Intelligence Bulletin – MinionGhost Reemerges

At approximately 9:30am EDT on 20 March 2018, hacktivist collective, MinionGhost, announced planned cyber attacks against unspecified Asian entities. Additionally, MinionGhost and other hacktivist groups announced their intent to target Israeli websites and interests as part of the annual global hacktivist campaign, #OpIsrael. Optiv’s Global Threat Intelligence Center (gTIC) assesses with high confidence that MinionGhost and affiliated groups intend to carry out high-level attacks against various websites and entities, however the capabilities of these groups are limited to simple distributed-denial-of-service (DDoS), cross-site scripting (XSS), and SQL injection (SQLi) attempts. Organizations are recommended to implement security practices and countermeasures focused on limiting and mitigating slow-HTTP attacks, which include limiting connections from single sources, setting appropriate session timeouts, using strong passwords and login credentials for web-applications, and monitoring for/blocking any activity from known proxy (i.e. Tor, commercial VPN) IP ranges.

MinionGhost is a politically and religiously-motivated hacktivist group with a pattern of participating in campaigns against targets globally with the intent of leaking sensitive information (i.e. email credentials, PII), webpage defacement, and disrupting the availability of websites and services through DDoS attacks. In addition to personal and vigilante motives, MinionGhost is also observed to seek attention and validation from media outlets catering to hacker and security news by posting results and findings from attacks directly to these outlets.  

Key Judgments

• gTIC assesses with high-confidence MinionGhost and affiliated actors will carry out DDoS, defacement, and data-leak attempts against a range of targets internationally, despite their threat against Asian entities
• gTIC assesses with high-confidence a majority of attempts and claims of attacks will be either unsuccessful, unsubstantiated, or have limited impact, especially against large corporations and national government organizations
• MinionGhost’s targeting of Asian entities overlaps with the ongoing #OpIsrael campaign (scheduled for 7 April, however attacks and effects ongoing as of March 2018), and attacks/attempts against organizations in Europe, Middle East and North America are deemed probable over the next 30 days

Technical Information

MinionGhost is an Indonesian hacktivist group responsible for participating in several hacktivist operations between 2016 and 2018, targeting multiple governments and top-level domains (TLDs) based off various political events, as well as participating in other ongoing hacktivist operations against the finance industry. MinionGhost is assessed to be a single threat actor with several key associates using multiple social media accounts and personas. MinionGhost is observed to communicate their activities over several outlets including Facebook, Twitter, GitHub, and Pastebin. In 2017, the original social media accounts for MinionGhost, @minionghost302 and @Scode404, were confirmed to be the same actor hiding behind another user handle, @AnonGhost7.

Tools and tactics attributed to the group include vulnerability scans, manual SQLi attacks, and DoS tools scripted in Python. Targets range from government websites to banking and financial entities as a part of larger global hacktivist operations.

MinionGhost is known to announce their intentions and campaigns over social media and recruit the support of other hacktivist groups with similar agendas. MinionGhost’s tools primarily consist of Python-scripted DoS tools. Tools used during #OpCatalunya in 2017 were identified to be the same as those identified to be used during #OpIcarus. Several of these are assessed to be derivatives of older DDoS tools including Slowloris, Low Orbit Ion Cannon (LOIC), and R-U-Dead-Yet.

Outlook

Optiv’s gTIC assesses with high confidence that a majority of MinionGhost’s attacks will have minimal impact against large organizations with adequate security and defense postures. The most vulnerable targets are local government and small business entities with little or no security procedures.  

MinionGhost and affiliates will continue high-level global hacktivist campaigns, primarily focused on targeting government and financial services and US and Israeli interests. Annual campaigns like #OpIsrael and #OpIcarus will continue to garner large vigilante followings and organizations are encouraged to follow proper security and defense posture as mentioned below.

Remediation Recommendations

To mitigate threats from MinionGhost and other hacktivist operations, gTIC advises organizations to ensure web-applications are up-to-date and secured with strong passwords, limit connections from single sources, set appropriate session timeouts and incoming data rates, and identifying and blocking known VPN and proxy IP addresses, writing database queries using prepared statements. These counteractions can prevent basic and high-level XSS, SQLi, and DDoS attempts.