WATERING HOLES: NO PANACEA TO HIDE FOR TARGETED COMPANIES
We in the information security industry are watching some disturbing trends, including the skyrocketing number of targeted industry attacks. Three we are watching are in mining (precious metals) and shipping electronics (new ways to compromise the logging of cargo manifests and electronic tracking systems, then use them for drug smuggling by organized crime). The use of “watering holes”, detailed below, is making it easier for criminals to gather information for exploits and theft:
One way malicious actors try to deliver malware to organizations in specific industry verticals is through the use of “watering hole” attacks. Like predators watching their prey at a water source, cybercriminals looking to target a particular group (for example, people who work in the aviation industry) will monitor which websites that group frequents, infect one or more of these sites with malware, and then sit back and hope at least one user in the target group visits that site and is compromised.
A watering hole attack is essentially a trust exploit because legitimate websites are employed. It is also a form of spear phishing. However, while spear phishing is directed at select individuals, watering holes are designed to compromise groups of people with common interests. Watering hole attacks are not discerning about their targets: anyone who visits an infected site is at risk.
At the end of April, a watering hole attack was launched from specific pages hosting nuclear-related content at the U.S. Department of Labor website. Then, beginning in early May 2013, Cisco researchers observed another watering hole attack emanating from several other sites centered on the energy and oil sector. Similarities, including the specific crafting of an exploit used in both attacks, lend credence to the possibility that the two attacks were related. Research also indicated that many of the sites used the same web designer and hosting provider. This could imply that the initial compromise was due to phished or stolen credentials from that provider.
Protecting users against these attacks involves keeping machines and web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit. Ensuring web traffic is filtered and checked for malware prior to its delivery to the user’s browser is also essential.
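Filtering web traffic also means looking for the shape a compromised watering hole leaves in proxy logs: a site the targeted group trusts suddenly referring many different users to an unfamiliar third-party host. The following script is an added example, not code from the original post or from The Saturn Partners; the watched sites, allowlist and log lines are all constructed for illustration.

```python
"""Flag proxy-log entries where a trusted industry site refers users to an
unfamiliar third-party host, the redirect pattern a compromised watering-hole
site produces. All domains and log lines below are constructed, not real."""
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical: sites the targeted group (here, energy-sector staff) frequents.
WATCHED_SITES = {"energy-news.example", "oilgas-forum.example"}
# Hypothetical allowlist of third-party hosts those sites legitimately load.
KNOWN_GOOD = {"cdn.example", "analytics.example"}

# Constructed proxy log: time user method url referrer status
SAMPLE_LOG = """\
2013-05-02T09:14:02 alice GET https://cdn.example/jquery.js https://energy-news.example/articles/42 200
2013-05-02T09:14:02 alice GET http://stat-upd8.example/j.js https://energy-news.example/articles/42 200
2013-05-02T10:01:12 bob GET http://stat-upd8.example/j.js https://oilgas-forum.example/thread/7 200
2013-05-02T10:30:01 carol GET http://stat-upd8.example/j.js https://energy-news.example/articles/43 200
2013-05-02T11:00:00 dave GET https://unrelated.example/page https://energy-news.example/articles/43 200
"""

def host(url):
    return urlparse(url).hostname or ""

def find_candidates(log_text, watched=WATCHED_SITES, allow=KNOWN_GOOD):
    """Return {(referrer_site, third_party_host): {users}} for requests that a
    watched site referred to a host that is neither a watched site nor allowlisted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than guess at fields
        _ts, user, _method, url, referrer, _status = parts
        ref_host, dst_host = host(referrer), host(url)
        if ref_host in watched and dst_host not in watched | allow:
            hits[(ref_host, dst_host)].add(user)
    return hits

def rank(hits, min_users=2):
    """Prioritise third-party hosts reached by several distinct users across the
    watched sites: one user following a link is noise, many is the watering-hole shape."""
    by_host = defaultdict(set)
    for (_ref, dst), users in hits.items():
        by_host[dst] |= users
    return sorted(((len(u), h) for h, u in by_host.items() if len(u) >= min_users), reverse=True)

if __name__ == "__main__":
    for n, h in rank(find_candidates(SAMPLE_LOG)):
        print(f"{h}: referred from watched sites by {n} distinct users")
```

The single-user hit on unrelated.example is dropped by the threshold, which is the check that keeps ordinary outbound links from flooding the queue.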
We strongly recommend that enterprises undertake a full environmental, infrastructure and cybersecurity audit at least once a year, to ensure that all state-of-the-industry practices (not just tools) are in place and kept up to date, whether you are in banking, health care, utilities, retail, education or any other industry facing ever-increasing network security challenges.
For more information, contact The Saturn Partners, Inc. at www.saturnpartners.com or firstname.lastname@example.org for a no-cost analysis of your enterprise environment.