Since yesterday, e-mails containing an extortion attempt and the threat of a denial-of-service attack have been sent worldwide. These e-mails come from a group calling itself HACKER TEAM - Meridian Collective and were also sent to numerous DFN member institutions. Different sender and IP addresses are used.
The text of these e-mails:
PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
We are the Meridian Collective and we have chosen your website/network as target for our next DDoS attack.
1 - We checked your security system. The system works is very bad
2 - On Friday 16_06_2017_8:00p.m. GMT !!! We begin to attack your network servers and computers
3 - We will produce a powerful DDoS attack - up to 300 Gbps
4 - Your servers will be hacking the database is damaged
5 - All data will be encrypted on computers Crypto-Ransomware
4 - You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS: 1HgGf2BCRkBmJNy13oWPo267bq7Lp17Djr
5 - Do you have time to pay. If you do not pay before the attack 1 bitcoin the price will increase to 5 bitcoins
6 - After payment we will advice how to fix bugs in your system
Please send the bitcoin to the following Bitcoin address:
1HgGf2BCRkBmJNy13oWPo267bq7Lp17Djr
Once you have paid we will automatically get informed that it was your payment.
How do I get Bitcoins?
You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you to start with localbitcoins.com or do a google search.
What if I don’t pay?
If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers and make sure your website will remain offline until you pay. This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we won’t start the attack and you will never hear from us again! Please note that Bitcoin is anonymous and no one will find out that you have complied.
It can be assumed that, as in the past, these threats will not be followed by any actual attacks. The demands should therefore not be met!
If similar messages have been received at your institution, please inform us by e-mail at cert@dfn-cert.de so that we can compile a corresponding situation report and keep you directly up to date.
Update: So far, only four Bitcoin addresses have been observed worldwide:
- 14fKPXrkBdjUJZ9HPTXL45u3SmzERxQvox
- 1C6nKRo72UYxhVz7ejwHNS4pBuSbfoe1Q7
- 1HgGf2BCRkBmJNy13oWPo267bq7Lp17Djr
- 1Kj69yhhWpJaWo9s3MZW6ZztcCjeeakdFW
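Because the sender and IP addresses vary while the payment addresses recur, a mail filter can key on the Bitcoin address in the body. The following is an added example, not DFN-CERT code: it matches candidates against the four addresses listed above and, as an assumption about what is useful for the situation report, also returns unseen addresses that pass the Base58Check checksum; the names `triage` and `WATCHLIST` and the sample body are constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy address shape: leading 1 or 3, then 25-34 Base58 characters.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# The four addresses listed in the first update above.
WATCHLIST = {
    "14fKPXrkBdjUJZ9HPTXL45u3SmzERxQvox",
    "1C6nKRo72UYxhVz7ejwHNS4pBuSbfoe1Q7",
    "1HgGf2BCRkBmJNy13oWPo267bq7Lp17Djr",
    "1Kj69yhhWpJaWo9s3MZW6ZztcCjeeakdFW",
}

def base58check_ok(addr):
    """True if addr decodes to 25 bytes ending in the double-SHA-256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def triage(body):
    """Return (known, new): watchlisted addresses, and checksum-valid unseen ones."""
    known, new = [], []
    for cand in dict.fromkeys(CANDIDATE.findall(body)):  # de-duplicate, keep order
        if cand in WATCHLIST:
            known.append(cand)
        elif base58check_ok(cand):
            new.append(cand)
    return known, new

# Constructed sample body, reusing wording from the e-mail quoted on this page.
SAMPLE = (
    "We have chosen your website/network as target for our next DDoS attack.\n"
    "Please send the bitcoin to the following Bitcoin address:\n"
    "1HgGf2BCRkBmJNy13oWPo267bq7Lp17Djr\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The comparison is exact and case-sensitive, and strings that merely look like an address but fail the checksum are dropped rather than reported.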
2nd update: In the meantime the "perpetrator group" has slightly reworded the e-mail text and calls itself Xball collective or Team Xball. It can be assumed that these are the same people. Only further Bitcoin addresses have been observed in this connection.
3rd update: Team Xball now also appears under the name Collective of Amadeus with identical Bitcoin addresses. No attacks after expired ultimatums are known. We have received a report of one further Bitcoin address (Team Xball):
- 13qRaMncErReXzVBkbs6WsMJaW1iZqDu15
4th update: The copycats now call themselves collective of Mefistof and continue to use identical Bitcoin addresses:
- 13qRaMncErReXzVBkbs6WsMJaW1iZqDu15
5th update: The Polizei Niedersachsen (Lower Saxony police) has observed an identical wave, but reports the name collective of AWN-Rans. In addition, a few further Bitcoin addresses were observed.
6th update: Copycats are still copying these (empty!) threats and sending out such e-mails in bulk. At present they call themselves, for example, Voodoo Bear, Fancy Bear, Lazarus:
PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
==========================================
We are the Voodoo Bear and we have chosen your company as target for our next DDoS attack.
Please perform a google search for "Voodoo Bear" to have a look at some of our previous work.
Your network will be subject to a DDoS attack starting at 2020 November 2nd (Monday).
THIS IS NOT A JOKE, and to prove it right now we will start a small attack on www.abc.def that will last for 30 minutes.
It will not be heavy attack, at this moment.
What does this mean?
This means that your website and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation amongst your users / customers.
How to stop this?
We are willing to refrain from attacking your servers for a small fee.
The current fee is $1050(USD) in bitcoins (BTC).
The fee will increase by 1000 USD for each day after 2020 November 2nd that has passed without payment.
Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve):
1EiDK9PHtZKGD496t1eiu3yirDWMUdGgfi
You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you coinmama.com or buy.coingate.com for buying bitcoins.
Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment before the deadline (2020 November 2nd ) or the attack WILL start!
What if you don't pay?
If you decide not to pay, we will start the attack on the indicated date and uphold it until you do, there's no counter measure to this, you will only end up wasting more money trying to find a solution (Cloudflare, Sucuri, Imperva and similar services are useless, because we will hit your network directly).
We will completely destroy your reputation and make sure your services will remain offline until you pay.
We will also download your database and do as much damage as possible.
Do not reply to this email, don't try to reason or negotiate, we will not read any replies.
Once you have paid we won't start the attack and you will never hear from us again.
Please note that Bitcoin is anonymous and no one will find out that you have complied.
-- Voodoo Bear team
As before, no attacks whatsoever after expired ultimatums are known!
We also point out once more our basic DoS protection (DoS-Basisschutz), which participants in the DFNInternet service can use at no additional charge; a description of this service can be found in the DFN Mitteilungen.