacks can also serve as a smokescreen for cybercriminals targeting higher-value data, such as bank accounts. Beyond the initial attack, NZX and the New Zealand government should guard against the possibility of peripheral data being stolen.
“They have not just utilised a volumetric attack to break the provider’s links,” said Groves, “but also things that are more complex.
“But there are some best practices that can be done to help. There are ways to utilise your own network infrastructure – routers, switches and devices – that are purpose-built for DDoS attack mitigation.
“I feel like an old man when I say this, but the tried and trusted methods at least give you some understanding of this type of attack. Routers are capable of exporting some amount of data with NetFlow, a protocol that gives you some understanding of flows within your network.” Groves made the point that by tracking the data flows within a network, it is easier to identify SYNs (part of a 3-way TCP/IP handshake) coming into a network without any data attached to them. This abnormal behaviour is usually a strong indication of a DDoS attack.
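The NetFlow-based check Groves describes, written out as an added example that is not from the article or from A10 Networks: it groups constructed flow records by destination and flags hosts that are receiving bare SYNs (SYN set, never an ACK, header-sized packets) from an unusually large number of sources. The record fields, the 64-byte size cut-off and the thresholds of 50 sources and 80% SYN-only flows are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in a NetFlow record's tcp_flags field.
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01

@dataclass
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    tcp_flags: int  # OR of every flag bit seen during the flow
    packets: int
    bytes: int

def is_syn_only(f: Flow) -> bool:
    """True for a flow that only ever carried bare SYNs: TCP, SYN set, ACK
    never set, and an average packet size consistent with a header-only segment."""
    return bool(f.proto == 6 and f.tcp_flags & SYN and not f.tcp_flags & ACK
                and f.bytes // max(f.packets, 1) <= 64)

def find_syn_floods(flows, min_sources=50, min_ratio=0.8):
    """Group TCP flows by destination and report destinations where most inbound
    flows are SYN-only and those SYNs come from at least min_sources addresses."""
    per_dst = defaultdict(lambda: {"tcp": 0, "syn_only": 0, "sources": set()})
    for f in flows:
        if f.proto != 6:        # NetFlow also exports UDP/ICMP; ignore them here
            continue
        d = per_dst[f.dst]
        d["tcp"] += 1
        if is_syn_only(f):
            d["syn_only"] += 1
            d["sources"].add(f.src)
    return {dst: {"tcp": d["tcp"], "syn_only": d["syn_only"], "sources": len(d["sources"])}
            for dst, d in per_dst.items()
            if len(d["sources"]) >= min_sources and d["syn_only"] / d["tcp"] >= min_ratio}

def constructed_flows():
    """Constructed sample data (documentation address ranges): 200 single-SYN flows
    from distinct sources to one host, a handful of normal sessions to the same host,
    normal sessions to a second host, and one UDP flow that must be skipped."""
    flood = [Flow(f"198.51.100.{i}", "192.0.2.10", 6, SYN, 1, 60) for i in range(1, 201)]
    normal = [Flow(f"203.0.113.{i}", "192.0.2.10", 6, SYN | ACK | PSH | FIN, 40, 30000)
              for i in range(1, 6)]
    other = [Flow(f"203.0.113.{i}", "192.0.2.20", 6, SYN | ACK | PSH | FIN, 25, 18000)
             for i in range(10, 30)]
    return flood + normal + other + [Flow("203.0.113.50", "192.0.2.20", 17, 0, 3, 300)]

if __name__ == "__main__":
    print(find_syn_floods(constructed_flows()))
```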
One mitigation option is to route the attack traffic into a ‘black hole’. However, this often compounds the attack, because the victim’s servers are taken offline along with the malicious traffic. There are also subscription services that keep applications running safely by continuously measuring availability and latency.
Though unconfirmed, it has been reported that NZX will be moving its domain to Akamai Technologies to obtain this protection, something that its current service provider Spark cannot offer on its own. This move has led some to suggest that NZX is engaged in a modern arms race with an organised cyber-criminal group.
As Groves suggests, the international cyber security community seeks to collaborate against cybercriminal attacks and protect important systems and organisations. Indeed, a global cooperative effort between governments and law enforcement agencies is arguably the best deterrent for future cybercriminal activities.
Trading on the NZX Main Board, NZX Debt Market and Fonterra Shareholders’ Market continues to be available only intermittently. By 1pm Thursday 27th August, the main NZX 50 index had fallen 0.24%. If the attack continues to impede NZX, however, confidence in the exchange could wane, with serious knock-on effects. This is a cyberspace worth watching.