Dark Reading | Vulnerabilities / Threats

1/10/2013 01:22 AM
Expect Less Targeting From This Year's Targeted Attacks

Broader spearphishing campaigns and watering-hole attacks look to compromise and gather intelligence on broader classes of targets

In the final days of 2012, a group of attackers used exploits for a zero-day vulnerability in Internet Explorer to attempt to exploit the machines of visitors to the Council on Foreign Relations website.

The strategy, known as a watering hole attack, looks to compromise the systems of individuals with certain interests or who work in specific fields by launching drive-by attacks from websites that cater to those fields. While the CFR attack included an exploit for a previously unknown flaw in Internet Explorer, the incident is also notable because it continues a trend toward less focused targeted attacks, security researchers say.

"Waterhole attacks are interesting because they are targeted attacks that are less targeted," says Patrik Runald, senior security research manager with Internet security firm Websense. "Maybe the targeted attack over e-mail didn't work, or they don't know who in the organization -- or even which organization -- is of interest, so ... they throw a wider net and compromise a website that has the audience that they are interested in."

Spearphishing is a much more focused effort that works in many cases, but when there is a lack of information or the need to evade e-mail-focused defenses, waterhole attacks may be preferred. In many cases, attackers will combine the attacks, says Scott Gréaux, vice president of product management and services at security-education firm PhishMe.

"In a targeted attack against a particular organization, attackers will still use the traditional spearphishing model, but leverage the waterhole technique to evade some of the additional defenses that are in the security stack."

The broadening of targeted attacks is one of the trends that security researchers see for the coming year. Other trends include the use of victims' security concerns to convince them to click on a link in an e-mail, and that more than a third of attacks occur on Friday to hinder any response to the incident, according to an October report by Websense.

The changes are mainly driven by attackers' need to foil digital defenses, says Robert Hansen, CEO of hardened-hosting provider Falling Rock Networks.

"Over the last five years, the anti-phishing filters have made it harder for phishers to spoof e-mails, so they are having to take different approaches," Hansen says. "It does not change the attack all that much, but it does change the tricks."

Watering hole attacks are the latest trick. While some researchers argue that the concepts behind watering hole attacks are not new, the modern version of the attack is relatively recent. In 2010, several attacks compromised specialized websites to host attack code, according to Websense. In its Elderwood Project research paper on likely nation-state attacks, Symantec found that, starting in 2009, attackers increasingly used compromised Web sites to focus on populations of interest, rather than just individuals. In the latest incident, for example, the attackers likely netted some government workers and think-tank analysts by compromising the Council on Foreign Relations website.

[Series of sophisticated attacks could be driven by organized crime or a nation state, Symantec says. See Aurora, Other Zero-Day Attacks Linked In 'Elderwood' Study.]

In addition, spearphishing and waterhole campaigns will likely focus increasingly on smaller businesses, especially those that supply services to larger companies, says Paul Wood, cybersecurity intelligence manager with security firm Symantec.

"Small to [midsize] businesses are the weaker link in the supply chain," Wood says. "Those businesses do not have the same intrusion prevention and intrusion detection technologies as the large enterprises."

The attacks add a level of indirectness that can help attackers hide their intentions, especially if they initially aim at a smaller contractor or service provider, Falling Rock's Hansen says.

"If you directly try to attack any target, the chances that you get caught are way, way higher, but if you focus on a third party who is a contractor and has a forum where they hang out, it is less likely that anyone will attribute the attack to a targeted effort," he says.

Companies should harden their end-user systems against compromise by keeping them updated, using the latest -- and, ostensibly, the most secure -- version of an acceptable browser, and removing any plug-ins or other third-party software that could create more holes to be exploited by an attacker.

On the network side, companies should be looking at checking for malicious content before allowing a Web page to run code inside their networks, says Websense's Runald. Reputation systems, which have become popular in the past two years, are not agile enough to respond to a legitimate Web site that becomes compromised. Instead, checking content in real time is necessary, he says.

"It must be done at the point of click and not at the point of entry [into a reputation system]," Runald says, "because we have seen content change between going into the system and the time a user clicks on it."

While Websense does not have independent data on how many companies are dynamically checking Web pages, about one in five PhishMe customers use technology to prefetch Web pages before delivering them to the user, Gréaux says.
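The difference Runald draws between checking a link at the point of entry and at the point of click can be shown in a few lines. The following is an added example, not code from Websense, PhishMe or the article: it models an entry-time reputation lookup that knows only a host's past standing, and a click-time check that fetches the page's current content and flags script or iframe references that point off the page's own origin or are hidden. The hostnames, the two page snapshots and the reputation table are all constructed for the example, and the detector is deliberately minimal.

```python
"""
Entry-time reputation lookup vs. click-time content inspection (added example).

Models the watering-hole defence discussed above: a site that was "known good"
when the e-mail arrived may be compromised by the time the user clicks, so
the page content must be re-checked at click time.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect (tag, src, hidden) for every <script>/<iframe> with a src."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        # A zero-sized or CSS-hidden iframe is a classic drive-by marker.
        hidden = tag == "iframe" and (
            "display:none" in style
            or "visibility:hidden" in style
            or a.get("width") == "0"
            or a.get("height") == "0"
        )
        self.refs.append((tag, src, hidden))


def find_suspicious_refs(page_url, html):
    """Return script/iframe references that load off-origin or are hidden."""
    origin = urlparse(page_url).hostname
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, src, hidden in parser.refs:
        host = urlparse(src).hostname  # None for relative URLs (same origin)
        off_origin = host is not None and host != origin
        if off_origin or hidden:
            findings.append(
                {"tag": tag, "src": src, "hidden": hidden, "off_origin": off_origin}
            )
    return findings


# Constructed reputation table: the site had a clean record when the link
# entered the organisation (e.g. when the e-mail was received).
REPUTATION = {"www.example-thinktank.test": "good"}


def entry_time_verdict(url):
    """Point-of-entry check: a reputation lookup on the host only."""
    return REPUTATION.get(urlparse(url).hostname, "unknown")


def click_time_verdict(url, fetch):
    """Point-of-click check: fetch the page now and inspect its content.

    `fetch` is a stand-in for an HTTP fetch; it receives the URL and returns
    the page's HTML as a string.
    """
    findings = find_suspicious_refs(url, fetch(url))
    return ("block" if findings else "allow"), findings


# Constructed snapshots of the same page before and after the site is
# compromised. The injected iframe is zero-sized and loads from a host the
# site does not own.
URL = "https://www.example-thinktank.test/reports/2012.html"

PAGE_AT_ENTRY = (
    '<html><head><script src="/js/site.js"></script></head>'
    "<body><h1>Annual report</h1></body></html>"
)

PAGE_AT_CLICK = PAGE_AT_ENTRY.replace(
    "</body>",
    '<iframe src="https://cdn-stats.example.test/x.html" width="0" height="0">'
    "</iframe></body>",
)


def demo():
    """Show the two checks disagreeing on the compromised page."""
    entry = entry_time_verdict(URL)                       # "good"
    click, findings = click_time_verdict(URL, lambda u: PAGE_AT_CLICK)  # "block"
    return entry, click, findings


if __name__ == "__main__":
    print(demo())
```

The reputation lookup still says "good" at click time because nothing about the host's record changed; only the page content did. A real click-time check would fetch through a proxy or link-rewriting gateway and apply a far richer set of content rules, but the point is the same: the decision has to be made on what the page serves now.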

Comments
MROBINSON000, User Rank: Apprentice
1/18/2013 | 2:35:02 PM
re: Expect Less Targeting From This Year's Targeted Attacks

Great findings! In my experience, when you conduct an application security assessment, whether it's a static analysis scan, dynamic analysis scan, penetration test, or code review, you are going to be presented with a set of vulnerabilities to fix. Often times, there are more vulnerabilities to be fixed than time to fix them, so how do you determine which you should address?

I believe the answer is a vulnerability classification and a prioritization framework. Once you have these in place, you will have a good framework for classifying and responding to discovered vulnerabilities. If you want to read more about software vulnerability management, here's a great article I think you might find interesting: http://blog.securityinnovation....

Keep up the good work!