"This is basically the same pattern that a lot of advanced malware is taking today," says Srinivas Kumar, CTO of TaaSERA. By taking a multi-stage approach and going after server-side vulnerabilities at legitimate sites, the attackers can be assured that unsuspecting visitors to the site are more likely to trust links redirecting to malware-laden sites, he says.
"By using legitimate websites and attacking them first through PHP and SOA-side scripting, they basically create the attack surface for unsuspecting users who would come to a maze of different links and trust links that install some type of executable that does reconnaissance on the machine to scope all the data it can, and [sends] it to command and control," Kumar says.
In this case, researchers with AlienVault helped uncover multiple pages on the DOL website redirecting to malicious payloads that exploited a zero-day vulnerability in IE8, since identified by Microsoft as CVE-2013-1347 and for which Metasploit has released a module.
"The payload itself is base64 encoded within a Web page. On the victim machine, the browser will automatically decode the payload and will be exploited while attempting to render the Web page," says Craig Williams, technical leader within the threat research group of Cisco Security, who calls it "one of the more technically interesting attacks so far this year."
According to Kumar, that encoding is one of the additional layers of evasion making it hard for organizations like DOL to detect a breach of their own site when that site is then used to launch further attacks on its visitors.
"It's very difficult for application developers or website administrators to keep websites malware-free because content is changing by the minute on all these websites," he says. "Like with the DOL case, the payload was encoded so you cannot see what's happening."
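One way a site administrator can look for this kind of hidden payload on their own pages is to decode every base64-looking run in the served HTML and inspect what comes out. The script below does that; it is an added example, not code from the original article, and it does not reproduce the actual DOL payload. The sample page, the blobs in it and the `example.invalid` host are constructed for the example, and the marker list is an assumption about what injected content usually decodes to.

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample page for this example (not the actual DOL content): one
# base64 blob that decodes to injected markup, one that is a benign binary blob
# (as an inline image would be), and one that is benign text.
_INJECTED = b'<script src="http://example.invalid/r.js"></script>'
_BINARY = bytes(range(64))
_TOKEN = b'session-token-for-demo-only-0123456789'

SAMPLE_HTML = f"""<html><body>
<h1>Agency News</h1>
<script>var s = "{base64.b64encode(_INJECTED).decode()}"; document.write(atob(s));</script>
<img src="data:application/octet-stream;base64,{base64.b64encode(_BINARY).decode()}">
<input type="hidden" name="t" value="{base64.b64encode(_TOKEN).decode()}">
</body></html>"""

# Runs of the base64 alphabet long enough to be worth decoding (24 chars = 18 bytes).
B64_RE = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')

# Assumed markers: if a decoded blob contains these, it was hiding active content.
MARKERS = (b'<script', b'<iframe', b'<object', b'document.write',
           b'eval(', b'unescape(', b'fromcharcode')

# Functions a page calls to turn a blob back into markup at render time.
CLIENT_DECODERS = ('atob(', 'unescape(', 'fromCharCode', 'eval(')


def _looks_like_text(raw: bytes) -> bool:
    """True when at least 90% of the bytes are printable ASCII or whitespace."""
    if not raw:
        return False
    ok = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(raw) >= 0.9


def find_hidden_markup(html: str) -> List[Dict]:
    """Decode every base64-looking run in the page and report the ones that
    decode to text containing script or frame markers."""
    findings = []
    for m in B64_RE.finditer(html):
        blob = m.group(0)
        padded = blob + '=' * (-len(blob) % 4)   # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue                               # not really base64
        if not _looks_like_text(raw):
            continue                               # images, fonts, etc.
        low = raw.lower()
        hits = [mk.decode() for mk in MARKERS if mk in low]
        if hits:
            findings.append({
                'offset': m.start(),
                'decoded': raw.decode('latin-1'),
                'markers': hits,
            })
    return findings


def page_uses_client_decoding(html: str) -> bool:
    """Does the page carry code to decode something at render time? Alone this
    is common on legitimate sites; combined with a blob that decodes to markup
    it is a strong signal."""
    return any(fn in html for fn in CLIENT_DECODERS)


if __name__ == '__main__':
    for f in find_hidden_markup(SAMPLE_HTML):
        print(f"offset {f['offset']}: markers {f['markers']} -> {f['decoded']!r}")
    print("page decodes on the client:", page_uses_client_decoding(SAMPLE_HTML))
```

Run this against a copy of each page as fetched by a real browser (the injected blob may only be served to certain user agents or referrers), and diff the findings between crawls so that a blob that appears between one crawl and the next stands out even on a site whose content changes by the minute.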
According to John Prisco, CEO of Triumfant, the DOL attack offers more evidence of what he calls the security industry's "ecosystem of mediocrity."
"Essentially the tools that are available are kind of scrambling to evolve from antivirus," he says. "Antivirus has been trotted out there time and time and time again. But products that are based on prior knowledge and some level of signatures are going to be defeated all the time by the bad guys because you're basically giving them your playbook."

Kumar agrees that if there is one big lesson to take from this attack, at both the server-side and endpoint stages, it is that organizations can't depend on signatures to detect these kinds of attacks and must instead build detection capabilities geared primarily at seeking out anomalous behavior. "Malware nowadays is multistage," Kumar says. "So they don't deliver a whole lot of malware in one file because they're smart enough to know that I give away my secret sauce if any of these vendors can look at my complete code."
As such, says his TaaSERA colleague David Nevin, organizations also need to tie network and endpoint behavioral detection together so they can track an attack across its stages.
"By correlating information across both of those threat vectors you'll be able to identify things sooner and then hopefully be able to catch it before it actually does any damage," he says.
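What that correlation can look like in practice, as an added example that is not part of the original article or of any vendor's product: the script below walks a proxy log and an endpoint log for the same hosts and reports only when the stages line up, with a redirect away from the visited site, an executable download, the browser spawning that file, and the new process calling out, all on one host within a time window. The log format, host names, addresses and window are constructed for the example; no single stage on its own would be worth an alert, which is the point the text makes.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines for this example (not real DOL or vendor telemetry).
# ws17 follows the full chain; ws22 downloads a tool and launches it from
# Explorer, which should not produce a chain.
NETWORK_LOG = """\
2013-05-01T10:02:11 host=ws17 src=10.1.2.17 dst=www.example.gov uri=/news/page.html ctype=text/html
2013-05-01T10:02:12 host=ws17 src=10.1.2.17 dst=cdn.example.invalid uri=/r.js ctype=application/javascript
2013-05-01T10:02:14 host=ws17 src=10.1.2.17 dst=cdn.example.invalid uri=/update.exe ctype=application/x-msdownload
2013-05-01T10:05:30 host=ws22 src=10.1.2.22 dst=downloads.example.org uri=/tool.exe ctype=application/x-msdownload
"""
ENDPOINT_LOG = """\
2013-05-01T10:02:19 host=ws17 event=process_start parent=iexplore.exe image=update.exe
2013-05-01T10:02:24 host=ws17 event=net_connect image=update.exe dst=203.0.113.9:443
2013-05-01T10:05:35 host=ws22 event=process_start parent=explorer.exe image=tool.exe
"""

BROWSERS = {'iexplore.exe', 'firefox.exe', 'chrome.exe'}
EXE_TYPES = {'application/x-msdownload', 'application/octet-stream'}


def parse(line: str) -> Dict:
    """Turn '<iso timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    ev = {'ts': datetime.fromisoformat(ts)}
    for kv in kvs:
        k, _, v = kv.partition('=')
        ev[k] = v
    return ev


def _load(text: str) -> List[Dict]:
    return sorted((parse(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e['ts'])


def correlate(network: str, endpoint: str,
              window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Link an executable download seen on the network to what the endpoint
    did with it, per host, within `window`. Returns one record per chain."""
    net, ep = _load(network), _load(endpoint)
    chains = []
    for dl in net:
        if dl.get('ctype') not in EXE_TYPES:
            continue
        host, deadline = dl['host'], dl['ts'] + window
        filename = dl['uri'].rsplit('/', 1)[-1]

        # Stage 1: was the download served by a site other than the one the
        # browser started on? (the watering-hole redirect)
        prior = [e for e in net if e['host'] == host and e['ts'] < dl['ts']]
        first_site = prior[0]['dst'] if prior else dl['dst']
        redirected = dl['dst'] != first_site

        # Stage 2: the browser itself spawned the downloaded file.
        spawn = next((e for e in ep if e['host'] == host
                      and e.get('event') == 'process_start'
                      and e.get('parent') in BROWSERS
                      and e.get('image') == filename
                      and dl['ts'] <= e['ts'] <= deadline), None)
        if spawn is None:
            continue

        # Stage 3: that new process called out (reconnaissance results to C2).
        beacon = next((e for e in ep if e['host'] == host
                       and e.get('event') == 'net_connect'
                       and e.get('image') == filename
                       and spawn['ts'] <= e['ts'] <= deadline), None)

        chains.append({
            'host': host,
            'file': filename,
            'download_from': dl['dst'],
            'redirected_from': first_site if redirected else None,
            'spawned_by': spawn['parent'],
            'callback': beacon['dst'] if beacon else None,
            'stages': 2 + int(redirected) + int(beacon is not None),
        })
    return chains


if __name__ == '__main__':
    for c in correlate(NETWORK_LOG, ENDPOINT_LOG):
        print(f"{c['host']}: {c['stages']} stages, {c['file']} from "
              f"{c['download_from']} (redirected from {c['redirected_from']}), "
              f"spawned by {c['spawned_by']}, callback to {c['callback']}")
```

The `stages` count is what a rule would threshold on: two stages (download plus browser-spawned process) is worth a look, four means the chain completed and the host should be isolated. Because the join is by host and time rather than by any hash or signature of the downloaded file, a fresh build of the dropper does not change the result.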