Expect Less Targeting From This Year's Targeted Attacks

Wider spearphishing campaigns and watering-hole attacks aim to compromise, and gather intelligence on, broader classes of targets

In the final days of 2012, a group of attackers used exploits for a zero-day vulnerability in Internet Explorer to attempt to exploit the machines of visitors to the Council on Foreign Relations website.

The strategy, known as a watering hole attack, looks to compromise the systems of individuals with certain interests or who work in specific fields by launching drive-by attacks from websites that cater to those fields. While the CFR attack included an exploit for a previously unknown flaw in Internet Explorer, the incident is also notable because it continues a trend toward less focused targeted attacks, security researchers say.

"Waterhole attacks are interesting because they are targeted attacks that are less targeted," says Patrik Runald, senior security research manager with Internet security firm Websense. "Maybe the targeted attack over e-mail didn't work, or they don't know who in the organization -- or even which organization -- is of interest, so ... they throw a wider net and compromise a website that has the audience that they are interested in."

Spearphishing is a much more focused effort that works in many cases, but when there is a lack of information or the need to evade e-mail-focused defenses, waterhole attacks may be preferred. In many cases, attackers will combine the attacks, says Scott Gréaux, vice president of product management and services at security-education firm PhishMe.

"In a targeted attack against a particular organization, attackers will still use the traditional spearphishing model, but leverage the waterhole technique to evade some of the additional defenses that are in the security stack."

The broadening of targeted attacks is one of the trends that security researchers see for the coming year. Other trends include attackers exploiting victims' security concerns to persuade them to click on a link in an e-mail, and the scheduling of more than a third of attacks on Fridays to hinder any response to the incident, according to an October report by Websense.

The changes are mainly driven by attackers' need to foil digital defenses, says Robert Hansen, CEO of hardened-hosting provider Falling Rock Networks.

"Over the last five years, the anti-phishing filters have made it harder for phishers to spoof e-mails, so they are having to take different approaches," Hansen says. "It does not change the attack all that much, but it does change the tricks."

Watering hole attacks are the latest trick. While some researchers argue that the concepts behind watering hole attacks are not new, the modern version of the attack is relatively recent. In 2010, several attacks compromised specialized websites to host attack code, according to Websense. In its Elderwood Project research paper on likely nation-state attacks, Symantec found that, starting in 2009, attackers increasingly used compromised websites to focus on populations of interest, rather than just individuals. In the latest incident, for example, the attackers likely netted some government workers and think-tank analysts by compromising the Council on Foreign Relations website.

[Series of sophisticated attacks could be driven by organized crime or a nation state, Symantec says. See Aurora, Other Zero-Day Attacks Linked In 'Elderwood' Study.]

In addition, spearphishing and waterhole campaigns will likely focus increasingly on smaller businesses, especially those that supply services to larger companies, says Paul Wood, cybersecurity intelligence manager with security firm Symantec.

"Small to [midsize] businesses are the weaker link in the supply chain," Wood says. "Those businesses do not have the same intrusion prevention and intrusion detection technologies as the large enterprises."

The attacks add a level of indirectness that can help attackers hide their intentions, especially if they initially aim at a smaller contractor or service provider, Falling Rock's Hansen says.

"If you directly try to attack any target, the chances that you get caught are way, way higher, but if you focus on a third party who is a contractor and has a forum where they hang out, it is less likely that anyone will attribute the attack to a targeted effort," he says.

Companies should harden their end-user systems against compromise by keeping them updated, using the latest -- and, ostensibly, the most secure -- version of an acceptable browser, and removing any plug-ins or other third-party software that could create more holes to be exploited by an attacker.

On the network side, companies should be looking at checking for malicious content before allowing a Web page to run code inside their networks, says Websense's Runald. Reputation systems, which have become popular in the past two years, are not agile enough to respond to a legitimate Web site that becomes compromised. Instead, checking content in real time is necessary, he says.

"It must be done at the point of click and not at the point of entry [into a reputation system]," Runald says, "because we have seen content change between going into the system and the time a user clicks on it."

While Websense does not have independent data on how many companies are dynamically checking Web pages, about one in five PhishMe customers use technology to prefetch Web pages before delivering them to the user, Gréaux says.
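As an added illustration of the point-of-click argument above (not code from the article, Websense or PhishMe), the following Python contrasts a reputation verdict frozen when a site entered the system with a content check run when the user clicks; the page bodies, hostnames and the "newly injected external script host" heuristic are constructed assumptions for the demo.

```python
import hashlib
import re
from dataclasses import dataclass

# Pulls the src attribute of external <script> tags (sufficient for this demo).
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

@dataclass(frozen=True)
class ReputationEntry:
    verdict: str               # "clean"/"malicious", fixed when the URL entered the system
    baseline_sha256: str       # page body as it looked at classification time
    baseline_hosts: frozenset  # external script hosts seen at classification time

def script_hosts(html: str) -> frozenset:
    """Hosts of every external script the page loads."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        m = re.match(r"https?://([^/]+)", src)
        if m:
            hosts.add(m.group(1).lower())
    return frozenset(hosts)

def classify_on_entry(html: str) -> ReputationEntry:
    """Point of entry: the site is scanned once and its verdict is frozen."""
    digest = hashlib.sha256(html.encode()).hexdigest()
    return ReputationEntry("clean", digest, script_hosts(html))

def reputation_decision(entry: ReputationEntry) -> str:
    """Reputation-only check at click time: never looks at the current content."""
    return "allow" if entry.verdict == "clean" else "block"

def point_of_click_decision(entry: ReputationEntry, html_now: str):
    """Content check at click time: re-inspect the page as it is served now.
    Ordinary edits (same script hosts) still pass; a newly injected external
    script host, a common footprint of a compromised legitimate site, blocks."""
    if hashlib.sha256(html_now.encode()).hexdigest() == entry.baseline_sha256:
        return "allow", ()
    new_hosts = script_hosts(html_now) - entry.baseline_hosts
    return ("block" if new_hosts else "allow"), tuple(sorted(new_hosts))

# Constructed sample pages: a legitimate site as first classified, then the same
# site after a third-party script has been injected into it.
ORIGINAL_PAGE = ('<html><head><script src="https://static.thinktank.example/site.js">'
                 '</script></head><body><p>Weekly analysis.</p></body></html>')
COMPROMISED_PAGE = ORIGINAL_PAGE.replace(
    "</head>", '<script src="http://cdn.attacker.example/loader.js"></script></head>')
ENTRY = classify_on_entry(ORIGINAL_PAGE)
```

The reputation check still answers "allow" for the compromised page because its verdict was fixed at entry; only the point-of-click check sees the change.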

1/18/2013 | 2:35:02 PM
re: Expect Less Targeting From This Year's Targeted Attacks
Great findings! In my experience, when you conduct an application security assessment, whether it's a static analysis scan, dynamic analysis scan, penetration test, or code review, you are going to be presented with a set of vulnerabilities to fix. Oftentimes, there are more vulnerabilities to be fixed than time to fix them, so how do you determine which you should address?

I believe the answer is a vulnerability classification and a prioritization framework. Once you have these in place, you will have a good framework for classifying and responding to discovered vulnerabilities. If you want to read more about software vulnerability management, here's a great article I think you might find interesting: http://blog.securityinnovation....

Keep up the good work!