
01:22 AM

Expect Less Targeting From This Year's Targeted Attacks

Broader spearphishing campaigns and watering-hole attacks look to compromise and gather intelligence on broader classes of targets

In the final days of 2012, a group of attackers used an exploit for a zero-day vulnerability in Internet Explorer in an attempt to compromise the machines of visitors to the Council on Foreign Relations website.

The strategy, known as a watering hole attack, looks to compromise the systems of individuals with certain interests or who work in specific fields by launching drive-by attacks from websites that cater to those fields. While the CFR attack included an exploit for a previously unknown flaw in Internet Explorer, the incident is also notable because it continues a trend toward less focused targeted attacks, security researchers say.

"Waterhole attacks are interesting because they are targeted attacks that are less targeted," says Patrik Runald, senior security research manager with Internet security firm Websense. "Maybe the targeted attack over e-mail didn't work, or they don't know who in the organization -- or even which organization -- is of interest, so ... they throw a wider net and compromise a website that has the audience that they are interested in."

Spearphishing is a much more focused effort that works in many cases, but when there is a lack of information or the need to evade e-mail-focused defenses, waterhole attacks may be preferred. In many cases, attackers will combine the attacks, says Scott Gréaux, vice president of product management and services at security-education firm PhishMe.

"In a targeted attack against a particular organization, attackers will still use the traditional spearphishing model, but leverage the waterhole technique to evade some of the additional defenses that are in the security stack."

The broadening of targeted attacks is one of the trends that security researchers see for the coming year. Other trends include the use of victims' security concerns to convince them to click on a link in an e-mail, and that more than a third of attacks occur on Friday to hinder any response to the incident, according to an October report by Websense.

The changes are mainly driven by attackers' need to foil digital defenses, says Robert Hansen, CEO of hardened-hosting provider Falling Rock Networks.

"Over the last five years, the anti-phishing filters have made it harder for phishers to spoof e-mails, so they are having to take different approaches," Hansen says. "It does not change the attack all that much, but it does change the tricks."

Watering hole attacks are the latest trick. While some researchers argue that the concepts behind watering hole attacks are not new, the modern version of the attack is relatively recent. In 2010, several attacks compromised specialized websites to host attack code, according to Websense. In its Elderwood Project research paper on likely nation-state attacks, Symantec found that, starting in 2009, attackers increasingly used compromised Web sites to focus on populations of interest, rather than just individuals. In the latest incident, for example, the attackers likely netted some government workers and think-tank analysts by compromising the Council on Foreign Relations website.

[Series of sophisticated attacks could be driven by organized crime or a nation state, Symantec says. See Aurora, Other Zero-Day Attacks Linked In 'Elderwood' Study.]

In addition, spearphishing and waterhole campaigns will likely focus increasingly on smaller businesses, especially those that supply services to larger companies, says Paul Wood, cybersecurity intelligence manager with security firm Symantec.

"Small to [midsize] businesses are the weaker link in the supply chain," Wood says. "Those businesses do not have the same intrusion prevention and intrusion detection technologies as the large enterprises."

The attacks add a level of indirectness that can help attackers hide their intentions, especially if they initially aim at a smaller contractor or service provider, Falling Rock's Hansen says.

"If you directly try to attack any target, the chances that you get caught is way, way higher, but if you focus on a third party who is a contractor and has a forum where they hang out, it is less likely that anyone will attribute the attack to a targeted effort," he says.

Companies should harden their end-user systems against compromise by keeping them updated, using the latest -- and, ostensibly, the most secure -- version of an acceptable browser, and removing any plug-ins or other third-party software that could create more holes to be exploited by an attacker.

On the network side, companies should be looking at checking for malicious content before allowing a Web page to run code inside their networks, says Websense's Runald. Reputation systems, which have become popular in the past two years, are not agile enough to respond to a legitimate Web site that becomes compromised. Instead, checking content in real time is necessary, he says.

"It must be done at the point of click and not at the point of entry [into a reputation system]," Runald says, "because we have seen content change between going into the system and the time a user clicks on it."

While Websense does not have independent data on how many companies are dynamically checking Web pages, about one in five PhishMe customers use technology to prefetch Web pages before delivering them to the user, Gréaux says.
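The point-of-entry versus point-of-click distinction Runald draws can be shown with a small model. The following is an added example, not code from the article or from any vendor named in it: a reputation cache records a verdict once, when a legitimate page is first classified, while a content scanner inspects the page body every time a user clicks. The page markup, the host names and the injected drive-by markers (a hidden iframe and an obfuscated inline script) are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page as it looked when first classified,
# and the same page after a watering-hole compromise injected a hidden
# iframe and an obfuscated loader script. Hosts are placeholders.
PAGE_CLEAN = ('<html><body><h1>Policy Briefs</h1>'
              '<script src="/js/site.js"></script></body></html>')
PAGE_COMPROMISED = PAGE_CLEAN.replace('</body>',
    '<iframe src="http://exploit-host.invalid/d.html" width="0" height="0"'
    ' style="visibility:hidden"></iframe>'
    '<script>eval(unescape("%75%6e%70%61%63%6b%65%64"));</script></body>')

# Markers typical of injected drive-by loaders: eval(unescape(...)) or long
# runs of percent-encoded bytes inside an inline script.
INLINE_SUSPECT = re.compile(r'eval\s*\(\s*unescape|(?:%[0-9a-f]{2}){6,}', re.I)

class DriveByScanner(HTMLParser):
    """Heuristic check run on the fetched page body at the point of click."""
    def __init__(self, page_url):
        super().__init__()
        self.host = urlparse(page_url).netloc
        self.in_script, self.findings = False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get('style') or '').replace(' ', '').lower()
        if tag == 'iframe' and (a.get('width') in ('0', '1') or a.get('height') in ('0', '1')
                                or 'hidden' in style or 'display:none' in style):
            self.findings.append('hidden iframe -> %s' % a.get('src'))
        elif tag == 'script':
            self.in_script = True
            src_host = urlparse(a.get('src') or '').netloc
            if src_host and src_host != self.host:  # script pulled from another host
                self.findings.append('off-site script -> %s' % a.get('src'))
    def handle_endtag(self, tag):
        if tag == 'script':
            self.in_script = False
    def handle_data(self, data):
        if self.in_script and INLINE_SUSPECT.search(data):
            self.findings.append('obfuscated inline script')

def scan_content(page_url, html):
    s = DriveByScanner(page_url); s.feed(html); s.close()
    return s.findings

class ReputationCache:
    """Verdict fixed at 'point of entry' and reused unchanged at click time."""
    def __init__(self): self.verdicts = {}
    def classify(self, url, html): self.verdicts[url] = not scan_content(url, html)
    def allow(self, url): return self.verdicts.get(url, False)

def point_of_click_allow(url, html):
    """Re-inspect the body actually served at click time; no cached verdict."""
    return not scan_content(url, html)
```

Once the site is classified as clean, the cache keeps allowing it after the compromise, while the click-time scan blocks the injected content; the heuristics are illustrative and would need tuning against real traffic.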

User Rank: Apprentice
1/18/2013 | 2:35:02 PM
re: Expect Less Targeting From This Year's Targeted Attacks
Great findings! In my experience, when you conduct an application security assessment, whether it's a static analysis scan, dynamic analysis scan, penetration test, or code review, you are going to be presented with a set of vulnerabilities to fix. Often times, there are more vulnerabilities to be fixed than time to fix them, so how do you determine which you should address?

I believe the answer is a vulnerability classification and a prioritization framework. Once you have these in place, you will have a good framework for classifying and responding to discovered vulnerabilities. If you want to read more about software vulnerability management, here's a great article I think you might find interesting: http://blog.securityinnovation....

Keep up the good work!