Gunjan Trivedi is executive editor at IDG Media. He is an award-winning writer, editor, and moderator with over a decade of experience in Indian IT, during which he also ran his own business. Send feedback on this column to firstname.lastname@example.org
About three months before Superstorm Sandy pulverized the eastern seaboard of the United States, a new form of cybercrime had already ripped through the metro areas of Washington D.C. and Massachusetts. The attack took the form of a wave of semi-targeted offensives, in which 35,000-odd unique hosts from about 1,000 companies and government agencies were ambushed in a span of a few days.
The never-before-seen strike pattern is now being called the watering hole attack.
The attack was clearly successful. Over 12 percent of the machines it infected were compromised with zero-day exploits and information-snooping malware. These remote-access Trojans were not only capable of performing surveillance and collecting intelligence from inside networks of interest, but they could also clandestinely operate webcams and microphones on compromised machines.
Twelve percent is a staggeringly high number. The average rate of success for infiltration in common drive-by and phishing attacks is pegged at close to five to six percent. In fact, the success rate of spear-phishing is usually a tad lower still.
The invasion represents a breakaway moment in security. It’s a new phenomenon that threatens to revolutionize the way Advanced Persistent Threats work, making these attacks far more prevalent, efficient, and less detectable.
A New Way to Hunt
While cyber security players were quick off the block to acknowledge and start analyzing this large-scale cyber-espionage operation, they have largely been unsuccessful in determining the source nation or identifying the actors behind the threat. They have, however, been able to share its modus operandi—and it demonstrates that criminals are getting smarter and are figuring out more sophisticated ways to improve the effectiveness of highly-targeted campaigns.
The watering hole attack mimics the strategy used by lions in nature—they wait by a watering hole and ambush their prey, hence the name. These attacks are fast emerging as a successful link in the attack chain: the attackers lie in wait at legitimate but compromised websites, identify and infect the many visitors who saunter by, and then single out identified victims with an extremely targeted spear-phishing attack, without the need for complicated social engineering lures.
This is evident from what happened to the victims in Washington D.C. and Massachusetts. The websites to be trojanized were chosen very carefully, based on geographic proximity and relevance to the targets of interest. Several legitimate financial and technology services websites, the kind end-users routinely visit while going about their daily business from within corporate networks, were compromised to serve zero-day exploits for either Microsoft XML Core Services or a Java flaw.
These infected websites redirected drive-by visitors to an exploit site, which checked the visiting machines for their versions of Windows and Internet Explorer. The Java client on the host was then compromised and a variant of the ‘Gh0st RAT’ malware dropped in via either a .CAB or a .JAR file. Gh0st RAT is a common Remote Access Trojan that can log keystrokes, remotely operate embedded webcams and microphones, search local files, run arbitrary code, and transfer files.
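As an added illustration (not code from the column or from any vendor analysis), the redirect-then-drop pattern described above can be hunted for in web proxy logs: assuming a constructed log format of `time client method url referer`, the script below flags clients whose Referer chain crosses from one site to another before a .cab or .jar download.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "time client method url referer" ("-" = no Referer).
# Hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
09:01:02 10.0.0.5 GET http://finance-example.test/news.html -
09:01:03 10.0.0.5 GET http://exploit-example.test/check.html http://finance-example.test/news.html
09:01:05 10.0.0.5 GET http://exploit-example.test/drop/payload.JAR http://exploit-example.test/check.html
09:02:10 10.0.0.7 GET http://finance-example.test/news.html -
09:02:11 10.0.0.7 GET http://finance-example.test/logo.png http://finance-example.test/news.html
09:03:00 10.0.0.9 GET http://intranet-example.test/tools/setup.cab http://intranet-example.test/tools/
"""

PAYLOAD_EXT = (".cab", ".jar")   # the drop vehicles named in the column
MAX_HOPS = 5                     # how far back to follow Referer links

def host_of(url):
    return urlparse(url).hostname or ""

def find_watering_hole_chains(log_text):
    """Return {client: [(landing_host, payload_url), ...]} for clients whose
    Referer chain starts on one site and ends in a .cab/.jar download from another."""
    referer_of = defaultdict(dict)   # client -> {requested url: its referer}
    downloads = []                   # (client, url) of candidate payload fetches
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                 # skip malformed lines rather than crash
        _time, client, _method, url, referer = parts
        referer_of[client][url] = None if referer == "-" else referer
        if urlparse(url).path.lower().endswith(PAYLOAD_EXT):
            downloads.append((client, url))
    hits = defaultdict(list)
    for client, url in downloads:
        hosts = [host_of(url)]                   # payload host first
        cur, hops = referer_of[client].get(url), 0
        while cur and hops < MAX_HOPS:           # walk back along Referer links
            hosts.append(host_of(cur))
            cur, hops = referer_of[client].get(cur), hops + 1
        landing = hosts[-1]                      # where the user's browsing began
        # Cross-site chain: the site the user started on is not the payload host.
        if landing != hosts[0]:
            hits[client].append((landing, url))
    return dict(hits)
```

Referer is optional and attacker-influenced, so a hit is a triage lead for the analyst, not proof of compromise; a same-site download such as the intranet .cab above is deliberately left unflagged.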
A Massachusetts regional financial services firm was the top redirector, where hosts from corporate networks and consumers were compromised the most. Its CSO publicly acknowledged that three zero-day payloads went right through the company’s firewall.
The most disturbing fact is that this was not the only watering hole attack out there. There are close to 300 known variants of the Gh0st RAT espionage tool in the wild, and criminals can constantly add new stealth capabilities to the original code base.
I believe that this new way to hunt may make way for more optimized attack patterns in the future that will evolve to far more sophisticated, highly-targeted and extremely damaging cyber compromises. Be afraid. Be wary.