Attacks/Breaches
12/2/2013
11:06 AM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Zero-Day Drive-By Attacks: Accelerating & Expanding

The zero-day attack business is no longer just about money, and patching is no longer the best defense.

Similar to a criminal drive-by, the watering-hole attack redirects unsuspecting victims; the difference is that the redirection (usually via obfuscated JavaScript) is placed on a carefully chosen website where the intended victim will likely browse in the course of their daily employment activities. Indiscriminately exploiting victims is pointless for nation state actors, rather it is a select group of targets that must be compromised in order for the attack to be deemed a success (which for them may entail a better-than-average holiday bonus).

Further, because the intended victims’ computers may be fully patched, nation state actors don’t need a full exploit pack. Instead they can rely on one or two zero-day exploits. (A “zero-day” is security industry jargon for exploit code that targets a previously unknown software vulnerability.) Since government resources are exponentially larger than criminals’, zero-day exploits are purchased from third party brokers or developed internally and used in watering-hole attacks to increase the chances of success.

Two such attacks occurred in May. The first campaign compromised the US Department of Labor’s Site Exposure Matrices (SEM) website -- a very specific watering-hole -- and injected JavaScript code which redirected visitors to dol.ns01.us. Naturally, this website was hosting a zero-day exploit for Internet Explorer (CVE-2013-1347). Following successful exploitation a Remote Access Trojan (RAT) was installed on the victim’s computer.

Subsequent attacks occurred in the same fashion days later when oil and energy company websites were modified to host redirection code. Ten oil/energy sites redirected victims to three different websites hosting exploits. In fact the same Department of Labor Internet Explorer zero day exploit was used in tandem with a Java (CVE-2012-1723) and Firefox/Thunderbird (CVE-2013-1690) exploit. While a zero-day exploit doesn’t remain zero day for long, it is a powerful tool with plenty of potency for quick and targeted campaigns.

Unfortunately the use of zero day-exploits in drive-by attacks appears to be accelerating. In the past two months different zero-day exploits for Internet Explorer were discovered as part of larger strategic web compromise attack campaigns. In the most recent attack a RAT was installed on victim computers and in October Microsoft released a security advisory citing a different Internet Explorer vulnerability that was actively being exploited in Asia.

It’s evident that governments, businesses, and individuals are all at risk for drive-by attacks. When dealing with the criminal set and their exploit packs the answer has always been, patch! Since exploit packs historically bundle large amounts of shell code corresponding to known vulnerabilities, the most efficient method for "p0wnage" prevention was a robust vulnerability identification and security patch management program. Zero-day exploits make this defensive strategy obsolete. So the question becomes what is the answer when comprehensive patching is no longer the solution?

A sensible answer is behavior scoring because there are plenty of common malicious indicators between recent attacks. One practical way to implement the scoring is via a web proxy, specifically to fetch and preview web content before serving it to the requestor. The presence of obfuscated JavaScript code, redirection tags, shell code, and dynamic DNS domains can all be scored, and any content above the tolerance threshold should be rejected before it impacts the end user. Nevertheless, nation state attackers’ behaviors and methodologies will evolve and new defense strategies will need to be implemented.

Finally, it’s not the end of the world if a watering-hole attack succeeds, so long as network (and ideally host) security monitoring programs detect the breach before the company or agency’s intellectual property crown jewels are removed.

Drive-by attacker’s planning and timing can’t be prevented, but we can remove the weapon’s effectiveness.

 

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 3:40:05 PM
Re: Patching not enough
That's a great observation and point about how, to quote Gartner,  information security is becoming a big data problem that will require a major shift in mind set and skills sets of security professionals. 

 

 

 
levigundert
50%
50%
levigundert,
User Rank: Apprentice
12/3/2013 | 1:56:44 PM
Re: Patching not enough
Absolutely. If the solution is going to be homegrown, the required resources - primarily human and time - are going to be substantial. It's more likely (especially for small and medium size businesses) that a behavioral prevention product will be purchased from a vendor that is already spending considerable resources on acquiring the right data and hiring top data science talent.

It's certainly possible to create an in-house solution, but it's likely to be cost-prohibitive for all but the largest organizations. Many of the Big Data tools are open source and straight forward to setup, but the barriers to entry are high for acquiring the data and talent necessary to compete with security vendor efforts.

That being said, security professionals should become familiar with Big Data tools and methodologies because it's the future of agile security programs.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 12:33:23 PM
Re: Patching not enough
"...big data insight, talented data scientists, and evolving predicative signal identification.." that seems like a pretty steep learning curve for today's typical  information security professional, not to mention a totally different orientation. What do you think the corporate security team would look like in order to successfully develop and manage a behavioral solution? 
levigundert
50%
50%
levigundert,
User Rank: Apprentice
12/3/2013 | 12:00:24 PM
Re: Patching not enough
Thanks for the question Marilyn. Quite a few security vendors are currently competing to provide superior behavior scoring solutions. I'm obviously partial to what we're doing at Cisco with our cloud based approach, but the point is that subscribing to static threat intelligence lists - malicious IP addresses, domains, etc. - and creating derivative access lists (ACLs) is only going to protect users up to a point. From a risk management perspective that may be enough, but I think most INFOSEC departments realize that the emergence of zero day drive-by campaigns means new solutions are required.

A successful behavioral security solution is predicated on: big data insight, talented data scientists, and evolving predicative signal identification. This space is still new and I don't have proprietary metrics from different security providers specifically around zero day drive-by attacks, but I do know that businesses are interested in proven behavioral solutions.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 9:38:04 AM
Patching not enough
Thanks for your detailed overview of the evolution of the zero-day attack, Levi. You make a great case for the need for new defenses that go beyond vulnerability identification and patch management. In terms of a "sensible" solution such as behavior scoring, where are you seeing that approach being adopted and how successful it is to date? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: good one 
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2001-1594
Published: 2015-08-04
GE Healthcare eNTEGRA P&R has a password of (1) entegra for the entegra user, (2) passme for the super user of the Polestar/Polestar-i Starlink 4 upgrade, (3) 0 for the entegra user of the Codonics printer FTP service, (4) eNTEGRA for the eNTEGRA P&R user account, (5) insite for the WinVNC Login, an...

CVE-2002-2445
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a default password of (1) root.genie for the root user, (2) "service." for the service user, (3) admin.genie for the admin user, (4) reboot for the reboot user, and (5) shutdown for the shutdwon user, which has unspecified impact and attack vectors.

CVE-2002-2446
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of insite.genieacq for the insite account that cannot be changed without disabling product functionality for remote InSite support, which has unspecified impact and attack vectors.

CVE-2003-1603
Published: 2015-08-04
GE Healthcare Discovery VH has a default password of (1) interfile for the ftpclient user of the Interfile server or (2) "2" for the LOCAL user of the FTP server for the Codonics printer, which has unspecified impact and attack vectors.

CVE-2004-2777
Published: 2015-08-04
GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin administrator account of the ASACA DVD library, (3) an empty value for the gemsservice account of the Ultrasound Database, and possibly (4) gemnet2002 for the gemnet2002...

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!