Friday, October 22, 2021

Canadian VoIP provider held for ransom by DDoS attack

A Canadian voice-over-IP provider called VoIP.ms is being held to ransom by what it called a “massive” and sustained DDoS attack, which could cause the company to lose business.

According to the head of a Quebec-based firm that uses the VoIP.ms service, the telephone provider has been down since September 17th. “It hasn’t hurt my business so far because we can work by e-mail,” said the executive, who asked not to be identified. “It’s just an annoyance right now.”

However, he suspects other firms — especially those that resell VoIP.ms service — “are in real trouble.”

An Ottawa man who works for a technology firm and uses VoIP.ms’s residential service  complained that “service comes and goes.”

According to the Bleeping Computer news service, a threat actor is asking one bitcoin, or approximately $45,000, to stop the DDoS attacks.

UPDATE The threat actor has reportedly raised the ransom to 100 bitcoin.

ITWorldCanada.com has so far been unable to talk to Montreal-based VoIP.ms, whose primary website is now protected by Cloudflare and remains in operation.

In a tweet VoIP.ms said the attack started on September 16th.

Its site bears the message, “Distributed Denial of Service (DDoS) attack continues to be targeted at our Websites and POP servers. Our team is deploying continuous efforts to stop this however the service is being intermittently affected … We apologize for all the inconveniences.”

In a tweet posted around 10:30 am Eastern on Monday (Sept. 20) the company said, “We want to assure you that all our energy and resources are being put into fighting this ransom DDoS attack.”

Later it said SMS and MMS messaging, Call Recordings and Conference Recording services were recovered and fully functional.

As of noon Tuesday the company tweeted that it is “deploying continuous efforts in implementing the proper measures on our network to recover services across voice servers and website as soon as possible. We are observing improvements in a considerable sector of our network as we continue our action plan.”

The affected Quebec customer executive said VoIP.ms has 23 servers across Canada and 42 servers in the U.S. for its phone customers. To restore phone service, customers have been told to point their servers outside their local area. However, for this firm that hasn’t helped. “In Montreal they have nine different servers. I’ve been to every one of them and none of them are functioning now. Yesterday I was able to find one. Now they’re not.”

According to a VoIP.ms news release issued earlier this year, the provider was founded in 2007 and has “80,000 happily satisfied customers” including cPanel, the Houston-based developer of the cPanel web hosting control panel software; Utah-based ICON Health & Fitness; Toys”R”Us and others.

When asked by email for comment, a spokesperson for cPanel’s parent company, WebPros, said the firm was “declining to participate.”

VoIP.ms says it provides a vast range of standard telephony features, as well as enhanced communication features for both business and residential communications. This includes things such as local and direct-dial numbers in more than 60 countries. It also offers free porting across U.S. and Canada for local and toll-free direct dialing to over 125 countries.

DDoS attacks leverage the power of huge numbers of infected internet-connected devices. Chained together to form a botnet, they fire requests at an IP address to overwhelm the web server and deny service. According to Cloudflare, a DDoS mitigation service, DDoS attacks can be aimed at an application layer, network devices like firewalls and load balancers or at DNS servers.

While holding an organization for ransom is one DDoS tactic, another is using the weapon as a diversion for infiltration of malware or ransomware.

As technology has become more accessible, the barrier to entry for threat actors who wish to engage in cyber-attacks has also lowered, said Dave Masson, Ottawa-based director of enterprise security at Darktrace. The attack group hitting VoIP.ms seem to have the cyber resilience to keep the attack going until they receive payment, he said. “These threats are why more organisations are turning to self-learning AI that can detect and respond at machine speed to the most subtle behaviours that may indicate complex threats, even while chaos is ensuing elsewhere.” 

In March mitigation service Akamai said DDoS attacks this year are getting “bolder and badder” than 2020, which was a record year itself. Last year Akamai said it mitigated some of the largest attacks ever seen (1.44 Tbps and 809 Mpps); saw more attacks on customers across more diverse industries than ever before; and observed the largest DDoS extortion campaign, aimed at a European online gambling site.

“Recently, we’ve witnessed several campaigns that targeted a range of IP addresses at two specific customers over an extended number of days,” the Akamai report said. “The attackers were relentlessly looking for weaknesses in defenses to exploit, as well as trying different attack vector combinations. In one attack, the threat actors targeted nearly a dozen IPs and rotated through multiple DDoS attack vectors trying to increase the likelihood of disrupting the back-end environments.”

According to a report issued in June by Nokia, after COVID lockdown measures were implemented in 2020 its researchers saw a 40-to-50 per cent increase in DDoS traffic. “The continued increases in intensity, frequency and sophistication of DDoS attacks have resulted in a 100 per cent increase in the “high watermark levels” of DDoS daily peaks,” the report said, “from 1.5 Tbps (January 2020) to over 3 Tbps (May 2021).”

The Cloud Security Alliance says to foil DDoS attacks, IT departments can do the following:

-increase bandwidth. Have enough bandwidth to handle traffic spikes that may be caused by cyber-attacks;

-consider switching workloads to hybrid or cloud-based services. The provider may offer unlimited bandwidth.

-use a content distribution network (CDN) to balance out website traffic so that your capped server won’t be overwhelmed;

-if your web host provider offers it, implement server-level DDoS protection;

-configure your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network (by blocking UDP port 53) to help protect against certain DNS and ping-based volumetric attacks;

-remind yourself that you’re never too small to be DDoS’ed.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News